Oct 01

Concerned about shellshock? You should be!

Heartbleed (CVE-2014-0160) has been given a rating of 10, which is the highest possible rating.

You are affected if you are running just about any Unix or Linux variant (including Apple Mac) or an embedded device that uses bash, and/or a web server with CGI that can call bash.

How do you protect yourself?

1. If possible, disable any remote access to the system from the Internet or from a non-secure internal network.
2. Try to rewrite scripts that use bash so that they use another shell.

There are some FREE Linux automated scanning tools that can help you see if you are vulnerable:
http://www.trendmicro.com/us/security/shellshock-bash-bug-exploit/bash-lite-tools/index.html

Free online scanners:
https://filippo.io/Heartbleed/ 
https://lastpass.com/heartbleed/
https://sslanalyzer.comodoca.com/heartbleed.html
https://pentest-tools.com/vulnerability-scanning/openssl-heartbleed-scanner
https://www.ssllabs.com/ssltest/

The way to test for yourself is:

Vulnerable

# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
vulnerable
bash: BASH_FUNC_x(): line 0: syntax error near unexpected token `)'
bash: BASH_FUNC_x(): line 0: `BASH_FUNC_x() () { :;}; echo vulnerable'
bash: error importing function definition for `BASH_FUNC_x'
test

Safe

[root@XXXXXX ~]# env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `BASH_FUNC_x'
test
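As an added example (not part of the original post), the POSIX shell script below wraps the env test shown above into a check that returns a status code instead of relying on eyeballing the output, and adds two helpers for the second mitigation step: one that lists the scripts under a directory whose shebang line invokes bash, and one that reports whether the sh on PATH is itself bash (on such systems, #!/bin/sh scripts are bash scripts too). The function names, the temporary directory and the sample .cgi files created in demo() are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a status-returning wrapper
# around the env test shown above, plus helpers for finding bash scripts.

# Run the env test against the bash binary named in $1 (default: bash).
# Returns 0 if bash ignores the function definitions (patched),
#         1 if the trailing "echo vulnerable" runs (vulnerable),
#         2 if the binary cannot be found, 3 if the output is unrecognised.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    # Both variable forms from the test above: the plain name and the
    # BASH_FUNC_x() name. stderr is discarded; only stdout is inspected.
    out=$(env 'x=() { :;}; echo vulnerable' \
              'BASH_FUNC_x()=() { :;}; echo vulnerable' \
              "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *test*)       return 0 ;;
        *)            return 3 ;;
    esac
}

# Status 0 if the sh on PATH is bash, 1 otherwise. Scripts that start
# with #!/bin/sh run under bash on such systems and need migrating too.
sh_is_bash() {
    v=$(sh -c 'printf "%s" "${BASH_VERSION:-}"' 2>/dev/null)
    [ -n "$v" ]
}

# Print the regular files under $1 whose first line is a bash shebang,
# e.g. #!/bin/bash or #!/usr/bin/env bash.
find_bash_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null)
        case "$first" in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Demo on a constructed directory of CGI scripts (sample files made up here).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho "Content-type: text/plain"\n' > "$tmp/status.cgi"
    printf '#!/usr/bin/env bash\necho ok\n' > "$tmp/env.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n' > "$tmp/report.cgi"
    echo "bash scripts under $tmp:"
    find_bash_scripts "$tmp"
    shellshock_check bash; rc=$?
    case $rc in
        0) echo "bash: ignores function definition attempt (patched)" ;;
        1) echo "bash: executed trailing command (vulnerable)" ;;
        *) echo "bash: check could not run (status $rc)" ;;
    esac
    if sh_is_bash; then echo "sh is bash"; else echo "sh is not bash"; fi
    rm -rf "$tmp"
}
demo
```

Run shellshock_check against each bash binary on a host (a second copy under /usr/local is easy to forget), and feed find_bash_scripts the CGI directories of any web server that can reach bash.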

01-10-2014

Oct 01

Ever wondered which files have been changed on your system?

The "ff" command scans the inodes of a filesystem or logical volume and produces a status report. For instance, to see all the files in the root filesystem that have changed within the last 24 hours:

ff -m -1 -u /dev/hd4
ff: /dev/rhd4: 43 files were selected
./etc   12          root
./etc/objrepos/CDiagAtt 97          root
./etc/objrepos/CDiagAtt.vc      98          root
./etc/objrepos/CDiagDev 99          root
./etc/objrepos/CuAt     101         root
./etc/objrepos/CuAt.vc  102         root
./etc/objrepos/SRCnotify        120         root
./etc/objrepos/SRCsubsvr        121         root
./etc/objrepos/SRCsubsys        122         root
./etc/objrepos/SWservAt 123         root

..

To list files that have not been changed for more than 30 days:

ff -a +30 /dev/hd4
./lpp/bos.net/deinstl/bos.net.tcp.server/6.1.8.15/bos.net.tcp.server.prvcmd.secpreapply        77572       root
./lpp/bos.net/deinstl/bos.net.tcp.server/6.1.8.15/bos.net.tcp.server.lib.sec.prapply   77573       root
./lpp/bos/bos.rte.tty/6.1.8.15  77600       root
./lpp/bos/deinstl/bos.rte.tty/6.1.8.15/bos.rte.tty.sec.preapply 77601       roo
./lpp/bos/deinstl/bos.rte.tty/6.1.8.15/bos.rte.tty.prvcmd.sec.preapply  77602      root
./lpp/bos/bos.rte.archive/6.1.8.15      77632       root
./lpp/bos/bos.rte.archive/6.1.8.15/bos.rte.archive.rl   77633       root
./lpp/bos/bos.rte.archive/6.1.8.15/bos.rte.archive.inventory.restore    77634      root

.

To list the paths corresponding to i-node numbers 21016 and 8216, enter:

ff -l -i 21016,8216 /dev/hd3
ff: /dev/rhd3: 2 files were selected
ff: /dev/rhd3: 0 link names were detected
./.workdir.4587694.6488228_1    8216
./.workdir.16056422.15925484_1  21016
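ff is AIX-specific. As an added example that is not from the original post, the POSIX shell script below reproduces the three queries shown above with find on systems that lack ff, printing path, inode number and owner in the same spirit as ff's report. "Changed" is interpreted as modification time (find -mtime) for both the "within the last N days" and the "not for more than N days" queries. The function names and the sample files created in demo() are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: portable equivalents of the
# three ff queries above, built on find, for systems without AIX's ff.

# Print "path<TAB>inode<TAB>owner" for one file, like an ff report line.
describe_file() {
    ino=$(ls -di "$1" | awk '{print $1}')
    owner=$(ls -ld "$1" | awk '{print $3}')
    printf '%s\t%s\t%s\n' "$1" "$ino" "$owner"
}

# Files under $1 modified within the last $2 days (ff -m -N).
changed_within_days() {
    find "$1" -xdev -type f -mtime -"$2" | while IFS= read -r f; do
        describe_file "$f"
    done
}

# Files under $1 not modified for more than $2 days (ff -a +N as used above).
unchanged_for_days() {
    find "$1" -xdev -type f -mtime +"$2" | while IFS= read -r f; do
        describe_file "$f"
    done
}

# Paths for a comma-separated list of inode numbers under $1 (ff -l -i a,b).
# Hard links to the same inode each produce a line, as ff -l would report.
paths_for_inodes() {
    dir="$1"
    echo "$2" | tr ',' '\n' | while IFS= read -r ino; do
        [ -n "$ino" ] || continue
        find "$dir" -xdev -inum "$ino" | while IFS= read -r f; do
            printf '%s\t%s\n' "$f" "$ino"
        done
    done
}

# Demo on a constructed directory: one fresh file and one whose mtime is
# set back to 2014 so that the 30-day query has something to report.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'recent\n' > "$tmp/recent.conf"
    printf 'old\n' > "$tmp/old.conf"
    touch -t 201401010000 "$tmp/old.conf"
    echo "changed within 1 day:";   changed_within_days "$tmp" 1
    echo "unchanged for 30+ days:"; unchanged_for_days "$tmp" 30
    ino=$(ls -di "$tmp/old.conf" | awk '{print $1}')
    echo "path for inode $ino:";    paths_for_inodes "$tmp" "$ino"
    rm -rf "$tmp"
}
demo
```

For change detection on a live system, run changed_within_days against each mount point separately (the -xdev keeps find from crossing into other filesystems, matching ff's per-device scope) and compare the output with a baseline taken after the last known-good change.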