Mean Servers urges all dedicated server and virtual private server customers to run a system update immediately. A critical bash vulnerability has been found that affects ALL LINUX BOXES. At this time, all customers with managed services, both on-network and off-network, have had their systems patched. This is an additional patch to the one that was issued last week; it fixes additional vulnerabilities the first patch did not. It is highly recommended that you apply this patch immediately, and if you did not apply the previous patch, it is critical that you apply this one.

If you have an unmanaged dedicated server or virtual private server you must perform this security update yourself or contact Mean Servers for a one-time security lockdown fee or to upgrade to a managed plan.

To perform the upgrade yourself, please log in to your machine as root and run the following:

RedHat/CentOS/RHEL based distros:

yum update

Debian/Debian based distros:

apt-get update && apt-get upgrade

Then follow the on-screen prompts to complete the upgrade process. Depending on when your system was last updated, you may have additional upgrades waiting as well.
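Because the first round of bash fixes was incomplete, a practitioner will want to confirm the result after updating. The following POSIX shell script is an added self-check, not part of the Mean Servers notice: it runs the publicly documented local tests for the original function-import bug (CVE-2014-6271) and the follow-up CVE-2014-7169, and reports the installed bash version. It assumes `bash` and `mktemp` are on the PATH.

```shell
#!/bin/sh
# Self-check for the bash function-import bug (CVE-2014-6271).
# A vulnerable bash evaluates the trailing command in the environment
# variable when it starts; a patched one ignores it.
shellshock_6271() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Self-check for CVE-2014-7169, the gap left by the first patch: a crafted
# function definition makes an unpatched bash write a file named "echo"
# in the current directory. Run inside a scratch directory so the check
# leaves nothing behind on the host.
shellshock_7169() {
    command -v bash >/dev/null 2>&1 || { echo "bash not found"; return; }
    d=$(mktemp -d) || { echo "mktemp failed"; return; }
    ( cd "$d" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 )
    if [ -f "$d/echo" ]; then status=vulnerable; else status=patched; fi
    rm -rf "$d"
    echo "$status"
}

# Print the bash version next to both results so the report can be
# compared against the distribution's advisory.
shellshock_report() {
    printf 'bash version:   %s\n' "$(bash -c 'echo "$BASH_VERSION"' 2>/dev/null)"
    printf 'CVE-2014-6271:  %s\n' "$(shellshock_6271)"
    printf 'CVE-2014-7169:  %s\n' "$(shellshock_7169)"
}

shellshock_report
```

Either test reporting "vulnerable" means the update did not take effect (for example, a second bash binary or a cached package list), and the update steps above should be repeated.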

Mean Servers recommends keeping your system updated on a regular basis; this ensures that exploits that are found are closed and that your system is optimized so you can utilize your machine to its fullest.
Mean Servers offers different levels of managed services as well starting at just $29/mo to give you peace of mind and help keep your data, users, and customers safe. Contact our sales team today to inquire about our managed services.



From:
http://www.csoonline.com/article/2688716/vulnerabilities/attacks-against-shellshock-continue-as-updated-patches-hit-the-web.html

From Thursday on, several security firms reported a drastic uptick in the number of attacks that leverage the recently disclosed vulnerability in GNU Bash (CVE-2014-6271), widely known as Shellshock.

On Friday, AlienVault Labs reported that the flaw was being used by two attackers to install two different pieces of malware on the victim system. One of the malicious payloads joins the victim's system to a botnet, which, based on the traffic in the IRC channel, is likely run by a group out of Romania. The other payload fingerprints the victim's system and opens a backdoor, enabling remote access.

Security firm Incapsula reported that they've observed more than 17,000 attacks (an average of 725 attacks per hour) since Shellshock was disclosed on Wednesday.

In a blog post, the company says that more than 1,800 domains have been targeted, and the origin of these attacks are scattered between 400 IP addresses. A majority of the attacking IP addresses are assigned to systems in China and the U.S.

"What we are seeing here are hackers using existing botnets to create new ones: running automated scripts from compromised servers to add more hijacked machines to their flock. During the last 24 hours we saw several botnet shepherds using repurposed DDoS bots in an attempt to exploit the Shellshock vulnerability to gain server access," Incapsula's post explained.

Researchers at Trend Micro have documented several attacks since Friday, including the botnet attack discovered by AlienVault and Incapsula. Later in the day, they also detected a DDoS attack from servers that appear to have been compromised by Shellshock (based on the code running on them). Furthermore, Trend also disclosed that several official institutions in Brazil were being targeted by scanners that were looking for Shellshock-related openings.

"It does not seem to have any real payload or to be doing any real damage, however, only taking what appears to be information about the systems it’s trying to infiltrate – but in the world of cybercrime and cyber attacks, that may change soon enough. We believe that the information-gathering could be a sign of preparation for a bigger, much more damaging attack," Trend said of the scans in Brazil.

On Saturday, FireEye released details on several proof-of-concept scripts related to Shellshock, which in theory would allow an attacker to perform a number of tasks including click fraud, establishing a reverse shell (with or without Perl), email reconnaissance, capturing the system's /etc/passwd (password) file, botnet creation (several variants), and UDP floods.

"We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise," FireEye wrote.

When the Shellshock vulnerability was disclosed on Wednesday, nearly all of the Linux/UNIX distributions released fixes that would correct the problem. However, researchers quickly determined that they were incomplete, leaving patched systems exposed to variations on the original attack vector.

This led to the publication of four additional CVE advisories (CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277), but administrators and system operators are encouraged to update GNU Bash with all of the latest fixes and to apply additional patches as they are released. So far, there have been three updates to GNU Bash since the problem was publicly disclosed.

Finally, Apple addressed Shellshock in a statement this weekend, noting that a "vast majority" of OS X users were not at risk because OS X systems were "safe by default and not exposed to remote exploits of [GNU Bash] unless users configure advanced UNIX services."

For those with advanced services enabled, Apple is working on an update.



Monday, September 29, 2014