Criminals broke into Yahoo servers through abuse of Bash bug


Attackers are said to have recently broken into Yahoo's servers using the recently discovered bug in Bash. They may also have gained access to Lycos and WinZip servers by the same method, a security researcher claims.

The researcher, Jonathan Hall, discovered that alleged Romanian attackers had gained access to at least two Yahoo servers. To do this, they made use of a recently discovered vulnerability in the Bash shell, which makes it possible to execute malicious code. Presumably, the attackers used the bug to create a botnet of Unix hosts.

Hall found out about the attack after a script probed one of his servers for the presence of the Bash bug. He then used Google together with a self-written exploit to see which servers appeared to be vulnerable to the bug. In this way Hall discovered that Lycos and the site of the popular archiving program WinZip were also affected. On one of the latter's servers he found a rogue Perl script in the cgi-bin directory, which he identified as ha.pl.

Hall alerted the FBI and the affected companies over the weekend. WinZip has since patched its servers, the researcher said, and Yahoo is also said to be closing the vulnerability, as an employee informed Hall, who put a screenshot of the email exchange online as proof.

The vulnerability in Bash, also known as Shellshock, came to light last month. It allowed attackers to place their own code in an environment variable, which is then executed as soon as the system starts a Bash session. Many applications rely on shell scripts, and some of them can be reached over the internet, for example CGI scripts.
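The CGI exposure described above, as an added example that is not part of the original article: a small Python scanner that flags Shellshock-style Bash function definitions in the HTTP header fields a CGI server copies into environment variables. The log lines are constructed in Apache "combined" format, and the addresses and paths in them are assumptions, not values from the article.

```python
import re
from typing import Dict, List

# Constructed sample log lines (Apache "combined" format), not from the article.
# A CGI handler copies request headers such as User-Agent and Referer into
# environment variables before starting the script, which is why those fields
# are the ones inspected here.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/id"
198.51.100.23 - - [29/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [29/Sep/2014:10:12:09 +0000] "GET /cgi-bin/ha.pl HTTP/1.1" 404 310 "() { :;}; /usr/bin/id" "curl/7.37.0"
"""

# One combined-format line: client IP, identity, user, timestamp, request line,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash only treats an environment value that begins with exactly "() {" as an
# exported function definition; the pattern is kept slightly looser so that
# padding or logging artifacts around the prefix do not hide a hit.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per header field that carries a function-definition prefix."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; nothing to inspect
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) >= 2 else m.group("request")
        for field in ("referer", "agent", "request"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "path": path,
                             "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print(hit)
```

A 404 on a probed path still shows up, since the request reveals the probing even when no script ran; a 200 against a cgi-bin path is the case that warrants checking the host for the patch and for dropped files.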

Software developers squashed the bug in the Bash shell, which mostly affected Linux users, a few days later. That took two patches, after it turned out that the first was incomplete. Apple, which ships the Bash shell with OS X, is also preparing a patch. OS X users were not vulnerable by default, but only if they had configured "advanced" Unix services themselves, according to Apple.
