Glibc: GHOST Vulnerability Test To See If a Linux Sever Is Secure

in Categories , , , , last updated May 3, 2017

The GHOST (CVE-2015-0235) is serious network function vulnerability in Glibc. How do I check and test if a my Linux based server is secure using command line options?

There are two methods to test and find out if your server or desktop powered by Linux is secure or not:

(a) A simple C test program for all Linux based servers (distro independent; generic method).

(b) A simple bash shell test program for RHEL or CentOS or Scientifc Linux server only.

Method #1: GHOST.C Glibc Vulnerability Test C Program

Type the following wget command to download GHOST.C on a Linux based system:

## OR
wget -O GHOST.c

Compile it:

gcc -o GHOST GHOST.c

Test i:


Sample outputs:

Fig. 01: GHOST.c  bug:  A simple way to test if Linux system is secure or not
Fig. 01: GHOST.c bug: A simple way to test if Linux system is secure or not

Method #2: Vulnerability Test Bash Script

Visit this url to download a script (or grab it here). You need to have an account with RHN. The script tells whether your system is vulnerable or not. Run script as follows:

wget -O

Sample outputs:

Fig.02: Fig.02: output on a RHEL/CentOS  based system
Fig.02: Fig.02: output on a RHEL/CentOS based system

What to do if my server is not secure or Vulnerable to the Ghost attack?

See this tutorial page for securing your server by applying patches to glibc.

This entry is 1 of 2 in the Linux GHOST Glibc Critical Security Vulnerability series. Keep reading the rest of the series:
  1. Check Ghost Vulnerability Test Programs
  2. Secure and Patch Your Linux Server For Ghost Bug

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Share this on (or read 17 comments/add one below):

17 comment

  1. The md5sum of the GHOST.c code from the website that I tested with is


    You should always check this before compiling downloaded code, otherwise the next exploit on you will be a man in the middle attack.

    1. There are probably slightly different versions going around with differing whitespace, etc. I mentioned the site because its probably more static than the gist URL. Either way, just make sure that you’re downloading something legit.

      1. I would agree with that last sentence. But then, how trustworthy am I? You might try to see if you can reverse the hash I posted.

        Reviewing the code might not be entirely sufficient as the MITM could exclude vulnerable versions but ilthe code could appear safe to run.

  2. Single Step:

    # curl -L | sh -s --
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  2172  100  2172    0     0   7676      0 --:--:-- --:--:-- --:--:--  7674
    Vulnerable glibc version <= 2.17-54
    Vulnerable glibc version <= 2.5-122
    Vulnerable glibc version <= 2.12-1.148
    Detected glibc version 2.17 revision 55
    Not Vulnerable.
  3. $ md5sum GHOST.c
    a19b0657c80d74ea5c4f4544dc9998c5 GHOST.c
    $ md5sum

    $ ./GHOST
    $ bash
    Vulnerable glibc version <= 2.17-54
    Vulnerable glibc version <= 2.5-122
    Vulnerable glibc version <= 2.12-1.148
    Detected glibc version 2.12 revision 149
    Not Vulnerable.

  4. A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you are not able to do reboot — use this cmd which relaunchs only several applications that actually use vulnerable glibc:

    for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done


  5. #!/bin/bash
    #GHOST vulnerability detector (DEBIAN & co.)
    libc_main_vers=$(dpkg -l | grep libc6 | awk '{ print $3 }' | awk -F . '{ print $1 }')
    upd=$(dpkg -l | grep libc6| awk '{ print $3 }'| tail -c 2)
    sub=$(dpkg -l | grep libc6| awk '{ print $3 }'| awk -F . '{print$2}' |head -c 2)
    for ver in ${libc_main_vers}; do
        if (( ver = 2  && upd >= 7 && sub >= 12 )); then
            echo not vulnerable
            if ((ver > 2 )); then
                    echo not vulnerable
                    echo "vulnerable to GHOST (CVE-2015-0235)"
    exit 0  

    This is the script working for Debian (

  6. Great write up!

    Are Solaris glib packages vulnerable? Not finding anything online (or from Oracle) about it.



  7. sorry guys…my server doesnt have rpm package..and i am unable to connect it to any internet connection since it is prohibited. But i still need to check the vulnerability of our system. How can i do it ? thx

    Have a question? Post it on our forum!