On September 25th, the entire network went silent for about 24 hours. This came without warning, and has surprised quite a few of you.
This was not a maintenance routine, but a preemptive measure against the recently disclosed Shellshock vulnerability, referenced as CVE-2014-7169.
This vulnerability is designated as particularly dangerous as it is extremely easy to exploit, and can potentially affect hundreds of millions of Internet-connected objects (computers, smartphones, etc). A simple request through a webpage can be enough, if a few other conditions are met, to inject malicious code or payloads inside the server, thus bypassing most security tools in place.
Not long after the public disclosure, I began looking for more information on the subject. CGI scripts looked particularly vulnerable, and most shared-hosting companies tend to use these with an Apache server and cPanel, making them vulnerable to this threat. Fortunately, at Neregate we’re cool people, so we already ditched Apache for Nginx quite some time ago, meaning bye-bye to all CGI scripts.
However, just because CGI scripts are considered vulnerable doesn’t mean that they are the only possible attack vector an attacker can use against your server; thinking otherwise would be a naive assumption.
After looking at possible workarounds while waiting for an official fix, I came to the conclusion that it’d be safer to shut down everything rather than just wait for bad things to happen, so I decided to stop all services, including the mail servers (which is the first time I had to go this far).
Now, you’re probably thinking that this is a rather excessive measure for a small site like this, as Neregate isn’t a juicy target like the big corporate companies out there. While this is a legitimate thought, things are never that simple. Shortly after the bug disclosure, some people began scanning wide ranges of IP addresses to look for vulnerable servers. With a bug that is so easy to exploit, it wouldn’t take long for someone to code a worm that tries all sorts of code injections while looping over IP addresses. Rather than taking the risk of getting infected, shutting everything down and waiting for a fix seemed like the best solution. Unlike the big players out there who can invest a lot of money in security, small websites like this one can only cross their fingers if they stay online. Also, dealing with a virus that has already infected your server is WAY more tedious & time consuming than trying to prevent an infection. The probability of infection was likely very low, but it could not be ruled out.
Too many people do not give a fuck about the safety of their users, never update their systems, or keep themselves informed. While this is understandable for people on shared hosting (since they have little to no control over system updates), this is not acceptable for people who have full control over a server. As most of you know, your privacy and safety are among my top priorities, because a good browsing experience should also be a safe browsing experience. This doesn’t mean that trouble will never occur, but the risks are definitely reduced, and I take the matter very seriously.
(Reminder: HTTPS is coming in a few months)
The patch to fix the vulnerability was posted a little while ago, and after reviewing around 6 gigabytes of logs, there was nothing indicating that the vulnerability was exploited on the server. There were several traces of scans attempting to assess whether or not the server was vulnerable (baka.bz & neregate.com being the prime targets), hopefully it didn’t go any further than that. I also saw some pretty scary and clever attack patterns that were unrelated to the current problem and wow, there’s some massive shit going on behind the scenes (but that isn’t new).
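The kind of log review mentioned above, as an added example that is not part of the original post or Neregate’s own tooling: it parses access log lines in the default Nginx/Apache “combined” format (an assumption about the server’s configuration) and flags requests whose client-controlled fields carry the bash function-definition marker that Shellshock scans rely on. The log lines are constructed for the example, using documentation IP ranges.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Nginx/Apache "combined" access log format (assumption: the server keeps the default).
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock probes put a bash function definition, "() {", at the start of a
# header value; a CGI handler exports request headers as environment variables,
# which is how the string reaches bash. Matching only the prefix catches the
# scans regardless of what is appended after it.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def is_shellshock_probe(entry: Dict[str, str]) -> bool:
    """True if the request line, Referer or User-Agent carries the marker."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ("request", "referer", "ua"))

def find_probes(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Scan log lines; return (ip, timestamp, request, status) for each probe found."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_shellshock_probe(entry):
            hits.append((entry["ip"], entry["ts"], entry["request"], entry["status"]))
    return hits

def count_by_ip(hits: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Probe volume per source address; a scanner typically hits many paths from one IP."""
    counts: Dict[str, int] = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:10:01:12 +0000] "GET /chart/fall-2014 HTTP/1.1" 200 51234 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/Sep/2014:10:02:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "() { :; }; /bin/true"',
    '192.0.2.44 - - [26/Sep/2014:10:02:04 +0000] "GET / HTTP/1.1" 200 4821 "() { :; }; /bin/true" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for hit in probes:
        print("probe", *hit)
    print(count_by_ip(probes))
```

A probe that was answered with a 200 on a CGI path deserves a closer look than one that got a 404, since the 404 means no handler ever received the header.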
As a general precaution, never visit websites that claim to help you by scanning a website for a vulnerability. These websites are often scams that make gullible people enter their website address, and feed a database of vulnerable websites. Also, if you use this kind of service to input a website you do not own but like to visit, all you are doing is potentially putting that website’s owner in danger. Think twice, be responsible.
You do NOT need to test your website using a third party! Just have a look at the vulnerable versions of the bugged application, and see if you are up to date or not. Bug disclosures always come with a list of the vulnerable versions: use them.
Mac users “should be” protected against this vulnerability unless you did some tweaking to your services, although you should be on the lookout for a system update (if Apple didn’t release one already). Linux users, in general, should update their systems as soon as they can.
I apologize for the downtime. It kinda comes at a bad moment since a lot of you wanted to download the new Fall chart and were unable to do so.
However, safety comes first, and the situation called for it. Hopefully this should not happen very often.