Shellshock: How do I know if my server is compromised + suspicious files to look out for
How do I know if my server is already compromised due to the Shellshock bug?
You don't. That's the idea of a security vulnerability. If you had to click Let the crackers in? OK/Cancel it wouldn't be much of a vulnerability.
You may have some luck checking the logs of your attack vectors, but given that so many services are vulnerable and not all of them log every access, it's likely not possible to conclusively find an attack.
If it was compromised, is there a particular folder where I should look for malicious files?
No, a malicious file could be anywhere.
Common rootkits install themselves in /root or / or /tmp or one of the binary paths but really they could be anywhere. They might have a name similar to a real service or something "important" looking like "IPTables" or "kernel-bin" but they could also be random strings of characters or the same name as a genuine binary (just in a different path). You can spot a really obvious rootkit loading in /etc/rc.local or making connections via netstat -neopa. Look for suspicious process names in top -c.
A less common and much more difficult to find rootkit replaces a library or loads itself as a shim library and intercepts system calls. This is almost impossible to find unless you strace/ltrace every single thing running on your system and compare the behaviour with the expected behaviour of a known-good system or source code.
It would be quicker, easier, and more conclusive to just reload the system.
How does a malicious file look like?
Probably like any other regular ELF binary or library. It may also be a script.
In conclusion, if you think there's a possibility that your system has been compromised, treat the system as if it has been compromised and take necessary measures.
shellshock isn't a worm so there are no files to look for. Shellshock is a way to attack a network to gain entry. Once inside who knows what the attacker will do.
I have seen one attempt at exploiting the bug, which would install an IRC bot as /var/tmp/x. But in general there are no particular files to look for, since they could be anywhere or nowhere.
If you got compromised through the web server then any new file or process owned by the web server user would be suspicious.
In case an attacker used first the bash bug to enter the system and next a local vulnerability to become root, it could become almost impossible to spot.
Also look at this similar question.
I would echo the answer from suprjami and say that if your system is vulnerable then you should treat it as compromised.
If you are running apache you can check the logs for Shellshock intrusion attempts with the following command:
[root@server ~]# grep cgi /var/log/httpd/access*|egrep "};|}\s*;"
This command extracts all lines containing "cgi" from Apache's access logs (by default called access_log, access_log.1, access_log.2 etc) then pipes it into egrep with the regex.
(Source: http://linux.slashdot.org/story/14/09/24/1638207/remote-exploit-vulnerability-found-in-bash)
Since there are several attack vectors for Shellshock, some of them yet being unknown for general public or caused by a custom CGI script, there is no definite way to tell if you are compromised or not.
In addition to usual "let's see if some system files have changed or something else suspicious has happened lately" approach you might want to keep your eye on your server behaviour.
- Is there suddenly lot more network traffic?
- Did the CPU/memory usage change a lot?
- Is something eating up the disk space or causing more I/O much more than usually?
- Does
netstatshow strange network connections orps auxshow processes you don't recognize? - Does your server suddenly send out much more e-mail than before?
If you have proper server health monitoring (such as Zabbix) up and running, it can help you finding out security breaches, too. You can also compare the MD5/SHA sums of system files to a known good backup.
Just basically act as your server had been compromised and investigate everything you can think of.