Recently a number of servers that belong to Lycos, Yahoo and WinZip have been compromised by hackers who used the Bash Shellshock vulnerability. The servers have been used to explore other potential victims.
This was claimed by the former black hat hacker Jonathan Hall, who is now working as a security consultant and researcher. After the bug was Shellshock bug existence was revealed to the public, Jonathan Hall has been searching for the bug’s exploitation possibilities, but he was also interested in who stays behind the attack.
He stated that he was under a probe in search for common scripts in his “CGI-bin” directory, and he box that was probing him was a server based on the winzip.com domain. This is how the security researcher found out that the server was compromised. An additional investigation later on revealed a Perl script in the CGI-bin directory and an IRC DDoS bot that was running on it. This means that the attackers were not into its DDoS capabilities; rather they are interested in the shell access.
The former hacker has already notified WinZip and the local office of the FBI that the server is compromised, explaining that one of the store boxes served as a gateway for payments for WinZip purchases.
As Jonathan Hall monitored the IRC channel to which the server bots were compromised, he found out that the cyber criminals have also compromised other servers that were owned by Yahoo and Lycos. The attackers were identified as Romanians, and they had hacked two Yahoo servers and were aiming at gaining access to the company’s entire network. The cyber criminals were especially interested in the Yahoo! Games servers, since they are visited by millions of users that have Java on their computers, and the vulnerable Java installations can be easily exploited.
Until that moment, only Yahoo replied to the warnings sent by the security expert Jonathan Hall. The company confirmed that they know about the evidence of compromise on the servers pointed out by the specialist.