First Shellshock Botnet Attacking Akamai, US DoD Networks

← Back to Stories (view on slashdot.org)

First Shellshock Botnet Attacking Akamai, US DoD Networks

Posted by samzenpus on Thursday September 25, 2014 @11:40AM from the that-didn't-take-very-long dept.

Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

13 of 236 comments (clear)

Min score:

Reason:

Sort:

Re:Question about how this works by dskoll · 2014-09-25 12:26 · Score: 4, Informative

Apache passes user-supplied content to CGI scripts as environment variables, so any CGI written in bash or that invokes bash (via system(), for example, on an OS that uses bash as /bin/sh) could be used as an exploit vector.
Re:Question about how this works by brantondaveperson · 2014-09-25 12:29 · Score: 5, Informative

Rubbish. It certainly does not. It depends on inputs getting into environment variables which wind up eventually inside of bash. Which then goes "oh, look. code! I think I'll run that", and runs it.
Thanks bash.
Thash.
Only the beginning by Solozerk · 2014-09-25 12:33 · Score: 5, Informative

It's not the only botnet being constructed, see my comment here - already 653 exploited servers there right now.
This is quite bad - as long as a bash CGI script is found by probing, exploiting only require putting a bash command in a header such as "Cookie:" for it to be executed. And this is only through HTTP - there are also aready other proof of concepts exploiting this through other bash-using services (DHCP servers for example).
You can check if you've been scanned for exploitable CGIs using something like (adjust apache logs path accordingly):

grep cgi /var/log/apache2/access*|egrep "};|}\s*;"

And you can check if your bash is vulnerable using:

env x='() { :;}; echo vulnerable' bash -c 'echo Testing...'

If 'vulnerable' appears, it is.
1. Re: Only the beginning by peppepz · 2014-09-25 13:44 · Score: 2, Informative
  
  FreeBSD is vulnerable to this attack as much as Linux, or Windows. It's a bug in an application, not in the OS.
2. Re:Only the beginning by VValdo · 2014-09-25 14:07 · Score: 3, Informative
  
  only on 14.04... 1.3 is coming, I'm told..
  
  --
  -------------------
  This is my SIG. There are many like it, but this one is mine.
3. Re:Only the beginning by geckoFeet · 2014-09-25 14:25 · Score: 3, Informative
  
  Yay! I have been scanned - but my little webserver doesn't run any cgi scripts, so they got 404'd. They were looking specifically for defaultwebpage.cgi:
  root@stinky:/home/gecko# grep cgi /var/log/apache2/access*|egrep "};|}\s*;" /var/log/apache2/access.log:89.207.135.125 - - [25/Sep/2014:02:28:52 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 319 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
Re:Question about how this works by _xeno_ · 2014-09-25 12:35 · Score: 4, Informative

Well, Apache and literally every other CGI container since that's how CGI works: the HTTP environment (headers and various other stuff) is passed to the script being executed via specifically named environment variables.

--
You are in a maze of twisty little relative jumps, all alike.
Re:patched my servers last month by mhatle · 2014-09-25 13:38 · Score: 4, Informative

Fix for CVE-2014-7169 was posted only a small bit ago:
http://www.openwall.com/lists/oss-security/2014/09/26/1
Re:Question about how this works by grcumb · 2014-09-25 13:57 · Score: 5, Informative

inputs getting into environment variables which wind up eventually inside of bash.
So we agree. Good-o.
No, you twit. Bash will read the environment variables sent to it by CGI, which populates the environment parameters before you can sanitise the inputs. By the time you're ready to begin parsing and sanitising, the damage is already (potentially) done.
The implications of this are far-reaching, and the only way to be reasonably secure is to patch the bash executable.

--
Crumb's Corollary: Never bring a knife to a bun fight.
Re:Amazing... by DrugCheese · 2014-09-25 19:54 · Score: 3, Informative

Bash is an OS? You can uninstall bash and have everything run just as smooth with a replacement shell. Unlike a certain OS where you can't even remove a web browser and expect it to boot up ...

--
*DrugCheese rants*
Re:Question about how this works by pantaril · 2014-09-25 22:16 · Score: 3, Informative

but if you don't do something stupid like eval your those environment variables it doesn't turn into such a mess.
Your CGI script doesn't need to do anything at all. The rogue code injected into the env. variables is parsed and executed by bash when it sets-up the environment for your script.
Re:Suspicious screenshot by AlterEager · 2014-09-26 00:33 · Score: 4, Informative

Didn't I just say that? You'd have to explicitly invoke #!/bin/bash. I know of very few scripts that do that; most use #!/bin/sh.
Well, on my Debian unstable machine:
# find / -mount -type f | while read x ; do if [ "`head -1 $x | grep '^#\!/bin/bash'`" ]; then echo $x; fi; done 2>/dev/null /bin/zdiff /bin/fgrep /bin/zgrep /bin/zless /bin/zfgrep /bin/uncompress /bin/zcmp /bin/gzexe /bin/gunzip /bin/zegrep /bin/zforce /bin/zmore /bin/zcat /bin/egrep /bin/znew /etc/bash_completion.d/pulseaudio-bash-completion.sh /etc/auto.net /etc/auto.smb /etc/init.d/minissdpd /etc/init.d/nfs-common /var/lib/dpkg/info/bash-completion.postinst /var/lib/dpkg/info/grub-pc.preinst /var/lib/dpkg/info/grub-pc.postrm /var/lib/dpkg/info/ca-certificates-java.postinst /var/lib/dpkg/info/gdm3.prerm /var/lib/dpkg/info/desktop-base.postinst /var/lib/dpkg/info/grub-pc.postinst /var/lib/dpkg/info/bash-completion.postrm /var/lib/dpkg/info/grub-pc.prerm /var/lib/dpkg/info/dash.preinst
Ugly.
Re:Question about how this works by coofercat · 2014-09-26 00:54 · Score: 3, Informative

There are other vectors - in fact, any place that the website code (be it C, PHP, Java, Perl, whatever) runs another program *via* the shell. It depends on the language as to how this can happen. In perl, if you don't specify the full path to the thing you're calling, and you don't use a list for each argument then it'll go via the shell as a helper to make it do what you want. Obviously, anywhere you've called something as "sh -c /some/path/thing", then you're also going via the shell.
Simply calling something via the shell (or calling a shell script) isn't enough - you also need to pass some environment variables populated with user input. This seems incredibly unlikely except in CGIs. In most cases, you'd probably pass some command line arguments (maybe from user input), and you might statically set an environment variable or two (perhaps for a password or something). Those aren't a problem - it's only user input.
For anyone running CGI, you're most likely at risk. For anyone not doing so, you're probably not at risk, but code review will tell you for sure. This is no heartbleed (as the media seem to be making out), but it's pretty serious for anyone vulnerable.
As for how to scan for it - well, good luck there, it could be anywhere, and it could be nowhere. You'd literally have to scan every single URL on a site to find a problem - and even then you might still miss it.