Could the Shellshock Exploit Destroy Your Website?

UPDATED October 7, 2014: Keep Patching!

There have been several new patches since Shellshock was first patched, and you need to make sure that your server is still up-to-date, even if you patched on the first day.

Learn What You Need to Do to Protect Your Site

Shellshock is a huge security threat to the internet, but if you’re like most people, the technicalities underlying it make it hard to get too worried about other than in a general sense. After all, you may be thinking “Yes, I worry, but I worried about Heartbleed last month and nothing bad happened, so is this another one of those?”

Let Me Put the Dangers Shellshock Poses in Personal Terms

It’s one thing to hear that the exploit is “using fast-moving worm viruses to scan for vulnerable systems and then infect them…” (source: The Times of India) or that attackers are creating botnets to attack Akamai with a distributed denial of service (DDoS) (source: itnews).

Yes, those sound bad, but they probably wouldn’t immediately affect your bottom line. So, it might be enough to just wait and see what happens.

But if You Run a Website Your Server Could Get Infected

And if your server gets infected, the attackers could do all kinds of things that directly impact you and your business. Things like:

  • Delete every page on your website
  • Deface every page on your website
  • Take control of your web database and steal all the data
  • Add back-door functions to your web forms and scripts to steal your customers’ information as they submit it to you: things like credit card numbers, email addresses, and any other information

I have had to deal with scenarios where portions of a website were deleted, defaced or hacked, and it’s not fun. Do you really want to have to report to your customers that their credit card information may have been stolen? Do you really want to rebuild your entire site from scratch? I know I don’t.

What To Do About Shellshock

The first thing you should be aware of is which of the devices and tools you use might have Bash on them. This could affect things like web servers, routers, Linux and Mac OS X computers, and other devices.

If You’re Running a Web Server

If you run your own web server, you should immediately go and patch it. This exploit affects nearly any web server running Bash, and nearly all Linux and Unix boxes run it. Here is a list of some popular Linux vendors and their information on patching for Shellshock:

If You Host Your Website

If you don’t run your own web server, but you host on another site, you should find out if they are running on Linux (most hosting companies are) and if they’ve patched their server. There are several experimental tools available on the web that you can use to test your site.

And if you have access to a shell prompt on your web server, you can test using the following script. Just go to your shell prompt and type:

env x='() { :;}; echo vulnerable' bash -c 'echo yay'

If your server is vulnerable, you’ll get a response of:

vulnerable
yay

If it’s not vulnerable, you’ll get a response of:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
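
The manual check above can be scripted so that it runs against every Bash binary on a server and gives a result you can act on. This is an added example, not part of the original article; the function names are made up here, and the test command is the article's own, unchanged.

```shell
#!/bin/sh
# Added example: function names are illustrative, not from the article.

# Interpret the captured output of the article's test command.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable       # the text after the function body was executed
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        echo not-vulnerable   # Bash rejected the crafted definition
    elif printf '%s\n' "$1" | grep -qx 'yay'; then
        echo not-vulnerable   # only the harmless command ran
    else
        echo unknown          # unexpected output, inspect by hand
    fi
}

# Run the article's test against one Bash binary (default: the bash on PATH).
check_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo yay' 2>&1) || true
    classify_output "$out"
}

# Check the bash on PATH and every bash listed in /etc/shells.
report() {
    for b in bash $(grep -s '^/.*/bash$' /etc/shells || true); do
        printf '%s: %s\n' "$b" "$(check_bash "$b")"
    done
}

report
```

A `not-vulnerable` result only covers the test shown on this page; the later patches mentioned in the update note still require your vendor's current Bash package.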

Contact Your Web Hosting Provider

If you run these tests and your web server is vulnerable, you should contact your hosting provider immediately. Right after you contact them, you should back up your entire website, including any scripts, databases, images and so on. Then if your server is attacked before your provider patches it, you have a current backup.

If You Run a Mac with Mac OS X

Mac OS X is currently vulnerable, and Apple has not yet released a patch. However, Apple says “The vast majority of OS X users are not at risk to recently reported bash vulnerabilities…” (source: iMore). This is because the system is protected by default, and that protection is only removed if advanced Unix services are enabled.

If you have enabled Bash on your Mac OS X system, you should take it back to the factory settings for now. Or you can patch it manually with the instructions at LinuxNewsPro, but only do this if you know what you’re doing. If you don’t know what I mean by advanced Unix services, do not do anything. Just wait for the Apple patch.

If You Have Other Things Running Bash That Could be Attacked by Shellshock

Your best bet is to contact your support or service providers to find out if they have provided a patch. Many router companies have already published patches, or are working hard on one. Symantec has also created an Intrusion Prevention signature for protection against this exploit.