I am running Ubuntu with Plesk Onyx. This comes with nginx as the proxy, and Apache with varying options of PHP.
I woke to find that the websites hosted on the server were returning 502 Bad Gateway.
Looking at the logs, one of the websites had a very strange user agent and referrer:
() { :;}; echo; echo \x22f5d463ef8e86a21c440eccc11b308080\x22
The issue resolved itself with a server restart, but the websites were still down during this time.
Seems like a pretty dangerous exploit. I'm looking for ideas on preventing this at any level (at Plesk, at NGINX, firewalls or other methods). Thank you.
Your server has been scanned for "Shellshock" (CVE-2014-6271) vulnerability.
You can try to mitigate this with any Web Application Firewall (WAF) like mod_security. You may also try some online scanner to check you system or verify it locally.
But it's quite strange that apache down because of some requests of headers it's maybe a performance issue.
It's strongly recommended to apply all system and security updates and always keep system up-to-date.