Hackers exploit Shellshock bug, compromise Yahoo, WinZip servers

A group of hackers has successfully leveraged the recently discovered Bash Shellshock vulnerability to compromise a number of servers belonging to Yahoo, Lycos and Winzip, and are using them to probe for other potential victims.

The claim has been made by Jonathan Hall, a self-confessed former black hat hacker who is now an engineer, security researcher and consultant.

Since the revelation of the existence of the bug, he has been researching the possibilities of its exploitation but, after a while, he was also curious to see who is trying to exploit it in the wild.

“I noticed in my logs that a box was probing me in search of common scripts in my cgi-bin directory that people around the web have discussed are ‘vulnerable to the shellshock vulnerability’,” he noted. “The box that was probing me was actually a server on the winzip.com domain.”

The server was obviously compromised, and further investigation revealed a perl script in its cgi-bin directory and an IRC DDoS bot running on it. According to him, the attackers didn’t use its DDoS capabilities, but were more interested in shell access.

“I killed the perl script off and notified both WinZip and the local FBI office of the compromise,” he says, and notes that the compromised server “was one of their ‘store’ boxes, which serves as a payment gateway for WinZip purchases.”

By monitoring the IRC channel to which the bots on the servers compromised and equipped with the same perl script are forced to check in to, he discovered that the attackers have also compromised servers belonging to Lycos and Yahoo.

The attackers comment in Romanian, and have apparently totally “pwned” two Yahoo servers through which they are trying to gain access to the rest of the company’s network.

Hall says that they are working towards compromising the Yahoo! Games servers, and posits that it is because they are visited by millions of users each day – users who have Java installed on their computers in order to be able to play – and whose vulnerable Java installations can be easily exploited.

Hall alerted all the companies and the FBI about the things he discovered. The FBI has promised to look into it.

Of the three companies, he heard back only from Yahoo – a member of the company’s threat response team confirmed that they found the evidence of compromise he described on the servers in question.