Sysdig Now Detects Shellshock Intrusions For Fun And Profit

The folks at Sysdig have your back, sysadmins. Sysdig's founder, Loris Degioanni, has posted an update to his open source system monitor that can look for Shellshock attacks in real time. A Shellshock payload is easy to recognise no matter how it arrives (HTTP header, CGI variable, SSH forced command): it is an environment variable whose value begins with "() {", which a vulnerable bash treats as a function definition and then keeps parsing past the closing brace. Since sysdig already sees every process execution and its environment, the monitor can watch bash launches for that signature automatically and let you know when attackers are trying to get in.

From Degioanni’s website:

Using sysdig to capture all the bash executions is trivial, but in order to make things even easier, we spent a couple of hours today putting together a new sysdig release that contains a new chisel called shellshock_detect. The chisel captures all the bash executions for which the environment variables match the Shellshock signature, and for each of them it prints:

The time
The victim process's name and pid (i.e. the process that has been attacked with the malicious payload and that will execute bash)
The injected function (i.e. what bash is going to execute)

The resulting output (a chisel, in sysdig parlance, is a script that post-processes the captured system calls) is pretty jarring if you're being attacked. For example, you could see stuff like this:

13:51:18.779785087 apache2 2746 () { test;};echo "Content-type: text/plain"; echo; echo; /bin/cat /etc/passwd

For those of you unfamiliar with bash syntax, that attacker was using a CGI script on the web server to read /etc/passwd, the system's user account list, with nothing more than an unauthenticated HTTP request. Everything after the "};" is an ordinary shell command line, so it could just as easily have been a reverse shell or a download-and-run; what it can reach is limited only by the privileges of the process (here apache2) that spawned bash. Scary stuff.

While this exploit seems more esoteric than Heartbleed ever was, rest assured it's still a dangerous problem: anything that passes attacker-controlled input to bash through the environment, from CGI scripts to DHCP clients to SSH forced commands, is a way in. Get thee to the updatery and make sure your systems are updated, and note that the first bash patch (for CVE-2014-6271) was incomplete and was followed by a second one (CVE-2014-7169), so check that you have both.