Romanian hackers try to Shellshock Yahoo servers


Does not qualify for Bug Bounty awards.

Yahoo's network was compromised overnight by attackers attempting to exploit the Bash command line interpreter flaw, dubbed Shellshock, with some of the company's servers impacted and isolated.

A Yahoo spokesperson confirmed in a statement to SecurityWeek that the company had "no evidence of a compromise to our user data".

Jonathan Hall, head of New Orleans-based IT services company Future South, said that while researching whether Shellshock was being actively exploited, he discovered that Romanian hackers had used the vulnerability to gain access to Yahoo servers.

After the servers had been compromised, the Romanian hackers proceeded to build a botnet, Hall said. 

He added that the attackers were working towards exploiting Yahoo's games servers.

Hall posted what he said are transcripts from Internet Relay Chat (IRC) log files, showing hackers having full root access to privileged parts of the systems and installing Perl scripts on the servers.

He also believed the hackers had infiltrated another search engine, Lycos, and the site of file archiving utility developer WinZip.

Hall said he contacted Yahoo and its chief executive Marissa Mayer about the hack but received no response initially.

"It was not until I contacted several media outlets and the FBI that they responded. Once they responded, they did confirm the servers were breached," Hall wrote.

Yahoo told Hall it had "found the tracks mentioned in your email and are working through our IR process."

Yahoo's security response team also suggested he file reports through Yahoo's Bug Bounty program, even though the issue he alerted on doesn't qualify for awards under it.

iTnews has contacted Yahoo's security department for comment on the issue.

Update 8/10: Yahoo chief information security officer Alex Stamos confirmed on Hacker News that the servers in question, along with a third machine, were impacted by a security flaw.

While Stamos said an investigation showed the servers were not directly affected by the Shellshock vulnerability, attackers managed to trigger another bug while scanning for the Bash command line interpreter flaw.

"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing intrusion detection and prevention systems or web application firewall filters," he said.

"This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs," Stamos said.

"Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!"

Stamos said the servers had been patched twice for Shellshock before Hall's report, and they did not store any user data.
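Stamos's account describes a log-parsing script with a command injection bug that a mutated Shellshock probe happened to fit. The following is an added example, not Yahoo's code or the script he refers to: a log parser that keeps every field as data, flags probe-shaped headers even when scanners vary the whitespace, and shows how a field should be handed to an external tool. The log lines, client addresses, paths and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed lines in Apache "combined" format; not taken from the article.
# The third request's User-Agent starts with the "() {" function-definition
# prefix that Shellshock probes rely on, followed by a harmless constructed marker.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Oct/2014:02:11:09 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Oct/2014:02:11:10 +0000] "GET /api/scores HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [06/Oct/2014:02:12:44 +0000] "GET /api/stats HTTP/1.1" 404 0 "-" "(){ :;}; CONSTRUCTED_MARKER"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The "() {" prefix is mandatory for the Bash bug to fire, so tolerate the
# whitespace variations that scanners use to slip past exact-match signatures.
SHELLSHOCK_PREFIX = re.compile(r"\(\s*\)\s*\{")


def parse_combined(line):
    """Parse one combined-format line into a dict; None for a malformed line."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(header_value):
    """True if a header value looks like a Bash function-definition payload."""
    return SHELLSHOCK_PREFIX.search(header_value) is not None


def summarize(log_text):
    """Count status codes per client and flag clients sending probe-shaped headers.
    Every field stays a Python string; nothing is ever joined into a shell command."""
    per_client = Counter()
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue  # skip malformed lines instead of guessing at them
        per_client[(rec["ip"], rec["status"])] += 1
        if is_shellshock_probe(rec["ua"]):
            flagged.add(rec["ip"])
    return per_client, sorted(flagged)


def safe_grep_argv(header_value, path):
    """If a log field must reach an external tool, pass it as one argv element
    (no shell, fixed-string match, '--' ends option parsing) rather than
    interpolating it into a command string the shell will re-parse."""
    return ["grep", "-F", "--", header_value, path]
```

Run `summarize(SAMPLE_LOG)` to see the flagged client; the argv from `safe_grep_argv` is what to give `subprocess.run`, which never hands it to a shell.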
