Shellshock: 'Larger scale attack' on its way, warn securo-bods

The Shellshock vulnerability has already become the focus for malicious scanning and at least one botnet but crooks are still testing the waters with the vulnerability and much worse could follow, security watchers warn. Net security firm FireEye said it has seen all manner of overtly malicious traffic leveraging the Bash bug …

  1. Anonymous Coward
    Unhappy

    We're all going to die!!!!!!

    1. Destroy All Monsters Silver badge

      Lord Keynes, please!

    2. Anonymous Coward
      Anonymous Coward

      Quick - patch them all with Windows Server!!!!

  2. channel extended
    Linux

    Windows vs Linux

    Found another hole in Windows, 1 of 10,000. Ho hum... another day, same sh!t.

    Found a hole in a part of the Linux ecosystem. PANIC! Panic! We're all gonna die!! The terrorists are winning!! Hackers are going to steal ALL our data!! Yahoo! Had! A! Sale! On! Exclamation! Points!

    1. Brewster's Angle Grinder Silver badge

      Re: Windows vs Linux

      This isn't another "hole" in the fence; it's an open back door into every vulnerable system.

      1. Anonymous Coward
        Anonymous Coward

        Re: Windows vs Linux

        > every vulnerable system.

        Soooo...nothing based on the Debian stack then. Or BusyBox. Or... Unlike Windows, Linux enjoys centralised management for *ALL* software (not just MS). As the patches now flow, they should get applied quickly.

        Also the firewall rules will get a tweak to filter out attempts.

        Like Y2k, this /could/ be a problem but it /won't/ be as the work is getting done.

        1. Anonymous Coward
          Anonymous Coward

          Re: Windows vs Linux

          "As the patches now flow, they should get applied quickly."

          Uhm yeah - and by the 4th or 5th go they might have a patch that actually works.

    2. Anonymous Coward
      Anonymous Coward

      Re: Windows vs Linux

      That's because only an idiot trusts Windows to do real work. When it gets compromised, it's annoying; if Linux gets compromised, that's a potential disaster, as that's where the business gets done.

      1. Anonymous Coward
        Anonymous Coward

        Re: Windows vs Linux

        "When it gets compromised, it's annoying; if Linux gets compromised, that's a potential disaster, as that's where the business gets done."

        Strange that 75% of the x86 server market is Windows then (as per Forbes)....there must be a lot of idiots out there. Or perhaps you are the idiot....

        1. Chairo
          Happy

          Re: Windows vs Linux

          @AC

          Strange that 75% of the x86 server market is Windows then (as per Forbes)....there must be a lot of idiots out there. Or perhaps you are the idiot....

          I would up-vote you for realizing that there are many idiots out there, but I would have to down-vote you at the same time for implying one of them could be a fellow commentard.

          1. Stuart 22

            Re: Windows vs Linux

            But I bet that 20% of the servers are doing 80% of the work. And most of those public facing ones are running Linux methinks.

            Still patched mine within minutes of release (Linux repositories are a great way of getting stuff fixed fast). And had I not then the default setting on my WHM/cPanel setup would have done it within hours. That covers a substantial section of the vulnerable systems for starters.

            Nothing is foolproof, but the odds (and that's the important issue here) are that with open systems problems can be verified fast and we are not reliant on one actor, who has other considerations, to fix it. Panics are good so everyone can see the problem and see the fix. And sort it if it isn't really a fix.

        2. Anonymous Coward
          Anonymous Coward

          Re: Windows vs Linux

          "Strange that 75% of the x86 server market is Windows then (as per Forbes)....there must be a lot of idiots out there. Or perhaps you are the idiot...."

          Oh there's idiots all right; one of which is you! No public link (I can't find any Forbes analysis of OS market share) and you are off by a factor of 2.

          https://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers_on_the_Internet

  3. Nate Amsden

    run for the hills!

    or not, yawn. this bug is overrated

    1. Brian Miller

      Re: run for the hills!

      One of the things that drives me really nuts is that a server is not supposed to be using Bash for its system accounts. And yet X number of numpties have set the systems up that way. Bourne, and its alternate, Dash, don't offer the attack surface that Bash does, and are the defaults. So whoever is getting pwned by this bug had to go and work their way around a large number of security practices, any one of which would have mitigated the problem.

      1. elip

        Re: run for the hills!

        You *do* realize that most of us enterprisey Linux shops run a non-Debian based distro? Sane admins don't eff around with the default system shell or the root account's environment for that matter.

      2. Destroy All Monsters Silver badge
        Thumb Down

        Re: run for the hills!

        > a server is not supposed to be using Bash for its system accounts

        Care to explain why?

        "I'm so secure I shit bricks, my CPU only runs NOPs"

        1. HankMoody

          Re: run for the hills!

          Because giving a service account a default shell widens your attack vector. In most commercial Linux distros system accounts are created to run services/applications. You never want to give a system account a shell to interact with because it doesn't need it.

          The default shell is generally /sbin/nologin or /bin/false. There are subtle differences between the two options, but the end result is you cannot interactively log in with an account set up this way. Applications are generally started and stopped via init or systemd, so the system account having a shell is not necessary.

          If you're remediating this vulnerability, the first thing you should do is figure out what services you're running that could be vulnerable to this exploit, make the necessary configuration changes to fix those issues, then move on to applying the patches for whatever distro you're using. The reason applying the patches is last on the list is because they are still trying to figure out what to do to solve this vulnerability.
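
The two checks that the remediation order above implies, written out as an added example (this is not code from the article or from any commenter in the thread): list the service accounts that have been handed an interactive shell, and verify whether the local bash still honours the CVE-2014-6271 function-import trick after patching. The /etc/passwd lines are constructed for the example, and UID_MIN=1000 is an assumption (older RHEL-family systems used 500).

```shell
#!/bin/sh
# Added example, not from the article or any comment above. Two checks that
# the remediation order in the thread implies: find service accounts that have
# been given an interactive shell, and verify whether the local bash still
# accepts the CVE-2014-6271 function-import trick. The passwd lines are
# constructed; UID_MIN=1000 is an assumption (older RHEL-family systems used 500).

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# Print, space separated, every system account (0 < UID < UID_MIN) whose login
# shell is neither nologin nor false. Root is skipped: it legitimately has one.
service_accounts_with_shell() {
  awk -F: -v uid_min="${UID_MIN:-1000}" '
    $3 + 0 != 0 && $3 + 0 < uid_min + 0 && $7 !~ /\/(nologin|false)$/ {
      names = names (names ? " " : "") $1
    }
    END { print names }' "$1"
}

# Canonical CVE-2014-6271 probe. The exported value is a function definition
# followed by a command; a patched bash stops parsing at the closing brace, a
# vulnerable one runs the trailing command as the child shell starts up.
shellshock_check() {
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
  if env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null | grep -q vulnerable; then
    echo vulnerable
  else
    echo patched
  fi
}

echo "service accounts with an interactive shell: $(service_accounts_with_shell "$SAMPLE_PASSWD")"
echo "local bash: $(shellshock_check)"
# To lock one of them down (as root): usermod -s /sbin/nologin apache
```

On the constructed file the audit names apache and postgres (daemon and mysql already have non-login shells, alice is a human account); the probe prints "patched" on any bash carrying the fixes, "vulnerable" on an unpatched one.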

  4. present_arms

    If they can't be arsed to update bash and associated libraries that's their look out.

    1. FrankAlphaXII

      Well if you have networking infrastructure, like a cable modem or router that uses Linux and for some stupid reason uses bash as its shell (why they'd do that is beyond me, but I know a few products that do) you may not ever get an update for it because the manufacturers for the most part are pretty piss poor about firmware updates as it is.

  5. Dan Paul

    The problem is...

    when you have a "hole" in servers and routers and embedded systems, it's a lot more serious than a windows trojan.

    Some of these systems run some pretty critical infrastructure that I won't advertise to the "Russian Business Network".

    If I were in charge of that infrastructure, I would be running around disconnecting them from the outside world. Failing that, a hot glue gun should fill a lot of ethernet ports.

    1. Anonymous Dutch Coward

      Re: The problem is...

      I appreciate your sentiments but...

      If you were running that infrastructure, why would you allow access to those routers and embedded systems in the first place? Using things like management VLANs, VPN, SSH and doubtlessly more modern stuff I haven't kept up with?

      Ok, critical web server with CGI+bash vulnerability I can understand...

      1. vagabondo

        Re: The problem is...

        "Ok, critical web server with CGI+bash vulnerability I can understand..."

        Can someone please explain a scenario where a production web server would need CGI plus any shell? I just cannot envision the need for a web server to run under an account with a login or shell, or for a CGI program to have to call a shell. If admins need a CLI shell for maintenance then the shell could be made executable only by the "wheel" group or equivalent (maybe "users" on a shared hosting platform, but certainly not mysql, wwwrun, etc.).

        1. Synonymous Howard

          Re: The problem is...

          Bash is not just a CLI shell as such... it's a scripting language processor (like Ruby, Perl, etc). So for example, you could call other applications from within, say, PHP...

          http://www.devx.com/opensource/Article/40785

          [interesting that particular link talks about bash on Windows 8-]

    2. eulampios

      Do not exaggerate

      >>when you have a "hole" in servers and routers and embedded systems, it's a lot more serious than a windows trojan.

      It's true, but only provided those routers and embedded systems do have it. Most probably they don't. Even if they do, they have to allow the shell to take input from the outside world to be vulnerable. As for the servers and other systems, the only rightful real problem is the dhclient-script and a slim chance that the neighbour's/random wifi router you happen to connect to is waiting there for you.

      Any shell language used for CGI really deserves all the current consequences. Those who survive this will be taught a good lesson... one hopes.

      Now let's compare it with Windows worms, like Conficker, Loveletter?

      And BTW, even my LMDE system (which is usually a bit slower than the others) has received the latest update now.

  6. Anonymous Coward
    Anonymous Coward

    Attacks don't matter much

    How many live servers have actually been captured? That's the important number.

    My home SMTP server was attacked over a million times in one year in the 00's, but none of them got through.

    1. elip

      Re: Attacks don't matter much

      At the current time it's *only* about 70,000 machines... yeah, you're right, who cares!

      1. Anonymous Coward
        Anonymous Coward

        Re: Attacks don't matter much

        "At the current time it's *only* about 70,000 machines... yeah, you're right, who cares!"

        Correct. I don't give a toss. Probably 100 times that number of apache sites have been attacked in the same period. Do you care? It's meaningless.

      2. JEDIDIAH
        Linux

        Re: Attacks don't matter much

        It's 70K machines that have been attacked. Not 70K machines that have been compromised.

        World of difference there.

  7. gerryg

    Trend Micro...

    ...appears to be some kind of Microsoft shop

    just saying

  8. banjomike

    Some of the suspicious activity seems to be originating from Russia.

    Well, that is a shock...

  9. heyrick Silver badge
    Alert

    Some of the suspicious activity seems to be originating from Russia.

    You know, that statement still holds true if there have been a thousand attacks....and five of them from Russia. Maybe.

    Put a percentage on it or STFU.

  10. Anonymous Coward
    Anonymous Coward

    hype

    As time goes by it is slowly but surely becoming apparent that too many yellow journalists/ bloggers and security companies dying for publicity have in effect been "Chicken Little" claiming the sky is falling.

    All these Bash shell one-liner tests are idiotic. I can run 'rm -rf *' in my bash shell and destroy my computer; that doesn't prove it's vulnerable. The fact is that a hacker would have to find an injection point. This BASH issue provides no such injection point; it can only be "used" once an injection point is found.

    When you delve into expert forums and really learn about this issue, it's pretty much a "patch and move on" feeling. Far short of the Chicken Little scenarios posted by the clueless reading other clueless inflamed posts.
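
An added example, not code from the article or from any commenter, for the two points the thread keeps circling: Synonymous Howard's observation that bash gets invoked from PHP/CGI, and the question above of where the injection point is. The first function reproduces the CGI header-to-environment mapping that is the injection point; the second scans access-log lines for the same marker. The HTTP request, the three Apache combined-format log lines, the addresses, paths and payload are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the article or any comment. Constructed inputs: one
# raw HTTP request as a CGI-enabled server receives it, and three Apache
# combined-format access-log lines. IPs, paths and the payload are made up.

SAMPLE_REQUEST=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_REQUEST" "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_REQUEST" <<'EOF'
GET /cgi-bin/status.cgi HTTP/1.1
Host: www.example
User-Agent: () { :;}; echo INJECTED
Accept: */*

EOF
cat >"$SAMPLE_LOG" <<'EOF'
198.51.100.7 - - [25/Sep/2014:09:12:41 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo INJECTED"
203.0.113.5 - - [25/Sep/2014:09:12:43 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:09:13:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; echo INJECTED" "curl/7.37.0"
EOF

# 1. The injection point. Per RFC 3875 a CGI server exports every request
#    header as HTTP_<NAME> (upper-cased, "-" to "_") before exec'ing the
#    handler, so User-Agent, Cookie, Referer and any custom header reach the
#    environment of whatever shell the handler starts, including the /bin/sh
#    behind PHP's shell_exec(), which is bash on RHEL-family systems. This
#    reproduces that mapping for the request in "$1" (stops at the blank line).
request_to_cgi_env() {
  awk -F': ' '
    NR == 1 { next }
    /^$/ { exit }
    {
      name = toupper($1); gsub(/-/, "_", name)
      print "HTTP_" name "=" substr($0, length($1) + 3)
    }' "$1"
}

# A value starting with "() {" is what a vulnerable bash treats as an imported
# function and keeps parsing past the closing brace.
is_function_def() {
  printf '%s' "$1" | grep -Eq '^[[:space:]]*[(][)][[:space:]]*[{]'
}

# Names of the CGI variables in "$1" that a vulnerable bash would execute.
injected_headers() {
  request_to_cgi_env "$1" | while IFS= read -r kv; do
    if is_function_def "${kv#*=}"; then echo "${kv%%=*}"; fi
  done
}

# 2. Detection. Referer and User-Agent are logged verbatim in the combined
#    format, so the same marker is visible after the fact. Prints "ip path".
shellshock_log_hits() {
  grep -E '[(][)][[:space:]]*[{]' "$1" | awk '{ print $1, $7 }'
}

echo "headers a vulnerable bash would execute:"; injected_headers "$SAMPLE_REQUEST"
echo "access-log hits:"; shellshock_log_hits "$SAMPLE_LOG"
```

On the constructed request only HTTP_USER_AGENT carries the marker; on the constructed log the two /cgi-bin/status.cgi requests from 198.51.100.7 are reported and the ordinary browser request is not. The log check only catches the unobfuscated form; it shows the attempt, not whether the shell behind the handler actually ran it, which is the distinction JEDIDIAH draws further down.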

    1. diodesign (Written by Reg staff) Silver badge

      Re: hype

      "The fact is that a hacker would have to find an injection point."

      Which are really easy to find. But you're right: patch and move on. If you can patch, that is. And if you've patched in time.

      C.

      1. handledadog

        Re: hype

        "Which are really easy to find. But you're right: patch and move on. If you can patch, that is. And if you've patched in time"

        Then you're using the wrong distro. Let me guess: Redhat?

        All our machines were patched within minutes of the releases days ago.
