Critical Linux, Unix, Mac security vulnerability found in bash shell
119 replies, posted
Yeah nah, it ain't working for me...
[img]http://i.imgur.com/KmnLQ9U.png[/img]
:v:
[QUOTE=SPESSMEHREN;46078096]Someone once ran a bot against my server that looked to see if the web root directory happened to be in a user's home directory, and scanned for Bitcoin, Litecoin, and Dogecoin wallets. I made a wallet.dat file and wrote "HAHAH, FUCK YOU SKIDDIE" in it, if the bot ever comes back. :v:[/QUOTE]
The worst thing is, that person probably found at least one wallet if they scanned the entire Internet. People are dumb.
[QUOTE=01271;46075107]What about things like PHP-FPM (it's a CGI) running on nginx, would that be at risk?[/QUOTE]
It's different, nginx uses FastCGI instead of plain CGI, the name might be similar but they're implemented entirely differently.
[QUOTE=pentium;46074555]Talked to my unofficial SGI rep and it seems that I'm in the green unless:
-If you use a bash script for CGI
-If you've replaced /bin/sh with bash
Neither applies to me so I'm okay.[/QUOTE]
Can't speak for the first one but for the second, all they have to do is replace "sh" with "bash" and they can still get in.
good thing I'm using windows server for old video game servers [sp]fucking kill me please oh god[/sp]
[QUOTE=Dog;46080491]good thing I'm using windows server for old video game servers [sp]fucking kill me please oh god[/sp][/QUOTE]
It's ok the last government job I had featured me trying to get the Windows Indexing Service working on Server 2008 so they could use it for their file searches. You do not know true pain until you've had to use that piece of shit.
As for Linux problems, the retards running ACF (the GMOD combat framework) used to have some files capitalized and some not, and would reference their filenames any which way they pleased. It meant if you wanted to host it on Linux you had to crawl through the fucking files and rename them/change all references to lowercase. They refused to fix this for months because "it's not a big deal" even though most server hosts ran off Linux boxes.
[QUOTE=FlakAttack;46080724]It's ok the last government job I had featured me trying to get the Windows Indexing Service working on Server 2008 so they could use it for their file searches. You do not know true pain until you've had to use that piece of shit.
As for Linux problems, the retards running ACF (the GMOD combat framework) used to have some files capitalized and some not, and would reference their filenames any which way they pleased. It meant if you wanted to host it on Linux you had to crawl through the fucking files and rename them/change all references to lowercase. They refused to fix this for months because "it's not a big deal" even though most server hosts ran off Linux boxes.[/QUOTE]
We have a user that indexes close to 200 gigs worth of Excel sheets and uses the Windows search to search the contents of them. It breaks constantly and she refuses to import the spreadsheets into Access.
[QUOTE=ArcticRevrus;46080759]We have a user that indexes close to 200 gigs worth of Excel sheets and uses the Windows search to search the contents of them. It breaks constantly and she refuses to import the spreadsheets into Access.[/QUOTE]
As a database maintainer, this is why I drink.
[QUOTE=Sam Za Nemesis;46078390]Most cyberattacks reportedly come from America[/QUOTE]
All IPs trying to log into my VPS root resolve to either Russia or China. Maybe they're controlled by Americans but the IPs doing it are Chinese.
[QUOTE=FlakAttack;46080176]Can't speak for the first one but for the second, all they have to do is replace "sh" with "bash" and they can still get in.[/QUOTE]
You're referring to the way to check whether your bash version is vulnerable.
Someone posted a command that would produce a false negative on systems where /bin/sh is not bash, but bash is the shell used to execute the command.
What /bin/sh is on your system isn't directly relevant, what matters for exploitability is whether the shell spawning a subshell (e.g. what your webserver is running under) and the command executed by it (e.g. the shebang of your CGI script) or any command executed under that (e.g. a system() call in your script that spawns a shell) are both bash.
If you run apache in bash, and your CGI script is run in bash, what /bin/sh is is completely irrelevant. But that's controlled by you, not the attacker.
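The post above boils exploitability down to one question: is bash anywhere in the chain that handles the request? Here is an added example (not code from this thread) that inventories that chain on a box: it resolves what /bin/sh really points at, and walks a CGI directory for scripts whose shebang names bash, since those run under bash no matter what /bin/sh is. The demo() function builds a constructed cgi-bin tree and two fake /bin/sh symlinks in a temp directory so it runs anywhere; the /usr/lib/cgi-bin path in the main block is an assumed default location, not something the thread states.

```python
import os
import tempfile


def resolve_shell(path="/bin/sh"):
    """Follow every symlink hop, e.g. /bin/sh -> dash on Debian, -> bash elsewhere."""
    return os.path.realpath(path)


def is_bash(path="/bin/sh"):
    """True if the interpreter the path ultimately points at is named bash."""
    return os.path.basename(resolve_shell(path)) == "bash"


def bash_shebang_scripts(directory):
    """Scripts whose shebang names bash (directly or via env) run under bash
    regardless of what /bin/sh is, so they are the ones to look at first."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, "rb") as fh:
                    first = fh.readline(256)
            except OSError:
                continue
            if first.startswith(b"#!") and b"bash" in first:
                hits.append(path)
    return sorted(hits)


def demo():
    """Constructed sample tree: four CGI scripts and two fake /bin/sh symlinks."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "run-with-bash.cgi": b"#!/bin/bash\necho ok\n",
            "run-with-env-bash.cgi": b"#!/usr/bin/env bash\necho ok\n",
            "plain-sh.cgi": b"#!/bin/sh\necho ok\n",
            "perl.cgi": b"#!/usr/bin/perl\nprint 1;\n",
        }
        cgi = os.path.join(tmp, "cgi-bin")
        os.mkdir(cgi)
        for name, body in samples.items():
            with open(os.path.join(cgi, name), "wb") as fh:
                fh.write(body)
        # Empty files standing in for the interpreters, plus symlinks the way
        # /bin/sh is set up on different distros (constructed, not real binaries).
        for shell in ("bash", "dash"):
            open(os.path.join(tmp, shell), "wb").close()
        os.symlink(os.path.join(tmp, "bash"), os.path.join(tmp, "sh-to-bash"))
        os.symlink(os.path.join(tmp, "dash"), os.path.join(tmp, "sh-to-dash"))
        return {
            "sh_to_bash_is_bash": is_bash(os.path.join(tmp, "sh-to-bash")),
            "sh_to_dash_is_bash": is_bash(os.path.join(tmp, "sh-to-dash")),
            "bash_scripts": [os.path.basename(p) for p in bash_shebang_scripts(cgi)],
        }


if __name__ == "__main__":
    print("/bin/sh ->", resolve_shell(), "(bash)" if is_bash() else "(not bash)")
    cgi_dir = "/usr/lib/cgi-bin"  # assumed common location; adjust for your server
    if os.path.isdir(cgi_dir):
        for script in bash_shebang_scripts(cgi_dir):
            print("runs under bash:", script)
    print("demo:", demo())
```

A script found by bash_shebang_scripts is only the first link; anything it spawns with system() or backticks goes through the shell again, which is the part of the chain the post says you control and the attacker does not.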
My old Sun support agent (again, a retired guy with a beard) says that Sun repeatedly questioned clients on why they needed to use bash and went out of their way to prevent it from being used.
Mark all SPARC machines running up until Solaris 10 as "pretty much immune".
It would appear that Redhat/CentOS has properly patched it this morning.
[url]https://access.redhat.com/articles/1200223[/url]
Remember, if you've updated and want to test whether the second exploit works, make sure you don't have leftovers of a previous test. The second exploit creates a file called "echo" in whatever folder you're in with the date in it.
Has anyone on Debian Jessie gotten an update for CVE-2014-7169?
[QUOTE=Revenge282;46084162]Has anyone on Debian Jessie gotten an update for CVE-2014-7169?[/QUOTE]
So far seems to not be fixed. Probably avoid using Bash until it blows over, or make sure no outward-facing systems are using Bash, or that Bash is not the primary shell. Usually in Debian, /bin/sh is symlinked to dash.
We kinda have to use Windows for our server at the moment, it's not like we can run half the games we're hosting on linux. I mean we can host separate parts of our server on linux and just the games on windows but for such a small group it doesn't really seem worth it
Apache log:
[img]http://imagizer.imageshack.com/img912/8066/GrSr01.png[/img]
Am I in trouble? Why? My website isn't used by ANYONE.
[editline]27th September 2014[/editline]
can I even trust my server? should I just destroy it and start over?
ugh
That means someone is [b]attempting[/b] to use the exploit on you.
As long as "/bin/ping -c 1 <IPaddr>" or similar commands are all that are appearing, you're in the clear (since the attackers would realize you're not vulnerable).
[QUOTE=bitches;46086751]Apache log:
[img]http://imagizer.imageshack.com/img912/8066/GrSr01.png[/img]
Am I in trouble? Why? My website isn't used by ANYONE.
[editline]27th September 2014[/editline]
can I even trust my server? should I just destroy it and start over?
ugh[/QUOTE]
It's nothing personal. They're scanning every IP in the IPv4 address space, so basically the entire internet.
[QUOTE=lavacano;46087224]That means someone is attempting to use the exploit on you.
As long as "/bin/ping -c 1 <IPaddr>" or similar commands [B]are that are (????)[/B] appearing, you're in the clear (since the attackers would realize you're not vulnerable).[/QUOTE]
Could you elaborate? I'm not sure what you mean.
That was the only line in my apache log that was suspicious, but I don't know what else to check.
[editline]27th September 2014[/editline]
as far as I know by the various testing methods, I am vulnerable?
It has been being exploited since like whenever.
I shut down as soon as I knew, but that was twelve hours into this dealio.
[QUOTE=bitches;46093311]Could you elaborate? I'm not sure what you mean.
That was the only line in my apache log that was suspicious, but I don't know what else to check.
[editline]27th September 2014[/editline]
as far as I know by the various testing methods, I am vulnerable?[/QUOTE]
i accidentally a word
that's supposed to say "are [u]all[/u] that are"
But how do they figure that I'm not vulnerable? The date tests and whatnot suggest that I am. Or is it the case that they were collecting vulnerable IPs with plans on doing more at a later date?
what I'm really asking is: should I just update my server, or do I need to nuke everything and start over?
It's just a probe, they haven't gotten into your server (most likely).
And if you're not running anything vulnerable (CGI, etc.) then they wouldn't be able to get in.
[QUOTE=Natrox;46074191]209.126.230.72 - - [24/Sep/2014:22:58:18 -0400] "GET / HTTP/1.0" 200 902 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
Same here.[/QUOTE]
Where do you find your Apache logs on an Ubuntu 12.04 distro?
Also, how do I patch this?
[QUOTE=bitches;46094240]But how do they figure that I'm not vulnerable? The date tests and whatnot suggest that I am.[/QUOTE]
The date tests? You mean the fact that these accesses show up in your log?
Some people are trying this on literally every host on the IPv4 Internet, everyone who runs a webserver has a couple of these attempts in their logs. It's no indication that the attempts were actually successful against you.
[QUOTE]Or is it the case that they were collecting vulnerable IPs with plans on doing more at a later date?[/QUOTE]
That script pings their server if executed, meaning they're collecting vulnerable IPs. Most likely for statistics, or plain curiosity, as you could just include your malicious code in the first round if you were trying to take control of systems.
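Since several people in this thread are staring at access.log wondering what the "() { :; }; ping ..." lines mean, here is an added example (not code from the thread or from any of the posters) that scans Apache combined-format log lines for that exported-function pattern in the request, Referer and User-Agent fields, the headers a CGI handler copies into the environment. The sample log is constructed for the example except for the shellshock-scan line quoted earlier in the thread; the 198.51.100.7 and 203.0.113.5 addresses are documentation ranges, not real scanners. The triage note follows the point made above: a probe in the log is not evidence it ran.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# The bash exported-function prefix that every Shellshock probe has to carry:
# "() {" with optional whitespace, as in the "() { :; }; ping -c 11 ..." line above.
PROBE_RE = re.compile(r'\(\s*\)\s*\{')

# Header-derived fields a CGI handler exports into the environment.
SUSPECT_FIELDS = ("request", "referer", "agent")

SAMPLE_LOG = [
    # benign request (constructed)
    '203.0.113.5 - - [27/Sep/2014:10:01:02 -0400] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # the scan line quoted earlier in this thread
    '209.126.230.72 - - [24/Sep/2014:22:58:18 -0400] "GET / HTTP/1.0" 200 902 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"',
    # constructed probe in the User-Agent, in the "/bin/ping -c 1 <IPaddr>" shape mentioned above
    '198.51.100.7 - - [27/Sep/2014:11:15:44 -0400] "GET /cgi-bin/status HTTP/1.1" 404 288 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    # junk line that must be skipped rather than crash the scan (constructed)
    'not a log line',
]


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_lines(lines):
    """One finding per log entry whose request/Referer/User-Agent carries a probe."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for field in SUSPECT_FIELDS:
            if PROBE_RE.search(entry[field]):
                findings.append({
                    "ip": entry["ip"],
                    "timestamp": entry["ts"],
                    "status": int(entry["status"]),
                    "field": field,
                    "payload": entry[field],
                })
                break  # one finding per line is enough for triage
    return findings


def triage_note(finding):
    """What the status code does and does not tell you about the probe."""
    status = finding["status"]
    if status >= 400:
        return "no handler ran (HTTP %d); nothing executed for this request" % status
    return ("a handler answered (HTTP %d); that only matters if the path is a CGI "
            "script running under bash" % status)


def count_by_source(findings):
    """Probes per source address, to see whether it is one sweep or a repeat visitor."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    import sys
    # Usage: python shellshock_log_scan.py /var/log/apache2/access.log
    lines = list(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOG
    found = scan_lines(lines)
    for f in found:
        print("%s %s [%s] %r -> %s" % (f["timestamp"], f["ip"], f["field"],
                                        f["payload"], triage_note(f)))
    print("probes per source:", count_by_source(found))
```

The scan tells you who knocked and with what; it cannot tell you whether the knock worked. For that you have to answer the question from the earlier post: does the path that was hit run a CGI script under bash?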
[QUOTE=UserNotFound;46094507]Where do you find your Apache logs on an Ubuntu 12.04 distro?
Also, how do I patch this?[/QUOTE]
The log he is posting a snip from is most probably /var/log/apache2/access.log
Also, to patch it just run "sudo apt-get update && sudo apt-get upgrade", the patch is in the repos.
[QUOTE=Anderen2;46096084]The log he is posting a snip from is most probably /var/log/apache2/access.log
Also, to patch it just run "sudo apt-get update && sudo apt-get upgrade", the patch is in the repos.[/QUOTE]
Hmm, I've been noticing messages about running apt-get upgrade when I log in via PuTTY, but I never touched that stuff for fear of screwing up my VPS.
Guess I should finally run it...oh wait, I just logged in to check the messages:
[quote]309 packages can be updated
201 updates are security updates
New release '14.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it[/quote]
I'd upgrade to 14.04 but I'm running 12.04.2 LTS as I heard bad things about 14.04.1 when I first bought this VPS. I'm also running some TF2 servers, a Fistful of Frags server and a Minecraft server off of this thing, and I don't want to have future troubles with 14.04 resulting in a downgrade. I've had this VPS for close to a year and have never upgraded a thing.
Should I upgrade to 14.04? Also how do I check these 309 updatable packages?
[editline]edit[/editline]
Running that update/upgrade command updated most of the updatable packages and removed the message from the screen. However, 25 of them failed to install due to "E: Sub-process /usr/bin/dpkg returned an error code (1)". I've Googled that and am looking into it now.
[QUOTE=UserNotFound;46097310]Hmm, I've been noticing messages about running apt-get upgrade when I log in via PuTTY, but I never touched that stuff for fear of screwing up my VPS.
Guess I should finally run it...oh wait, I just logged in to check the messages:
I'd upgrade to 14.04 but I'm running 12.04.2 LTS as I heard bad things about 14.04.1 when I first bought this VPS. I'm also running some TF2 servers, a Fistful of Frags server and a Minecraft server off of this thing, and I don't want to have future troubles with 14.04 resulting in a downgrade. I've had this VPS for close to a year and have never upgraded a thing.
Should I upgrade to 14.04? Also how do I check these 309 updatable packages?
[editline]edit[/editline]
Running that update/upgrade command updated most of the updatable packages and removed the message from the screen. However, 25 of them failed to install due to "E: Sub-process /usr/bin/dpkg returned an error code (1)". I've Googled that and am looking into it now.[/QUOTE]
You could just backup all essential data, upgrade, and if upgrading fails, ask your provider to upgrade it (100% loss of data unless backed up), and then restore the required data from backup and continue as planned.