The Shellshock vulnerability is out of control. Yahoo! and WinZip

Source: Internet
Author: User
Tags perl script

Security researcher Jonathan Hall recently claimed to have discovered a botnet, built by a Romanian hacker, that uses the Shellshock vulnerability to control servers belonging to a large number of well-known Internet companies, including Yahoo's official website and the compression tool WinZip.

Jonathan Hall recently released a Yahoo server vulnerability report, revealing that Yahoo has admitted that two game servers ( and ) were compromised by the botnet, which obtained root privileges on them.

According to Hall, he found the compromised Yahoo servers by accident. At the time, he was tracing requests that were scanning for the Shellshock vulnerability in CGI scripts on his company's server. Using this vulnerability, attackers can send commands to the server's operating system and control the server remotely. Hall traced the attacks and scans to a server, got into that server using the same bash vulnerability, and found a Perl script named ha.pl among the server's activity.

By analyzing the script's contents, Hall found that it was an IRC botnet resembling an IRC-based DDoS botnet. After further analysis, however, Hall found that the botnet emphasizes remote control of the server through shell interaction and reports to an IRC channel through IRC code, which contains a large number of Romanian files.

Hall then connected to the botnet's IRC channel using the information obtained from the Perl script. By monitoring the IRC traffic, Hall found that much of the bot traffic came from servers of some large Internet companies, including and

Through Google searches, Hall also found that a large number of web servers with the Shellshock vulnerability have become part of this botnet. Hall:

A Google search found that almost every website without the vulnerability fix contains a .pl script, in the cgi-bin, /tmp or /var/tmp directory, that is used to connect to the IRC command-and-control server. Some scripts have self-propagation capabilities, similar to a Google search but more specific, searching for specific domain name suffixes such as .com, .nz, .co.uk and .jp.

Hall's findings show that the Bash Shellshock vulnerability is being widely exploited. Attackers use Google search and other tools to discover vulnerable servers and implant a large number of backdoors. Security teams at large Internet companies are not the only ones who should be concerned; individual users also need to be wary of the impact of the Shellshock vulnerability. FireEye has issued a warning that hackers are using the Bash Shellshock patch window to launch attacks against embedded devices such as QNAP NAS.
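The indicator Hall describes (Perl scripts in cgi-bin, /tmp or /var/tmp that connect to an IRC server) can be checked for during triage. The following is an added example, not code from Hall's report or the original article; the function names, the marker patterns and the `/var/www/cgi-bin` path are assumptions, and a hit means the file needs review, not that it is confirmed malicious.

```python
import os
import re

# IRC client commands (RFC 1459) a bot must send to register, join and report.
# Matching is case-sensitive, so Perl's lowercase join() builtin does not count.
IRC_MARKERS = re.compile(rb"\b(PRIVMSG|NICK|JOIN|PING|PONG)\b")
# Assumption: the script opens its connection via IO::Socket or socket().
NETWORK_MARKERS = re.compile(rb"IO::Socket|\bsocket\s*\(")
PERL_SHEBANG = re.compile(rb"^#!.*\bperl\b")


def looks_like_perl(path, head):
    """Perl by extension or by shebang, since dropped files may be renamed."""
    return path.endswith(".pl") or PERL_SHEBANG.match(head) is not None


def scan_file(path, max_bytes=1_000_000):
    """Return the sorted IRC commands found if `path` is a Perl script that
    opens a socket and uses at least two IRC commands; otherwise None."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return None  # unreadable file: skip it rather than abort the sweep
    if not looks_like_perl(path, data[:128]):
        return None
    cmds = {m.decode() for m in IRC_MARKERS.findall(data)}
    if NETWORK_MARKERS.search(data) and len(cmds) >= 2:
        return sorted(cmds)
    return None


def scan_dirs(dirs):
    """Walk each directory and map suspicious file paths to their IRC markers."""
    findings = {}
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                hit = scan_file(path)
                if hit:
                    findings[path] = hit
    return findings


if __name__ == "__main__":
    # /tmp and /var/tmp come from the report; the cgi-bin path is an assumption.
    for path, cmds in scan_dirs(["/tmp", "/var/tmp", "/var/www/cgi-bin"]).items():
        print(f"{path}: Perl script with socket use and IRC commands {cmds}")
```

Run it with enough privilege to read other users' files in the temporary directories, and record owner and modification time of each hit before removing anything.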

Gitlab-shell is affected by Bash CVE-2014-6271 Vulnerability

Linux security vulnerability exposure Bash is more serious than heartbleed

The solution is to upgrade Bash. Please refer to this article.

Bash remote parsing command execution vulnerability Test Method
