Slashdot Mirror


First Shellshock Botnet Attacking Akamai, US DoD Networks

Bismillah writes: The Bash "Shellshock" bug is being used to spread malware to create a botnet that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named "wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

5 of 236 comments

  1. quality reporting! 16.7 addresses! by Anonymous Coward · · Score: 5, Funny

    priceless excerpt: "The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 addresses."

  2. Re:Confused. by wallsg · · Score: 5, Funny

    Italian? wopbot?

    I'm at a loss for words - other than that seems offensive, even for non-politically-correct me.

    That's only for the PC crowd. This is Linux.

  3. Re:Question about how this works by brantondaveperson · · Score: 5, Informative

    Rubbish. It certainly does not. It depends on inputs getting into environment variables which wind up eventually inside of bash. Which then goes "oh, look. code! I think I'll run that", and runs it.

    Thanks bash.

    Thash.

  4. Only the beginning by Solozerk · · Score: 5, Informative

    It's not the only botnet being constructed, see my comment here - already 653 exploited servers there right now.
    This is quite bad - as long as a bash CGI script is found by probing, exploiting only requires putting a bash command in a header such as "Cookie:" for it to be executed. And this is only through HTTP - there are also already other proofs of concept exploiting this through other bash-using services (DHCP servers for example).
    You can check if you've been scanned for exploitable CGIs using something like (adjust apache logs path accordingly):

    grep cgi /var/log/apache2/access*|egrep "};|}\s*;"

    And you can check if your bash is vulnerable using:

    env x='() { :;}; echo vulnerable' bash -c 'echo Testing...'

    If 'vulnerable' appears, it is.
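
Added example, not part of the comment above or of the original page: the log check from comment 4, widened to match the `() {` function-definition prefix in any logged field (not only on lines containing "cgi") and to read gzip-rotated logs, with hits counted per client IP. It assumes Apache combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise Shellshock-style probes per client IP.
# Assumes Apache combined log format (client IP is the first field).

# Bash function-definition prefix "() {" as sent in probe headers.
SIG='[(][)][[:space:]]*[{]'

# shellshock_probes FILE...  -> "<hits> <client-ip>", busiest first.
# Reads plain and gzip-rotated logs and checks every logged field,
# not only lines whose path contains "cgi".
shellshock_probes() {
    for f in "$@"; do
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done |
        grep -E -- "$SIG" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# write_sample_log PATH: constructed log lines for an offline run
# (documentation IP ranges, harmless "echo probe" payload).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.10 - - [26/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :;}; echo probe" "curl/7.38"
198.51.100.7 - - [26/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.sh HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2014:10:00:04 +0000] "GET / HTTP/1.1" 404 0 "-" "() { :; }; echo probe"
EOF
}

# With arguments: scan those logs. Without: run on the constructed sample.
if [ "$#" -gt 0 ]; then
    shellshock_probes "$@"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    shellshock_probes "$tmp"
    rm -f "$tmp"
fi
```

Probes carried in headers such as Cookie only show up if the server's LogFormat records that header; the default combined format logs only the request line, Referer and User-Agent.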

  5. Re:Question about how this works by grcumb · · Score: 5, Informative

    inputs getting into environment variables which wind up eventually inside of bash.

    So we agree. Good-o.

    No, you twit. Bash will read the environment variables sent to it by CGI, which populates the environment parameters before you can sanitise the inputs. By the time you're ready to begin parsing and sanitising, the damage is already (potentially) done.

    The implications of this are far-reaching, and the only way to be reasonably secure is to patch the bash executable.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.