Critical Linux, Unix, Mac security vulnerability found in bash shell
I did the tests on shellshocker.net
[QUOTE=Anderen2;46096084]The log he is posting a snip from is most probably /var/log/apache2/access.log
Also, to patch it just run "sudo apt-get update && sudo apt-get upgrade", the patch is in the repos.[/QUOTE]
I did this, and then did curl [url]https://shellshocker.net/fixbash[/url] | sh
The test commands seem to fail now. Am I good?
I updated and patched bash on Ubuntu 14.04 but it's still vulnerable to one of the exploits.
Great, did the apt-get update and apt-get upgrade stuff, and my site stopped working. The commands were telling me at least 25 packages failed to update for whatever reason and I didn't know how to fix that.
Plus, it was telling me a server restart was required when I logged into PuTTY. So I rebooted my VPS and now it seems to be taking forever to load back up.
Aaaand it's failed to come back up, and technicians have apparently been alerted to the issue. Wonderful.
[editline]edit[/editline]
Technician restarted, the site still doesn't work and best of all, my entire /home/ directory has been wiped. I had 4 TF2 servers, a Fistful of Frags server and a Minecraft server hosted in the /home/ directory and now that's all gone.
Did you have /home in a separate partition? If so, then check if that's actually getting mounted.
Did you use the -f (Force) Flag in your update/install query? I hope not...
Why are you hosting shit from the /home/ directory?
One of the other forums I frequent is full of old unix people with beards and they're laughing at this.
[quote][code]$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh[/code]
fuggeddaboutit....[/quote]
[quote][quote]fuggeddaboutit....[/quote]
On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.[/quote]
[img]http://dilbert.com/dyn/str_strip/000000000/00000000/0000000/000000/20000/1000/000/21021/21021.strip.print.gif[/img]
[QUOTE=kaukassus;46102603]Why are you hosting shit from the /home/ directory?[/QUOTE]
Nothing wrong with hosting game servers from the home directory. It's actually better to have them all in one place as it makes for easy organization and easy backup.
[QUOTE=GiGaBiTe;46102924]Nothing wrong with hosting game servers from the home directory. It's actually better to have them all in one place as it makes for easy organization and easy backup.[/QUOTE]
The /home/ dir is not meant to store server data.
[QUOTE=Anderen2;46096084]The log he is posting a snip from is most probably /var/log/apache2/access.log
Also, to patch it just run "sudo apt-get update && sudo apt-get upgrade", the patch is in the repos.[/QUOTE]
Shouldn't that have been dist-upgrade instead? Upgrade always wants to remove my kernel without installing a new one..
[QUOTE=SPESSMEHREN;46074066]Well that was quick. Just found this in my VPS's apache access log:
89.207.135.125 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 506 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
Appeared to target a cPanel CGI plugin that allows for remote code execution.
[editline]25th September 2014[/editline]
209.126.230.72 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" 200 381 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"[/QUOTE]
Maybe I'm missing something but... [I]why would stuff like this hit the shell in the first place?[/I]
If you have to run stuff against the command line interpreter it's usually a really dirty hack as far as I'm concerned.
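Added example, not part of the original thread: a scan of an Apache combined-format access log for the `() {` function-definition prefix seen in the log lines quoted above, reporting which request field carried it. The sample lines are constructed (documentation IP addresses, made-up scanner name), and the function and field names are this example's own.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Both spellings in the thread ("() { :;};" and "() { :; };") start with "() {".
# CGI passes request headers to the handler as environment variables, which is
# how a header value like this can reach bash at all.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')

# Constructed sample input modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:03:46:42 -0500] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" '
    '404 506 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.11 - - [25/Sep/2014:00:51:48 -0500] "GET / HTTP/1.0" '
    '200 381 "() { :; }; ping -c 11 198.51.100.8" "example-scanner"',
    '192.0.2.12 - - [25/Sep/2014:04:00:00 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def find_shellshock_probes(lines):
    """Return one dict per log field that contains the '() {' prefix."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        m = COMBINED.match(line)
        if m is None:
            # Custom or truncated log format: still flag the raw line.
            if FUNC_PREFIX.search(line):
                hits.append({"line": lineno, "host": None, "status": None,
                             "field": "raw", "value": line})
            continue
        for field in ("request", "referer", "agent"):
            if FUNC_PREFIX.search(m.group(field)):
                hits.append({"line": lineno, "host": m.group("host"),
                             "status": int(m.group("status")),
                             "field": field, "value": m.group(field)})
    return hits

if __name__ == "__main__":
    # A hit records an attempt; the status code alone does not show whether
    # anything was executed, so check the bash version on the host as well.
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(f'{hit["line"]}: {hit["host"]} status={hit["status"]} {hit["field"]}={hit["value"]!r}')
```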
[QUOTE=UserNotFound;46101227]Great, did the apt-get update and apt-get upgrade stuff, and my site stopped working. The commands were telling me at least 25 packages failed to update for whatever reason and I didn't know how to fix that.
Plus, it was telling me a server restart was required when I logged into PuTTY. So I rebooted my VPS and now it seems to be taking forever to load back up.
Aaaand it's failed to come back up, and technicians have apparently been alerted to the issue. Wonderful.
[editline]edit[/editline]
Technician restarted, the site still doesn't work and best of all, my entire /home/ directory has been wiped. I had 4 TF2 servers, a Fistful of Frags server and a Minecraft server hosted in the /home/ directory and now that's all gone.[/QUOTE]
I was going to reply to your post a while back but didn't get around to it.. sorry. I was going to warn you that would happen if your VPS is OpenVZ. The only real way to upgrade Ubuntu from one version to another on OpenVZ is to back up your data and reinstall fresh.
[QUOTE=reeferdk;46103220]Shouldn't that have been dist-upgrade instead? Upgrade always wants to remove my kernel without installing a new one..[/QUOTE]
dist-upgrade causes the same problem on OpenVZ
[QUOTE=Flapadar;46104163]
dist-upgrade causes the same problem on OpenVZ[/QUOTE]
Isn't this because OpenVZ is only a container and has to rely on the Host's Kernel?
[QUOTE=kaukassus;46104261]Isn't this because OpenVZ is only a container and has to rely on the Host's Kernel?[/QUOTE]
I can't remember specifics - but I'd imagine that's a large factor. We've seen a large number of clients attempt dist-upgrade and the only thing possible was to grab files + reinstall
[QUOTE=Tamschi;46103960]Maybe I'm missing something but... [I]why would stuff like this hit the shell in the first place?[/I]
If you have to run stuff against the command line interpreter it's usually a really dirty hack as far as I'm concerned.[/QUOTE]
Unix.
[QUOTE=UserNotFound;46101227]Great, did the apt-get update and apt-get upgrade stuff, and my site stopped working. The commands were telling me at least 25 packages failed to update for whatever reason and I didn't know how to fix that.
Plus, it was telling me a server restart was required when I logged into PuTTY. So I rebooted my VPS and now it seems to be taking forever to load back up.
Aaaand it's failed to come back up, and technicians have apparently been alerted to the issue. Wonderful.
[editline]edit[/editline]
Technician restarted, the site still doesn't work and best of all, my entire /home/ directory has been wiped. I had 4 TF2 servers, a Fistful of Frags server and a Minecraft server hosted in the /home/ directory and now that's all gone.[/QUOTE]
How the hell is that even possible? Your entire server broke due to an upgrade? Something must be really weirdly set up there then. apt-get upgrade is equal to doing a Windows update. /home is not even touched, as it only contains user data.
[QUOTE=reeferdk;46103220]Shouldn't that have been dist-upgrade instead? Upgrade always wants to remove my kernel without installing a new one..[/QUOTE]
[QUOTE=Anderen2 (Before edit)]No, upgrade is "upgrade all my packages with the latest available for this release". dist-upgrade is "upgrade my distro release to the latest (Aka. Ubuntu xx.xx > 14.04)".[/QUOTE]
Actually I'm wrong, dist-upgrade is the same as upgrade except it also handles dependency/library changes. upgrade only upgrades currently installed packages if possible without removing or installing anything else. dist-upgrade on the other hand will also resolve dependencies, e.g. if a new version of libXXX needs libYYY to work, but libYYY is not installed. Or if libXXX is in conflict with libYYY. In these cases upgrade will refuse to upgrade that exact package (to ensure no system install changes), while dist-upgrade will install or remove additional packages as it sees fit.
Upgrade upgrades everything, even the kernel. It should not remove anything other than old libraries not needed anymore if you run autoremove. It does not even remove the old kernel, it gets kept under Advanced options in grub.
[editline]29th September 2014[/editline]
[QUOTE=Flapadar;46104297]I can't remember specifics - but I'd imagine that's a large factor. We've seen a large number of clients attempt dist-upgrade and the only thing possible was to grab files + reinstall[/QUOTE]
Now I'm not that familiar with OpenVZ and how it works, but I've always used upgrade on my VPS under OpenVZ, most recently today when upgrading to a new Debian release. It has never created any issues.
Also, even if it will not boot, you can always mount the server image, chroot into it and remove whatever offending package is making it unable to boot.
I believe some VPS hosts have their own mirrors of distro repositories that ignore kernel updates, for this very reason. Yours may be one of them.
[editline]29th September 2014[/editline]
I've never heard of OpenVZ incompatibility causing a mount point (let alone directory) to go missing though.
[QUOTE=DrTaxi;46106266]I believe some VPS hosts have their own mirrors of distro repositories that ignore kernel updates, for this very reason. Yours may be one of them.
[/QUOTE]
Does not seem so:
[code]anderen2@nikkreasVPS:/etc/apt$ ll /proc/vz/veinfo
-r-------- 1 root root 0 Sep 29 19:58 /proc/vz/veinfo
anderen2@nikkreasVPS:/etc/apt$ cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian wheezy main contrib non-free
deb http://security.debian.org wheezy/updates main contrib non-free[/code]
[url=http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027]Aaaaand there's another one[/url].
[editline]29th September 2014[/editline]
dayssincelastshellshockpatch dot com
[QUOTE=DrTaxi;46106266]I believe some VPS hosts have their own mirrors of distro repositories that ignore kernel updates, for this very reason. Yours may be one of them.
[editline]29th September 2014[/editline]
I've never heard of OpenVZ incompatibility causing a mount point (let alone directory) to go missing though.[/QUOTE]
It shouldn't ever have caused data loss or a problem with mount points - the sole issues are boot problems and process problems (a common one I can think of is a client dist-upgrading Ubuntu to 14.04, while it was able to boot it caused an update to rsyslog which attempts to (and fails to) log kernel messages utilising all available CPU until you comment out a line in the config)
[QUOTE=Anderen2;46105517]How the hell is that even possible? Your entire server broke due to an upgrade? Something must be really weirdly set up there then. apt-get upgrade is equal to doing a Windows update. /home is not even touched, as it only contains user data.[/QUOTE]
Here's the lackluster response I got from OVH tech support:
[quote]Dear Customer,
Could you please give us more details on the issue so we can help you. From the intervention done on your server, it stuck at the boot process, a technician had to press on S to skip the disk detection.
If you believe your hard drive is having any kind of hardware trouble, please run these few tests, and send us the results. Also, if you believe we should change a disk following these tests, please tell us at what time and date it would be preferable for us to proceed. Consider that the intervention can take up to 2 hours. If your drives are configured in a softraid you will need to re-synchronize the raid in order to restore your data onto the new drive, please follow this guide for assistance with this step [url]http://help.ovh.co.uk/RaidSoft[/url].
parted -l (fdisk will not detect GUID partition tables)
smartctl -a /dev/sda
smartctl -a /dev/sdb
cat /proc/mdstat
Regards,
Hien T.
OVH product Advisor[/quote]
So maybe the technician who rebooted my server's skipping of disk detection has caused the disk where my /home/ directory is to not be loaded up.
Thing is, I do want to reinstall Ubuntu 12.04 completely because my [url=http://www.unfgaming.net]website[/url] no longer loads up after I did "apt-get update && apt-get upgrade". As stated earlier, roughly 25 packages failed to be acquired/updated and I googled the error code provided but had no clue how to fix it, so I just rebooted my VPS (big mistake).
If I reinstall Ubuntu 12.04, will that wipe /home/?
[QUOTE=kaukassus;46103033]The /home/ dir is not meant to store server data.[/QUOTE]
Originally when I purchased this Kimsufi VPS from OVH, I had my server set up in /root/, and was running my server as "root". When I offered hosting to two other people, I switched to using /home/ because making new user accounts caused a new directory to be created in /home/ (i.e. "/home/usernotfound", "/home/archangel", "/home/awesomex"), and also started running my server under my user account instead of root.
I did want to get everything set up under "/var/www" so I could set up subdomains (awesomex.unfgaming.net for example) because of the inherent chance of something like this happening...I just never figured out how.
Where should I be running everything?
[QUOTE=UserNotFound;46107827]Originally when I purchased this Kimsufi VPS from OVH[/quote]
There are no VPS under the Kimsufi brand. What you have is a dedicated server, just a very cheap one.
[quote], I had my server set up in /root/, and was running my server as "root". [/quote]
Running [I]anything[/I] as root that doesn't absolutely need to is a terrible idea. It's a huge security risk.
[quote]If I reinstall Ubuntu 12.04, will that wipe /home/?[/quote]
That will wipe everything.
[quote]
I did want to get everything set up under "/var/www" so I could set up subdomains (awesomex.unfgaming.net for example) because of the inherent chance of something like this happening...I just never figured out how.[/quote]
You want to put your game servers in /var/www to give them subdomains? And this to protect your servers from going down/being wiped when your drives fail or you have some OS problem?
What.
[quote]Where should I be running everything?[/QUOTE]
Linux software is usually spread out over various subdirectories (such as /etc for configuration, /usr/lib for library code...), but you can't really do that with game servers. Putting them in a user's home directory is fine.
[QUOTE=DrTaxi;46108102]There are no VPS under the Kimsufi brand. What you have is a dedicated server, just a very cheap one.
Running [I]anything[/I] as root that doesn't absolutely need to is a terrible idea. It's a huge security risk.
That will wipe everything.
You want to put your game servers in /var/www to give them subdomains? And this to protect your servers from going down/being wiped when your drives fail or you have some OS problem?
What.
Linux software is usually spread out over various subdirectories (such as /etc for configuration, /usr/lib for library code...), but you can't really do that with game servers. Putting them in a user's home directory is fine.[/QUOTE]
Ignore my prior message, as in a huge fucking fluke, I somehow managed to remount the /home/ directory and regained access to everything I thought was lost.
[code]mount --options remount,rw /
mount --all[/code]
God bless those two commands. Backing everything up, reinstalling Ubuntu 12.04 fresh to fix my site not loading up. All is good!
...I hope you got a backup this time.
[QUOTE=DrTaxi;46108155]...I hope you got a backup this time.[/QUOTE]
S'what I'm doing right now. Backing up EVERYTHING, then reinstalling Ubuntu 12.04 (which should make my site load up again). This however means I may still be vulnerable to the Bash exploit, and since OVH tech support likes to reply to messages with horrible generated messages, getting them to fix everything for me is looking to be a pain in the ass.
Also yeah, I get VPS and Dedicated Server confused sometimes :v: And yeah, tis cheap. $40/month. I don't need to rely on monetary donations to get by which is nice.
[QUOTE=Anderen2;46105517]How the hell is that even possible? Your entire server broke due to an upgrade? Something must be really weirdly set up there then. apt-get upgrade is equal to doing a Windows update. /home is not even touched, as it only contains user data.
[/QUOTE]
Actually, an apt-get upgrade broke my old netbook, it was the last time I touched Linux and then every time since I've stared at my desktop and I'm more afraid of breaking it with Linux than I am with Windows.
[QUOTE=UserNotFound;46109256]S'what I'm doing right now. Backing up EVERYTHING, then reinstalling Ubuntu 12.04 (which should make my site load up again). This however means I may still be vulnerable to the Bash exploit, and since OVH tech support likes to reply to messages with horrible generated messages, getting them to fix everything for me is looking to be a pain in the ass.
Also yeah, I get VPS and Dedicated Server confused sometimes :v: And yeah, tis cheap. $40/month. I don't need to rely on monetary donations to get by which is nice.[/QUOTE]
Why not Ubuntu 14.04? It is the new LTS release. If you want to use 12.04 that's no problem as it is supported until 2018, but it's mostly for companies which cannot upgrade, not new installations.
Also, you can just "apt-get upgrade bash" if you do not want to upgrade the rest of your system, but if you never upgrade anything you will probably have many exploits which in combination could be much much worse than the bash one.
I still find it strange that your system broke due to a system upgrade though, are you running OpenVZ as people have been talking about? If so, even though I don't have that issue, it might be okay to blacklist the kernel from upgrades.