gogusan Posted September 28, 2014 Report Posted September 28, 2014 (edited) Thread annouce: https://rstforums.com/forum/90178-hackerii-au-inceput-sa-exploateze-vulnerabilitatea-shellshock-una-dintre-cele-mai.rstCum apare in loguri atacul:54.251.83.67 - - [28/Sep/2014:09:48:17 +0300] "GET / HTTP/1.0" 200 934 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"Cum facem testul?[root@zeus ~]# [B]export testbug='() { :;}; echo VULNERABIL'[/B][root@zeus ~]# [B]bash -c "echo TEST"[/B][COLOR="#B22222"]VULNERABIL[/COLOR]TEST[root@zeus ~]#Fixul: 1. prin update la sistem (la yum update bash : bash x86_64 4.1.2-15.el6_5.2 updates 905 k)sau2. prin scriptul de la shellshocker.net: curl https://shellshocker.net/fixbash | shtest dupa fix:[root@zeus ~]# export testbug='() { :;}; echo VULNERABIL'[root@zeus ~]# bash -c "echo TEST"TEST[root@zeus ~]#FAIL2BAN Detect and BAN:facem fiserul de filtru[root@zeus]# nano /etc/fail2ban/filter.d/shellshock.conf#54.251.83.67 - - [28/Sep/2014:09:48:17 +0300] "GET / HTTP/1.0" 200 934 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"[Definition]failregex = ^<HOST> - - (?:\[[^]]*\] )+\"GET.*HTTP/1.1\".*(};|}\s;).*ignoreregex =Adaugam filtrul in jail.conf[root@zeus]# nano /etc/fail2ban/jail.conf[shellshock]enabled = truefilter = shellshockaction = iptables-multiport[name=shellshock]logpath = [COLOR="#FF0000"]calea_voastra_catre_access.log[/COLOR]bantime = 3600findtime = 60maxretry = 1[root@zeus]# service fail2ban reloadsi daca executam iptables -L vom avea regula de fail2ban afisata:[root@zeus]# iptables -LChain INPUT (policy ACCEPT)target prot opt source destinationfail2ban-shellshock tcp -- anywhere anywhere multiport dports ssh Edited September 28, 2014 by gogusan Quote