• Hello,

    could you please update WF to automatically block the so-called shellshock scanning?
    I saw several scans toward one of my hosts, with “shellshock-scan” and other agent identifiers trying to check the bash bug (they were not the Robert Graham of Errata Security scans but some malware scanning).

    Thank you.

    https://wordpress.org/plugins/wordfence/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Can you send a few more details of the scans to tim [at] wordfence.com. I want to pass that to the dev team to ask. I’d be interested in anything you saw in the log that flagged it for you.

    I know all our servers in the data center were patched very soon after we announced it on our site here:
    http://www.wordfence.com/blog/2014/09/major-bash-vulnerability-disclosed-may-affect-a-large-number-of-websites-and-web-apps/

    I’ll let you know what the dev team says.

    Thanks!

    tim

    Thread Starter webby1973

    (@webby1973)

    Hi Tim,
    I have a plugin called “WP Statistics” showing all the User Agents visiting the website (it’s still under construction, with a plugin protecting the actual pages).
    I see agents such as:
    – masscan (both the “good” one by Robert David Graham and the fake ones by black-hat hackers);
    – shellshock-scan

    And as “Platforms” (such as Android, iOS, Windows, etc.) weird things that are malware scanners, e.g. “-c 1 198.101.206.138” and other strings.
    See an example:
    1st row = my website
    2nd/3rd/4th/5th rows = User Agent, Platform, version, UAString
    6th/7th rows = IP, location
    <Row>
    <Cell><Data ss:Type="String">http://www.[munged].it</Data></Cell>
    <Cell><Data ss:Type="String">() { :;}; </Data></Cell>
    <Cell><Data ss:Type="String">-c \"echo testing9123123\"; /bin/uname -a</Data></Cell>
    <Cell><Data ss:Type="String">bin/bash</Data></Cell>
    <Cell><Data ss:Type="String"></Data></Cell>
    <Cell><Data ss:Type="String">54.251.83.67</Data></Cell>
    <Cell><Data ss:Type="String">SG</Data></Cell>
    </Row>

    I agree it would be nice to block these.

    Until then you can test your server for the vulnerability with a plugin.

    https://wordpress.org/plugins/shellshock-check/
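
The exported row above shows a User-Agent value that starts with `() {` and carries escaped quotes. As an added example (not part of the thread and not Wordfence code), this Python classifier flags such requests in an access log; it assumes the Apache/nginx "combined" format, and the function names, sample lines and IP addresses are constructed for illustration.

```python
import re

# Combined format: ip ident user [time] "request" status bytes "referer" "agent".
# Quoted fields may contain \" escapes, so a plain split on '"' would mis-parse
# exactly the lines that matter here.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ '
                    + QUOTED + ' ' + QUOTED + '$')

# A bash function definition at the very start of a header value: "() {".
FUNC_DEF_RE = re.compile(r'\s*\(\s*\)\s*\{')

# Self-identifying agent names reported in the thread.
SCANNER_AGENTS = ("shellshock-scan", "masscan")

def classify(line):
    """Return (ip, verdict); verdict is payload, scanner-agent, clean or unparsed."""
    m = LOG_RE.match(line)
    if not m:
        return (None, "unparsed")
    ip, _request, referer, agent = m.groups()
    # Only Referer and User-Agent are present in the combined format.
    if FUNC_DEF_RE.match(referer) or FUNC_DEF_RE.match(agent):
        return (ip, "payload")
    if any(name in agent.lower() for name in SCANNER_AGENTS):
        return (ip, "scanner-agent")
    return (ip, "clean")

def flagged(lines):
    """Map each source IP to its verdict, skipping clean and unparsed lines."""
    hits = {}
    for line in lines:
        ip, verdict = classify(line)
        if verdict in ("payload", "scanner-agent"):
            hits[ip] = verdict
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE = [
    r'192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "() { :;}; echo \"constructed-sample\""',
    r'198.51.100.7 - - [26/Sep/2014:10:00:05 +0000] "GET / HTTP/1.0" 200 512 "-" "shellshock-scan (constructed sample)"',
    r'203.0.113.5 - - [26/Sep/2014:10:00:09 +0000] "GET /blog/ HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.9 - - [26/Sep/2014:10:00:12 +0000] "GET /?q=() HTTP/1.1" 200 64 "-" "Mozilla/5.0 (function() { })"',
]

if __name__ == "__main__":
    for ip, verdict in flagged(SAMPLE).items():
        print(ip, verdict)
```

The last sample line stays clean because the match is anchored to the start of the header value, which keeps ordinary agents that merely contain `() {` from being flagged.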

  • The topic ‘shellshock (bash) scanning’ is closed to new replies.