aelius, posted October 10, 2014 (edited)

A simple rule you can use to log or block Shellshock:

    iptables -I INPUT -p tcp -m string --algo bm --string "() {" --dport 80 -j LOG --log-prefix "shellshock rule 1: "

What does it look like?

    pluto:~# dmesg
    [12526689.726816] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.185.82.92 DST=xxx.xxx.88.5 LEN=287 TOS=0x00 PREC=0x00 TTL=45 ID=21610 DF PROTO=TCP SPT=39893 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
    [12573352.452710] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=108.163.187.146 DST=xxx.xxx.88.10 LEN=421 TOS=0x00 PREC=0x00 TTL=48 ID=25760 DF PROTO=TCP SPT=42647 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12573362.110534] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=184.106.196.169 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=48 ID=55433 DF PROTO=TCP SPT=40201 DPT=80 WINDOW=183 RES=0x00 ACK PSH URGP=0
    [12573364.514235] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=110.44.30.204 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=40 ID=20190 DF PROTO=TCP SPT=38820 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12573369.889964] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=194.28.86.63 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=56 ID=32172 DF PROTO=TCP SPT=48732 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12576046.844450] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=72.249.151.145 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=48 ID=11314 DF PROTO=TCP SPT=46735 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
    [12581893.832430] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=89.47.247.48 DST=xxx.xxx.88.4 LEN=427 TOS=0x00 PREC=0x00 TTL=56 ID=47806 DF PROTO=TCP SPT=40027 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582722.880301] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=34666 DF PROTO=TCP SPT=45498 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582723.333809] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=59992 DF PROTO=TCP SPT=45599 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582723.800026] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=5234 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582724.856256] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=13614 DF PROTO=TCP SPT=45879 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582725.330168] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=379 TOS=0x00 PREC=0x00 TTL=51 ID=19157 DF PROTO=TCP SPT=45962 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582725.800422] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=53517 DF PROTO=TCP SPT=46069 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582726.258118] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=53738 DF PROTO=TCP SPT=46149 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582726.708889] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=367 TOS=0x00 PREC=0x00 TTL=51 ID=29443 DF PROTO=TCP SPT=46236 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12582822.019042] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=23.95.95.168 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=45 ID=51576 DF PROTO=TCP SPT=47145 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12583500.543438] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=173.83.247.209 DST=xxx.xxx.88.6 LEN=304 TOS=0x00 PREC=0x00 TTL=54 ID=35104 DF PROTO=TCP SPT=57258 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12584394.167981] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=103.23.21.67 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=29985 DF PROTO=TCP SPT=44368 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12606520.929034] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=94.23.42.182 DST=xxx.xxx.88.7 LEN=419 TOS=0x00 PREC=0x00 TTL=58 ID=19046 DF PROTO=TCP SPT=36147 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12606529.908862] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=85.232.60.34 DST=xxx.xxx.88.5 LEN=420 TOS=0x00 PREC=0x00 TTL=51 ID=14367 DF PROTO=TCP SPT=49751 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12606541.611815] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.198.141.98 DST=xxx.xxx.88.6 LEN=429 TOS=0x00 PREC=0x00 TTL=51 ID=8906 DF PROTO=TCP SPT=33844 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
    [12609706.584728] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.88.5 LEN=428 TOS=0x00 PREC=0x00 TTL=45 ID=10222 DF PROTO=TCP SPT=43102 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
    [12616465.783127] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=67.23.9.241 DST=xxx.xxx.122.5 LEN=427 TOS=0x00 PREC=0x00 TTL=45 ID=24709 DF PROTO=TCP SPT=40671 DPT=80 WINDOW=92 RES=0x00 ACK PSH URGP=0
    [12617580.394705] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=213.238.169.117 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=47 ID=13535 DF PROTO=TCP SPT=58437 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
    [12619408.726456] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=202.181.246.66 DST=xxx.xxx.88.5 LEN=427 TOS=0x00 PREC=0x00 TTL=41 ID=13254 DF PROTO=TCP SPT=26414 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
    [12659626.759636] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.254.250.180 DST=xxx.xxx.102.3 LEN=293 TOS=0x00 PREC=0x00 TTL=46 ID=61584 DF PROTO=TCP SPT=22274 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0

Notes:
- I only specified port 80, and the rule is for logging only. You can add one rule for logging and another for reject/drop.
- More about Shellshock here: http://en.wikipedia.org/wiki/Shellshock_(software_bug)
- I got this idea because many people are tempted to use snort. As you probably know, with a lot of rules snort eats a great deal of CPU.

Edited October 10, 2014 by aelius
aelius (author), posted October 11, 2014

No, it doesn't. I followed the logs with tail. And then, anyone who knows detection is done on "() {" can put stray spaces in it so it doesn't trigger. In any case, it's a worthless bug as long as no cgi-bin scripts are in use.
aelius (author), posted October 11, 2014

> It will hit sooner or later; what I meant is that it isn't 100% safe. If that rule were in iptables on rst, it would give a false positive every time the two of us posted in this topic, because it would find that string in the packet (as long as it isn't https, of course, but it can just as easily happen on any other site).

Yes, clearly. It doesn't distinguish between the request and the content. If you add a rule with the string "muje", you won't even be able to write that on the forum (only over http, of course).
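The first post's rule and the two caveats raised on October 11 (stray whitespace defeats the exact "() {" match, and the string match cannot tell a request header from forum-post content) can be checked offline. The following is an added example and not the poster's code: a parser for the kernel LOG lines the rule emits, with per-source and per-destination counts, plus a header-aware check that shows where the pattern sits in a request. The log lines are constructed in the dmesg format shown in the thread (with the same masked destinations), and the two HTTP requests and the host name example.test are constructed for the example.

```python
"""Triage helper for netfilter LOG lines from an iptables string-match rule,
plus a check of where the matched pattern sits in an HTTP request.
Added example, not the poster's code. Sample log lines are constructed from
the dmesg format shown in the thread; the requests and example.test are
constructed as well."""
import re
from collections import Counter

LOG_PREFIX = "shellshock rule 1"  # the --log-prefix used in the thread's rule

# Constructed sample input: five lines in the format the LOG target writes,
# followed by one unrelated kernel line that the parser must skip.
SAMPLE_LOG = """\
[12526689.726816] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=192.185.82.92 DST=xxx.xxx.88.5 LEN=287 TOS=0x00 PREC=0x00 TTL=45 ID=21610 DF PROTO=TCP SPT=39893 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
[12582722.880301] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=34666 DF PROTO=TCP SPT=45498 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
[12582723.333809] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=397 TOS=0x00 PREC=0x00 TTL=51 ID=59992 DF PROTO=TCP SPT=45599 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
[12582723.800026] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=180.210.205.209 DST=xxx.xxx.88.10 LEN=370 TOS=0x00 PREC=0x00 TTL=51 ID=5234 DF PROTO=TCP SPT=45681 DPT=80 WINDOW=46 RES=0x00 ACK PSH URGP=0
[12582822.019042] shellshock rule 1: IN=eth0 OUT= MAC=ac:22:0b:79:90:62:c4:71:fe:11:f9:ff:08:00 SRC=23.95.95.168 DST=xxx.xxx.88.8 LEN=426 TOS=0x00 PREC=0x00 TTL=45 ID=51576 DF PROTO=TCP SPT=47145 DPT=80 WINDOW=115 RES=0x00 ACK PSH URGP=0
[12600000.000000] audit: unrelated kernel message that must be ignored
"""

# "[seconds] prefix: KEY=VALUE ... FLAG ..." as the kernel LOG target writes it
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<prefix>.*?):\s+(?P<fields>.*)$")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return the KEY=VALUE fields as a dict (bare flags such as DF/ACK/PSH
    collected under 'flags'), or None if the line is not from the expected rule."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("prefix") != prefix:
        return None
    rec = {"ts": float(m.group("ts")), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["flags"].append(tok)
    return rec


def summarize(log_text, prefix=LOG_PREFIX):
    """Count hits per source and per destination so that a burst from one
    host (like 180.210.205.209 in the thread) stands out immediately."""
    recs = [r for r in (parse_log_line(l, prefix) for l in log_text.splitlines()) if r]
    return {
        "hits": len(recs),
        "by_src": Counter(r["SRC"] for r in recs),
        "by_dst": Counter(r["DST"] for r in recs),
    }


def exact_string_match(payload, needle="() {"):
    """What the iptables -m string rule does: a literal search over the whole payload."""
    return needle in payload


# Tolerant form of the same pattern: any whitespace between the three tokens.
FUNC_DEF_RE = re.compile(r"\(\s*\)\s*\{")


def has_function_definition(text):
    return FUNC_DEF_RE.search(text) is not None


def classify_http_request(raw):
    """Report whether the pattern is in a request header (what a CGI server
    exports into the script's environment) or only in the body (forum-post
    content). The packet-level rule cannot tell these apart."""
    head, _, body = raw.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]  # drop the request line
    if any(has_function_definition(h) for h in header_lines):
        return "header_hit"
    if has_function_definition(body):
        return "body_only"
    return "clean"


# Constructed requests: a probe carrying the pattern in a header, and a forum
# reply that merely talks about the pattern in its body.
PROBE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; echo test\r\n"
    "\r\n"
)
FORUM_REPLY_REQUEST = (
    "POST /forum/reply HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "message=the+rule+matches+on+() {+anywhere+in+the+packet"
)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["hits"], "hits; top sources:", s["by_src"].most_common(3))
    for name, req in (("probe", PROBE_REQUEST), ("forum reply", FORUM_REPLY_REQUEST)):
        print(name, "- literal match:", exact_string_match(req),
              "- location:", classify_http_request(req))
    print("spaced variant - literal:", exact_string_match("( ) {"),
          "tolerant:", has_function_definition("( ) {"))
```

Feed real output from `dmesg` into `summarize()` and the per-source counter gives the same picture the raw log above shows only after scrolling. The request classifier is what a web-application layer (or an IDS that reassembles HTTP) can do and a single `-m string` rule cannot: the literal match fires on the forum reply's body just as it does on the probe's header, which is exactly the false positive discussed in this post, and the spaced variant shows why the exact string is easy to miss.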
Guest, posted October 16, 2014

It does have its downsides, but this detection method is meant for people who use their servers for personal, private use and lack the technical knowledge to patch bash and so on. I don't even want to think that there might be people running servers commercially who apply rules like this. Anyway, leaving details like that aside, you should thank @aelius for taking the time to teach you something useful, instead of opening topics about stealers, scanners and brute-forcers (I'm speaking generally here, not about anyone in particular).