Testing for the Shellshock Bash Vulnerability

Shellshock (or Shell Shocker) is the name given to a recent vulnerability affecting systems running the Bash shell. Bash is the default shell on most Unix/Linux systems, so it’s a big deal.

If You’re Using a Hosting Provider

Most hosting providers (all the good ones) have already either contacted their customers or posted about it in the news or blog section of their website. It’s possible that you won’t be able to run a test on your site because you don’t have access. If you’re in doubt, contact your host and ask them.

If You’re Running Your Own Servers

You should already be updating your systems regularly as best practice, so I’m assuming you’ve done that already. However, since you’re running your own systems, you should test to make sure you’re not vulnerable.

Manually Running Bash Commands

Rather than repeat what’s already covered on other sites, check out Further Shellshock Reading below for links where you’ll find ample sample commands.
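
For a quick check on a server you control, here is an added example (not from the original post or the linked sites) that runs the widely published environment-variable probe against each Bash binary it finds locally. The marker string, function names and candidate paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: local Shellshock self-test (not from the original post).
# Marker string, function names and candidate paths are illustrative choices.

MARKER=SHELLSHOCK_MARKER

# Classify captured probe output: 0 = not vulnerable, 1 = vulnerable, 2 = inconclusive.
classify_probe_output() {
    case $1 in
        *"$MARKER"*) return 1 ;;   # trailing command ran during variable import
        *probe-done*) return 0 ;;  # shell started normally, payload stayed inert
        *) return 2 ;;             # shell produced nothing we recognise
    esac
}

# Probe one Bash binary. The variable's value looks like a function definition
# followed by an extra command; only an unpatched Bash executes that command.
check_bash() {
    cb_bin=$1
    [ -x "$cb_bin" ] || return 2
    cb_out=$(env probe="() { :;}; echo $MARKER" "$cb_bin" -c 'echo probe-done' 2>/dev/null)
    classify_probe_output "$cb_out"
}

# Check every candidate path that exists; returns 1 if any binary is vulnerable.
scan_bash_paths() {
    sb_found=0
    # Default paths are assumptions; pass extra paths as arguments.
    for sb_bin in "$@" /bin/bash /usr/bin/bash /usr/local/bin/bash; do
        [ -e "$sb_bin" ] || continue
        check_bash "$sb_bin"
        case $? in
            0) echo "$sb_bin: not vulnerable" ;;
            1) echo "$sb_bin: VULNERABLE, apply updates"; sb_found=1 ;;
            *) echo "$sb_bin: could not be tested" ;;
        esac
    done
    return "$sb_found"
}

scan_bash_paths "$@" || echo "At least one Bash binary needs updating."
```

The probe only covers the original function-import flaw, so a clean result is not a substitute for applying your distribution's updates.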

Shellshocker.net Test Site

The health IT team at Medical Informatics Engineering have created a site with instructions for checking your site. To get started, head over to shellshocker.net where they have a simple explanation of the Shellshocker Bash vulnerability as well as some instructions on different ways of testing.

Below you can see what the testing tool looks like:

[Image: check-site]

Shellshock Test WordPress Plugin

ManageWP have released a WordPress plugin that checks for Shellshock. At the time of writing it’s pending review to be included in the WordPress plugin directory, so you have to download it and upload it to your site to install it.

Once you’ve installed the plugin, activate it:

[Image: shellshocker-wordpress]

You’ll then see a new option under Settings labelled ‘Shellshock’:

[Image: check-shellshock]

Once you’ve installed it on your website, run it and you’ll hopefully see something like this:

[Image: shell-shock-testing-ok]

You can download and get more information about the ManageWP Shellshock test plugin here:

The team at ManageWP have already posted some good reading on the topic.

How to Fix the Shellshock Vulnerability

The best way to address this issue is to apply updates to your system. I’ll add pages from the common distributions below as they start getting published.

Further Shellshock Reading

If you’re looking for more information on shellshock, here are some of the best articles I’ve come across:

Other Testing Sites

Here’s a long list of commands:

And some more testing sites and scripts:

If you’re interested in web security, I’d highly recommend following the Sucuri team; their blog is always a great source of current news. You can find the Sucuri blog here.
