I've patched my servers, but I'd also like to review my logs to see if there have been any compromises on them. Are there any consistent traces of exploits using this bug?
Perhaps, but there is no common signature, because it is an arbitrary code execution bug. The attacker can pack whatever malicious payload they like in the environment variables they are poisoning. Better question: do you run any CGI bin scripts? Otherwise you mostly need to authenticate via SSH in order to exploit, so check your logs for unexpected SSH logins. – Frank Thomas, commented Sep 25, 2014 at 20:36
1 Answer
I caught some hits in the logs with:
grep -r '"()' /var/log/httpd/
grep -r "'()" /var/log/httpd/
Note that the paths used might differ based on your actual server, e.g. lighttpd would use /var/log/lighttpd/ instead. – Mario, commented Sep 27, 2014 at 7:37
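A way to take the grep above further, as an added example that is not part of the original answer: the script below parses combined-format access log lines, checks the request line, Referer and User-Agent fields for the `() {` function-definition prefix that a poisoned environment variable has to start with (tighter than a bare `()`, so fewer false positives), copes with the `\"` escaping Apache applies to embedded quotes, and reports which client and field carried it. The log path is whatever your server writes to, as the comment on paths notes, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

def quoted(name):
    # One quoted log field; Apache writes embedded quotes as \" so accept escaped characters
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name

# Combined log format (Apache; lighttpd's default uses the same layout):
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] ' + quoted("request") +
    r' (?P<status>\d{3}) \S+ ' + quoted("referer") + ' ' + quoted("agent") + '$')
FIELDS = ("request", "referer", "agent")

# The bug fires when an environment variable's value begins with a bash function
# definition, so "() {" (optional whitespace) is the trigger. Matching it rather than
# a bare "()" avoids false positives from ordinary parentheses in URLs and agents.
TRIGGER = re.compile(r'\(\)\s*\{')

def scan_lines(lines):
    """Return one (client, time, field, value) tuple per quoted field carrying the trigger."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess at the layout
        for field in FIELDS:
            if TRIGGER.search(m.group(field)):
                hits.append((m.group("host"), m.group("time"), field, m.group(field)))
    return hits

def scan_file(path):
    """Scan one access log; pass whatever path your server actually writes to."""
    with open(path, errors="replace") as fh:
        return scan_lines(fh)

def clients_by_hits(hits):
    """Count trigger-carrying fields per client address, most active first."""
    return Counter(host for host, _, _, _ in hits).most_common()

# Constructed sample lines (not real traffic): parentheses in a benign agent string,
# a trigger in User-Agent that contains escaped quotes, and a trigger in Referer.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/Sep/2014:20:36:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"',
    '203.0.113.9 - - [25/Sep/2014:20:36:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "-" "() { :;}; [\\"quoted\\" payload redacted]"',
    '203.0.113.9 - - [25/Sep/2014:20:36:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 17 "() { :;}; [payload redacted]" "curl/7.30"',
]

if __name__ == "__main__":
    for host, when, field, value in scan_lines(SAMPLE_LOG):
        print(f"{when} {host} {field}: {value}")
```

Run it over a real file with `scan_file("/var/log/httpd/access_log")` (or the lighttpd path), then feed the result to `clients_by_hits` to see which addresses were probing.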