The Shellshock vulnerability is out of control. Yahoo! and WinZip

The Shellshock vulnerability is out of control. Yahoo! and WinZip

Security researcher Jonathan Hall recently claimed to have discovered a botnet built by a Romanian hacker and used the Shellshock vulnerability to control the servers of a large number of well-known Internet companies, including the official website of Yahoo and the compression tool software WinZip.

Jonathan Hall recently released a Yahoo Server Vulnerability Report, revealing that Yahoo has admitted that there are two game servers (dip4.gq1.yahoo.com and api118.sports.gq1.yahoo.com) that have been intruded by botnets and obtained root privileges.

According to Hall, it was found that the Yahoo zombie server happened by accident. At that time, Hall was tracking the request for scanning the Shellshock vulnerability in the CGI server script of Hall's company server. Using this vulnerability, attackers could send commands to the server's operating system to remotely control the server. Hall traces attacks and scans a WinZip.com server. Hall also intruded into the server using the bash vulnerability and found a Perl script named ha. pl during server activity.

By analyzing the script content, Hall finds that this is an IRC botnet similar to a DDoS attack on the IRC server, however, after further analysis, Hall found that the botnet emphasizes Remote Control of the server through shell interaction and reports to an IRC channel through IRC code, which contains a large number of Romanian files.

Hall then connected the IRC communication channel of the botnet using the information obtained in the Perl script. through monitoring the IRC traffic, Hall found that many bot traffic come from servers of some large Internet companies, including lycos.com and yahoo.com.

Hall also found through Google search that a large number of website servers with the Shellshock vulnerability have become part of this botnet. Hall:

Google search found that almost every website without any vulnerability fix contains a file in the cig-bin or/tmp or/var/tmp directory that is used to connect to the IRC command to control the server. pl script. Some scripts have self-diffusion capabilities, similar to google search, but are more specific to search for specific domain name suffixes such as. com \. nz \. co. uk \. jp.

Hall's findings show that the bash shellshock vulnerability has been widely used by hackers. Attackers use Google search and other tools to discover Server Vulnerabilities and implant a large number of backdoors. Not only are security teams of large Internet companies concerned, but individual users also need to be wary of the impact of the Shellshock vulnerability. FireEye has issued a warning that hackers are using Bash Shellshock patch Windows to launch attacks against embedded devices such as qnap nas.

Gitlab-shell is affected by Bash CVE-2014-6271 Vulnerability

Linux security vulnerability exposure Bash is more serious than heartbleed

The solution is to upgrade Bash. Please refer to this article.

Bash remote parsing command execution vulnerability Test Method

This article permanently updates the link address: