A major vulnerability has been found in the Bourne Again Shell (BASH), which is installed on most UNIX-like systems, and it can be used to execute arbitrary code on vulnerable servers.
The vulnerability has been named “Shellshock” and has been compared to Heartbleed in terms of seriousness.
We strongly advise everyone who administers or uses a Linux, UNIX or OS X system to update to the latest patched version of BASH, and to re-test after updating, since the first Shellshock patch did not fully close the hole and follow-up fixes were issued.
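A quick local check for the original Shellshock bug (CVE-2014-6271), as an added example that is not code from the original post: bash imports exported environment variables whose value begins with "() {" as function definitions, and unpatched versions kept executing whatever commands followed the function body. The probe plants such a variable and starts a bash that only echoes a marker; if the trailing "echo VULNERABLE" fires, that bash is vulnerable. The variable name x and the marker text are arbitrary choices.

```python
import shutil
import subprocess


def shellshock_status() -> str:
    """Probe the local bash for the original Shellshock bug.

    Exported environment variables whose value starts with "() {" are imported by
    bash as function definitions. Unpatched versions kept parsing past the closing
    brace and executed whatever followed, so the trailing "echo VULNERABLE" below
    runs while bash is merely starting up, before "echo probe" is ever reached.
    Returns "vulnerable", "patched", or "no-bash".
    """
    if shutil.which("bash") is None:
        return "no-bash"
    env = {
        "PATH": "/usr/bin:/bin",
        # The function body itself is harmless (":"); the dangerous part is the
        # command that follows the closing brace.
        "x": "() { :;}; echo VULNERABLE",
    }
    result = subprocess.run(
        ["bash", "-c", "echo probe"],
        env=env,
        capture_output=True,
        text=True,
        check=False,
    )
    # A patched bash ignores the bogus definition (it may warn on stderr) and
    # only "probe" appears on stdout.
    return "vulnerable" if "VULNERABLE" in result.stdout else "patched"


if __name__ == "__main__":
    print(shellshock_status())
```

Run it on every host you administer, including ones you only reach through a web server: the same trick works remotely wherever attacker-controlled input is copied into the environment of a process that invokes bash.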
A severe vulnerability has been found in the OpenSSL library, which is widely used on UNIX-based web servers to implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS), the protocols that underpin encrypted web browsing. Every time you access a URL with the “https://” prefix, you are using SSL or TLS.
OpenSSL 1.0.1 through 1.0.1f are affected (the heartbeat code containing the bug was added in December 2011 and first shipped in 1.0.1, released in March 2012); the fix is in 1.0.1g. The older 0.9.8 and 1.0.0 branches do not contain the heartbeat code and are not affected.
The vulnerability allows an attacker to read up to 64 kB of the server process's memory per request, and the request can be repeated as often as the attacker likes. This can expose privileged information, including the secret keys that underpin the encryption. The attack is especially dangerous because it leaves no trace in system logs.
The vulnerability has been nicknamed “Heartbleed” because the bug is in OpenSSL's implementation of the TLS heartbeat extension. The following popular Linux/BSD distributions are known to have shipped affected versions:
Debian Wheezy, Ubuntu 12.04.4, Centos 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2
Do not rely on the distribution name alone: run `openssl version` and check the installed package version. If you are running one of these or a derivative, update OpenSSL immediately to 1.0.1g or to your distribution's patched package (distributions often backport the fix without changing the upstream version number, so read the package changelog), which is easily done with standard package management tools such as yum and apt-get. Then restart every service that links against OpenSSL, not just the web server (mail, VPN and IMAP daemons are common ones), because a running process keeps the old library loaded until it restarts. If your private keys may have been exposed, generate new keys and reissue your certificates, since patching alone does not protect keys that were already read.
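Why a heartbeat can leak 64 kB, shown as an added example in Python that is not code from the original post or from OpenSSL itself: a heartbeat message carries a 16-bit payload-length field, and OpenSSL before 1.0.1g trusted that field when copying the payload into the response instead of checking it against how many bytes actually arrived. The model below builds a request that claims a longer payload than it carries, then feeds it to a "vulnerable" and a "fixed" handler; the heap contents and the secret next to the record are constructed sample data.

```python
import struct
from typing import Optional

# RFC 6520 heartbeat message: type (1 byte) | payload_length (2 bytes) | payload | padding
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # padding OpenSSL appends to a heartbeat response
HEADER_LEN = 1 + 2        # type byte plus 16-bit length; 16 bits is where "64 kB" comes from


def build_heartbeat_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request. claimed_len lets the caller lie about the
    payload length, which is exactly what a Heartbleed probe does."""
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * PADDING_LEN


def process_heartbeat_vulnerable(record: bytes, heap_after_record: bytes) -> bytes:
    """Model of the pre-1.0.1g handler: the payload length in the message is
    trusted and used as the copy length for the response.
    heap_after_record is constructed: whatever happened to sit in memory just past
    the received record (in a real process: keys, cookies, other users' requests)."""
    payload_len = struct.unpack(">H", record[1:3])[0]
    memory = record + heap_after_record
    # In C this is a memcpy of payload_len bytes starting at the payload pointer,
    # which walks off the end of the record into neighbouring heap memory.
    leaked = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len) + leaked + b"\x00" * PADDING_LEN


def process_heartbeat_fixed(record: bytes, heap_after_record: bytes) -> Optional[bytes]:
    """Same handler with the 1.0.1g bounds checks: the claimed payload length must
    fit inside the record that actually arrived, otherwise the message is
    silently discarded (None)."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None
    payload_len = struct.unpack(">H", record[1:3])[0]
    if HEADER_LEN + payload_len + PADDING_LEN > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_len]
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    payload_len = struct.unpack(">H", response[1:3])[0]
    return response[HEADER_LEN:HEADER_LEN + payload_len]


# Constructed sample data: a 5-byte payload that claims to be 40 bytes long, and a
# made-up secret sitting next to the record on the heap.
PROBE = build_heartbeat_request(b"hello", claimed_len=40)
HONEST = build_heartbeat_request(b"hello")
FAKE_HEAP = b"-----BEGIN RSA PRIVATE KEY----- (constructed sample)"

if __name__ == "__main__":
    leaked = response_payload(process_heartbeat_vulnerable(PROBE, FAKE_HEAP))
    print("vulnerable server echoed:", leaked)
    print("fixed server response to the same probe:", process_heartbeat_fixed(PROBE, FAKE_HEAP))
```

With the honest request both handlers return identical responses; with the lying request the vulnerable one echoes "hello", the padding, and then the start of the neighbouring "private key", while the fixed one returns nothing. A real probe simply repeats the lying request and collects whatever comes back.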
To check if your web site or web server has the Heartbleed bug, you can use this online Heartbleed test tool:
For more information:
In recent news, a number of Linux web hosting servers have been infected with a rootkit that compromises the Secure Shell daemon (sshd). User login details are being captured and sent to servers controlled by cyber criminals, who are then reported to log in to the compromised servers with the captured credentials and use them to send spam or to act as botnet nodes.
At the time of writing, the exploit mechanism used to install the rootkit has not been clearly identified. Some web hosts are temporarily disabling remote SSH access as a precaution.
If you are using Linux-based web hosting, your hosting server is likely to be infected if any of the following files exist:
Most infected servers have been running cPanel and CentOS, but there are also reports of infections on servers running DirectAdmin, Plesk and non-RHEL based Linux distributions.
If your hosting server is infected, you should:
- Immediately log out of any SSH sessions
- Change your password using cPanel or any alternative web-based mechanism offered by your service provider; treat every password that was typed over SSH to that server as already captured
- Notify your web host’s support staff
Do not log into your hosting server via SSH until support staff tell you it is safe to do so; a login over a still-compromised sshd simply hands the attackers your new password.
For more information, check out the following:
CloudLinux – SSHD Rootkit
Web Hosting Talk – SSHD Rootkit Rolling around
Details about this incident are incomplete, but it appears that Yahoo!Xtra in New Zealand suffered a security incident as a result of running an old version of WordPress that had not been updated for a long time.
This is another reminder of why you should regularly update your WordPress installation and all of its plugins, since a single outdated component is enough to expose the whole site.
For more information, here are some links:
SmartCompany – Yahoo! hacked in New Zealand through WordPress vulnerability
Seclists – Re: XSS vulnerability in swfupload in WordPress
ThreatPost – Yahoo Mail Breach Linked to Old WordPress Vulnerability