I have some truly old (disk) images going back to around 2003. I've looked through them and found nothing.
Yeah I did. I run a niche site that gets about a thousand hits a day. It has a cgi that uses bash. I've got logs going back to January, and the first (and so far only) attempted exploit is from shellshock-scan yesterday. It came after the first bash patch, which I had applied, and did not succeed.
I'll give props to hackers clever enough to poke holes in a massive beast of a system that enjoys boasting itself as "impenetrable", but these, I'm not too happy about - http://www.pressreader.com/profile/Media_Mentions/shellshock. The potential effects are much too close for comfort.
This looks cool but I can't get it running on Ubuntu 14.04. I just installed sysdig but I don't have the shellshock_detect chisel :/ Is it available yet through apt?
I haven't studied a worm in years, but historically it's been common practice to close the door you came in through upon entry, for exactly this reason.
frankzinger | 11 years ago
Though none of the exploits I have seen thus far look very obfuscatable and therefore probably would've been discovered already.
noonespecial | 11 years ago
What freaks me out though is that these systems were vulnerable. All this time; it was right there. It's like finding out you just drove from LA to NYC with nothing but a single loose lug nut on your left front tire.
LeoPanthera | 11 years ago
PierreDow | 11 years ago
RobotCaleb | 11 years ago
davideschiera | 11 years ago
mikegioia | 11 years ago
gighi | 11 years ago
If you used the official Ubuntu packages, those are a few versions behind upstream (currently at 0.1.87 while we are at 0.1.89): http://packages.ubuntu.com/trusty-backports/sysdig.
What we recommend is uninstalling those ones (sysdig and sysdig-dkms) and just use the binaries that we, Draios, provide, following this: https://github.com/draios/sysdig/wiki/How-to-Install-Sysdig-...
Should be very easy, and sysdig --version should show 0.1.89
kaivi | 11 years ago
Thus, has somebody thought of exploiting and patching the attackers in response?
daveloyall | 11 years ago
Common, but by no means ubiquitous.
nicklaforge | 11 years ago
http://seclists.org/oss-sec/2014/q3/696
http://seclists.org/oss-sec/2014/q3/734
tyleroderkirk | 11 years ago
unknown | 11 years ago
[deleted]
Tepix | 11 years ago
The authors need a visit to http://contrastrebellion.com/
column | 11 years ago
zobzu | 11 years ago
Now sysdig ain't bad per se, but I'd like to see it mainlined or using mainline code.
gighi | 11 years ago
- At this point sysdig is estimated to have tens of thousands of users, and we haven't gotten a kernel bug in a while, with people (us included) regularly using it a lot in production. Of course, I see the irony of mentioning this in a "shellshock" thread
- the dkms packaging should completely hide all the complexities required in maintaining a kernel module
- Part of the kernel code, if you look at the contributors, has been written/reviewed by gregkh, so we like to think the quality is "high enough"
- There might be plans at some point to try and propose a merge of the code to mainline