 Post subject: After Heartbleed... comes Shellshock
PostPosted: 29 Sep 2014, 16:33 
Site Admin
SSL bleeding information was already a bad thing:

http://en.wikipedia.org/wiki/Heartbleed

... but casual/trivial ways of taking partial control of a remote server are borderline evil.

http://en.wikipedia.org/wiki/Shellshock_(software_bug)

The first Shellshock probe came at 2014-09-24 23:18:09 UTC, within mere hours of the security issue announcement.
The first serious attack came at 2014-09-25 16:23:56 UTC. I suppose this is the time it took for Skynet to become self-aware ;)

Luckily, since I'm living in Singapore and waking up earlier than most of the planet, I patched bash (twice) on time before the attacks started:

Quote:
2014-09-24 17:32:56 UTC
bash:amd64 (4.2+dfsg-0.1, 4.2+dfsg-0.1+deb7u1)
2014-09-27 02:52:36 UTC
bash:amd64 (4.2+dfsg-0.1+deb7u1, 4.2+dfsg-0.1+deb7u3)


So far about 120 crafted requests arrived, of which two-thirds were real attacks (the others were probes by security firms or online testing tools).

We're fine so far but I will keep monitoring the situation in the coming days.

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
 Post subject: Re: After Heartbleed... comes Shellshock
PostPosted: 29 Sep 2014, 17:05 
Site Admin
To anticipate any further attack vector using similar loopholes, I put in place a rather strict blacklist policy that will block any IP trying something similar to a Shellshock attack for 1 month.

Don't try to test the site for the vulnerability or you will have to wait for a while before you can check your private mailbox again!

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
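The two posts above describe the defender's side of Shellshock: recognising the crafted requests in the web server log, and then blocking the source IP for a month. As an added example (not the forum's own code, and not the actual policy Julien put in place), here is a small log scanner that does both. It assumes Apache "combined" log format, matches the bash function-definition prefix "() {" that every Shellshock probe has to carry in some request field, and keeps an expiring blocklist. The log lines are constructed, not real traffic.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock probe carries a bash function definition, "() {", in a request
# field (User-Agent, Referer, query string ...) that a CGI handler would export
# as an environment variable. The prefix is the stable part to match on; the
# command that follows it differs from probe to probe.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

BAN_DURATION = timedelta(days=30)  # "1 month", as in the post above


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_shellshock_probe(entry):
    """True if any client-controlled field contains a bash function definition."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "agent"))


class Blocklist:
    """Temporary IP blocklist: an IP is banned from the time of its probe for BAN_DURATION."""

    def __init__(self, duration=BAN_DURATION):
        self.duration = duration
        self.expiry = {}  # ip -> datetime at which the ban lapses

    def process(self, line):
        """Feed one log line; return the IP if it was (re)banned, else None."""
        entry = parse_line(line)
        if entry is None or not is_shellshock_probe(entry):
            return None
        self.expiry[entry["ip"]] = entry["ts"] + self.duration
        return entry["ip"]

    def is_blocked(self, ip, now):
        until = self.expiry.get(ip)
        return until is not None and now < until


# Constructed sample lines (not real traffic): one legitimate request, one probe
# in the User-Agent header, one in the Referer header.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Sep/2014:23:10:00 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [24/Sep/2014:23:18:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 312 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [25/Sep/2014:16:23:56 +0000] "GET / HTTP/1.1" 200 4821 "() { :; }; echo probe" "curl/7.30"',
]


def run_sample():
    """Feed the sample lines and report which IPs are blocked at a few instants."""
    bl = Blocklist()
    banned = [ip for ip in (bl.process(line) for line in SAMPLE_LOG) if ip]
    one_day_later = datetime.strptime("25/Sep/2014:23:18:09 +0000", "%d/%b/%Y:%H:%M:%S %z")
    two_months_later = one_day_later + timedelta(days=60)
    return {
        "banned": banned,
        "legit_blocked": bl.is_blocked("198.51.100.7", one_day_later),
        "probe_blocked_next_day": bl.is_blocked("203.0.113.5", one_day_later),
        "probe_blocked_after_expiry": bl.is_blocked("203.0.113.5", two_months_later),
    }


if __name__ == "__main__":
    print(run_sample())
```

The ban is keyed on the request content rather than on the response status, which matters for the discussion later in this thread: a legitimate visitor who merely requests a missing file never matches, so only a client that actually sends the bash function prefix ends up on the list.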
 Post subject: Re: After Heartbleed... comes Shellshock
PostPosted: 29 Sep 2014, 19:57 
Absolute fan
Thank you for your vigilance Julien, standing ready to swat these attacks aside .
It is most fortunate that you are at the helm.

Carry on sir !

James
_________________
Acta Non Verba .....
Si Vis Pacem Para Bellum ....
Si Gorgiamus Allos Subjectatos Nunc ......
 Post subject: Re: After Heartbleed... comes Shellshock
PostPosted: 09 Oct 2014, 19:31 
True fan
admin wrote:
To anticipate any further attack vector using similar loopholes, I put in place a rather strict blacklist policy that will block any IP trying something similar to a Shellshock attack for 1 month.
This reminds me: did you ever resolve the following? http://forum.lddb.com/viewtopic.php?p=48122#p48122

One troll can easily use something like that to ban a large number of legitimate forum users.
_________________
Fill my eyes with that DiscoVision!
 Post subject: Re: After Heartbleed... comes Shellshock  Topic is solved
PostPosted: 10 Oct 2014, 03:06 
Site Admin
acuozzo wrote:
This reminds me: did you ever resolve the following? http://forum.lddb.com/viewtopic.php?p=48122#p48122

One troll can easily use something like that to ban a large number of legitimate forum users.


If you click on anything, someone might indeed make you generate clicks that would make you unable to access the website.

But I'm quite sure such unusual activity would be quickly identified by our discerning forum members! :thumbup:

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
 Post subject: Re: After Heartbleed... comes Shellshock
PostPosted: 10 Oct 2014, 06:06 
True fan
admin wrote:
If you click on anything, someone might indeed make you generate clicks that would make you unable to access the website.
Sure, but in this case the user's WWW browser attempts to fetch the non-existent images when the thread loads, so it might be worthwhile to inject something to deal with it into phpBB's BBCode parser. All you'd need to do is swap in something like http://forum.lddb.com/images/smilies/icon_e_wink.gif in place of links to images on LDDb that don't exist, such as http://www.lddb.com/this_image_is_bogus.png.

I'm also pretty sure it can be made to handle the case of, e.g., putting http://www.lddb.com/this_image_is_bogus.png behind a URL shortener, but you'd have to actually fetch the image for this to work.
_________________
Fill my eyes with that DiscoVision!
 Post subject: Re: After Heartbleed... comes Shellshock
PostPosted: 10 Oct 2014, 12:17 
Site Admin
acuozzo wrote:
I'm also pretty sure it can be made to handle the case of, e.g., putting http://www.lddb.com/this_image_is_bogus.png behind a URL shortener, but you'd have to actually fetch the image for this to work.


I wish it could be that easy, but some external services' requests expect some files to be missing... on purpose (pre-calculated Apple icons for iOS, for example).

Julien
_________________
HARDWARE DATABASE
HLD-X0/9 LD-S9 OPPO 105/205 SL-1200G
LDD-1 MSC-4000 R2144 PONTUS II C45 MC257
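The exchange between acuozzo and Julien above is about a second-order risk of any automatic ban: a post containing [img] links to files that do not exist makes every reader's browser request them, so if missing files count against a visitor, a troll can get readers banned. As an added example (not phpBB code, and not what LDDb runs), here is a sketch of the BBCode-side fix acuozzo proposes: at post time, site-local image links whose target does not exist are swapped for the placeholder he names. The site hostnames are assumed, the `exists` callback is hypothetical (a real deployment would check the forum's file store), and the sample post is constructed. External URLs are deliberately left alone, which is the limit Julien points out: deciding whether a shortener resolves to a missing local file would require fetching it.

```python
import re
from urllib.parse import urlparse

# Hosts whose image paths can be checked locally (assumption: the forum's own hosts).
SITE_HOSTS = {"www.lddb.com", "forum.lddb.com"}

# Replacement named in the post above for images that do not exist.
PLACEHOLDER = "http://forum.lddb.com/images/smilies/icon_e_wink.gif"

# phpBB-style [img]...[/img] tags; the URL cannot contain square brackets.
IMG_RE = re.compile(r"\[img\](?P<url>[^\[\]]+)\[/img\]", re.IGNORECASE)


def rewrite_img_tags(text, exists):
    """Replace [img] links to missing site-local files with PLACEHOLDER.

    `exists(path)` is a caller-supplied check (hypothetical) for whether the
    site serves that path. Returns the rewritten text and the list of URLs
    that were replaced. External URLs are left untouched: resolving them
    would require an outbound fetch, which the thread above rules out.
    """
    replaced = []

    def repl(m):
        url = m.group("url").strip()
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or parsed.hostname not in SITE_HOSTS:
            return m.group(0)  # not ours to check
        if exists(parsed.path):
            return m.group(0)  # real image, keep it
        replaced.append(url)
        return f"[img]{PLACEHOLDER}[/img]"

    return IMG_RE.sub(repl, text), replaced


# Constructed stand-in for the forum's file store.
EXISTING_PATHS = {"/images/smilies/icon_e_wink.gif", "/covers/12345.jpg"}


def sample_exists(path):
    return path in EXISTING_PATHS


# Constructed sample post: one real cover image, one bogus local image
# (the example URL from the thread), one external link we cannot judge.
SAMPLE_POST = (
    "Look at this cover: [img]http://www.lddb.com/covers/12345.jpg[/img]\n"
    "and this one [img]http://www.lddb.com/this_image_is_bogus.png[/img]\n"
    "plus [img]http://example.org/short/abc[/img]"
)


def run_sample():
    return rewrite_img_tags(SAMPLE_POST, sample_exists)


if __name__ == "__main__":
    text, replaced = run_sample()
    print(text)
    print("replaced:", replaced)
```

Because the check runs inside the BBCode parser, it only ever sees URLs that forum members post; requests that external services make for files absent by design (the Apple touch icons Julien mentions) never pass through it, so they are neither rewritten nor affected. The remaining gap is exactly the one the two posters agree on: an external link that redirects to a missing local file still reaches the web server as a 404, so the ban logic itself must not treat 404s from ordinary readers as hostile.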