Slashdot Mirror


First Shellshock Botnet Attacking Akamai, US DoD Networks

Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named "wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

3 of 236 comments

  1. Re:Question about how this works by _xeno_ · Score: 4, Insightful

    I'm confused about how you can scan for vulnerable systems.

    You and everyone else.

    The attack surface is "anywhere you can influence the values of environment variables prior to bash being run." Where exactly is that? Well...

    The easiest example of that is CGI scripts, where the web server will set environment variables to values that are taken directly from HTTP headers. If the CGI script is a bash script (why would you do that?) or ever happens to fork out to a bash script in any way (that's more understandable), it's vulnerable.

    But that's just one example. Any place a remote value gets stuck straight into an environment variable and a bash script gets run is vulnerable. And people are almost certainly going to slowly find more and more places where that's the case.

    If you just want to know if you're vulnerable, there are one-liners that will determine if you're still vulnerable, but since the first fix didn't, chances are, you very well could be.

    --
    You are in a maze of twisty little relative jumps, all alike.
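
The CGI case described in the comment above, from the defender's side, as an added example that is not part of the original thread: it maps request headers to CGI environment variables and flags values shaped like a bash function definition before a child process would inherit them. The function names, the `() {` prefix check and the sample request are assumptions constructed for illustration.

```python
import re

# An unpatched bash treats an environment value beginning with the literal
# prefix "() {" as an exported function definition when it starts up.
# This pattern is deliberately a little looser (it tolerates extra spaces).
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

def cgi_env_from_headers(headers):
    """Map request headers to CGI meta-variables the way a CGI gateway does
    (RFC 3875): upper-case the name, '-' becomes '_', prefix 'HTTP_'."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length are passed without the prefix.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env

def flag_function_like(env):
    """Return the names of variables whose value looks like a bash function
    definition; a remote client has no legitimate reason to send one."""
    return sorted(k for k, v in env.items() if FUNC_PREFIX.match(v))

def scrub(env):
    """Drop flagged variables before handing the environment to a child."""
    bad = set(flag_function_like(env))
    return {k: v for k, v in env.items() if k not in bad}

# Constructed sample request (not real traffic); the command part of each
# suspicious header is replaced by a placeholder.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :; }; <attacker command elided>",
    "Accept": "*/*",
    "Referer": "  () {ignored;}; <attacker command elided>",
}

if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    print("flagged:", flag_function_like(env))
    print("passed to child:", sorted(scrub(env)))
```

Filtering like this only narrows the CGI path; any other place where a remote value reaches an environment variable still depends on bash itself being patched.
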
  2. Re:patched my servers last month by tjb6 · Score: 4, Insightful

    Well...
    As a software engineer they expect me to be a sysadmin.

    Seriously!
    Shell scripts have been known to be basically insecure for a long time. Why would you expose one to a web or network interface?

    Of course, that just leaves ssh, but at least some authentication SHOULD be required there.

  3. Use the bug to patch the bug by itamblyn · Score: 4, Insightful

    If shellshock lets remote users execute arbitrary shell commands, should we just run a scan of the whole internet (https://github.com/robertdavidgraham/masscan), and issue apt-get update & apt-get upgrade? Use the bug to patch the bug?