Puppy Linux Discussion Forum
White hat claims Yahoo and WinZip hacked by “shellshock” exp
James C

Joined: 26 Mar 2009
Posts: 6734
Location: Kentucky

Posted: Wed 08 Oct 2014, 17:49    Post subject: White hat claims Yahoo and WinZip hacked by “shellshock” exp

White hat claims Yahoo and WinZip hacked by “shellshock” exploiters


A security researcher claims to have uncovered a botnet being built by Romanian hackers using the “Shellshock” exploit against servers on a number of high-profile domains, including servers at Yahoo and the utility software developer WinZip. Jonathan Hall, president and senior engineer of technology consulting firm Future South Technologies published a lengthy explanation of the exploits and his communications with the exploited on his company’s website this weekend and said that Yahoo had acknowledged finding traces of the botnet on two of its servers.

Hall found the botnet, he said, by tracking down the source of requests that probed one of his servers for vulnerable CGI server scripts that could be exploited using the Shellshock bash vulnerability. That security flaw allows an attacker to use those vulnerable server scripts to pass commands on to the local operating system, potentially allowing the attacker to take remote control of the server. Hall traced the probes back to a server at WinZip.com. He then used his own exploit of the bash bug to check the processes running on the WinZip server and identified a Perl script running there named ha.pl.

After extracting the contents of the script, Hall discovered that it was an Internet Relay Chat (IRC) bot similar to ones used to perform distributed denial of service attacks on IRC servers. However, as he examined it more closely, he found that it “appeared to focus more on shell interaction than DDoS capabilities,” he wrote. According to Hall, it takes remote control of the server, while using its IRC code to report back to an IRC channel (called, creatively, #bash). The code was also heavily commented in Romanian.

Joined: 23 Oct 2007
Posts: 1746

Posted: Fri 10 Oct 2014, 09:50    Post subject:

Opinion: this is the more immediate threat for Puppy users, that some service they rely on out on the Internet will be compromised, not that anyone will attack their personal system.

Of course, if you leave your system unpatched long enough, then eventually someone will get around to exploiting the vulnerability. However, right now the threat comes from processes that don't even run on your machine. When you set up a secure socket connection with a remote server handling some sensitive transaction you can be fairly confident the encryption will prevent attacks on data in transit. What no encryption scheme can prevent is exploitation of a server at the end of the pipeline which has already been compromised, but not yet recognized as such.

While current operation of SSH uses public key cryptography to protect users without having all keys issued by a central authority, this still depends on a trusted authority which keeps track of the correspondence between public keys and named entities using them. We have all by now been exposed to the problem of people on the Internet not always being who they claim to be. Many have also discovered that data they thought kept secret by a well-known business had ended up in the hands of the last people they would trust. This phase of the problem is still very active, though so far, the results have not been dramatic. It appears the blackhats were also taken by surprise.

In addition to the serious problem of communicating with a server at the other end of the pipeline which is itself compromised we have another nasty possibility getting less attention at the moment. You tend to trust your ISP to perform some basic operations required to set up secure communication. If servers there are compromised it is quite possible you will fall victim to a "man in the middle" attack. Your secure socket to an uncompromised site may actually be connecting you to someone else who filters and alters your communication, then passes it along using another secure socket. There are more details to sort out to exploit this, but that is the basic idea. My recent experience with a local ISP indicates they are not exactly swift at resolving problems, even when these are not the result of hostile action. They are barely maintaining normal operations at the best of times.

The "long tail" of the vulnerability will come when Internet appliances with firmware seldom -- if ever -- updated, are used to break into poorly policed small networks. (Here's an example of one used to manage multiple systems on a business network. That vendor at least recognizes the need for a hotfix.) I can't tell you how many appliances have a cute web interface put together with shell scripts using bash. A major supplier like Cisco, whose main business is connected with routers, will probably do a good job of issuing updates for existing equipment, (which individual users of equipment may or may not apply). Smaller firms, for whom reputation for web security is less important are likely to abandon customers who bought older devices. Here's a recent article about the effect on "the Internet of Things".

Added: I've already gone a round with one person convinced they were not vulnerable because they "never pass strings from untrusted sources to run system commands without validating these". They were slow to catch on that having bash unintentionally reparse variable strings altered by users could allow a syntax error to execute new commands. False belief that you are not vulnerable will be a continuing problem.
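The probe-hunting described in the first post (requests probing CGI scripts) and the reparsing problem described in the post above can both be checked for on a web server's own logs. The following is an added Python example, not code from the forum or from the article it quotes: it scans Apache combined-format log lines for the Shellshock function-definition signature in the client-controlled fields a CGI server copies into the environment. The log lines, addresses and field names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The Shellshock trigger: an environment value that starts with a bash function
# definition "() { ... }" and carries extra text after the closing brace, which
# an unpatched bash parses and runs while importing the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Oct/2014:17:49:01 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo; echo vulnerable"
198.51.100.23 - - [08/Oct/2014:17:50:12 -0400] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.0" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [08/Oct/2014:17:51:30 -0400] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [08/Oct/2014:17:52:03 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.38.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_shellshock_probe(entry):
    # User-Agent, Referer and the query string all end up in the CGI environment
    # (HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING). URL-decode first so a
    # percent-encoded payload in the request line is not missed.
    return any(SHELLSHOCK_RE.search(unquote(entry[f])) for f in ("agent", "referer", "request"))

def find_probes(log_text):
    """Return (source ip, requested path) for every line carrying the signature."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_shellshock_probe(entry):
            parts = entry["request"].split()
            hits.append((entry["ip"], parts[1] if len(parts) > 1 else entry["request"]))
    return hits

def probe_sources(log_text):
    """Distinct probing addresses, the starting point for tracing a scan back."""
    return sorted({ip for ip, _ in find_probes(log_text)})

if __name__ == "__main__":
    for ip, path in find_probes(SAMPLE_LOG):
        print(f"shellshock probe from {ip} against {path}")
    print("sources:", probe_sources(SAMPLE_LOG))
```

A hit only shows that a probe arrived; whether the script behind that path actually invoked an unpatched bash is a separate question answered by patching and by the test in the post above.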

Joined: 12 May 2008
Posts: 2017
Location: N.E. USA

Posted: Mon 13 Oct 2014, 15:52    Post subject:

GRC is also reporting on cert-spoofing at major websites such as Yahoo.

Details at https://www.grc.com/fingerprints.htm

Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."