Updated: Yahoo! said "a handful" of its servers fell to hackers who may have been trying to exploit the Shellshock vulnerability in Bash.
The miscreants took control of the web servers to build a botnet out of them, it is claimed.
"As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network," a Yahoo! spokesperson told The Register in an emailed statement on Monday.
"Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."
The compromise came to light over the weekend when Jonathan Hall, president of IT consulting firm Future South Technologies, spotted that hackers were using the vulnerability to infiltrate servers owned by Yahoo! – and allegedly some operated by Lycos and WinZip.
Hall, a self-described Bash junkie, claimed his servers were probed by a compromised WinZip server looking for common scripts in the cgi-bin directory. He further claimed that the server had an IRC DDoS bot running on it containing Romanian text, which he killed before informing the FBI and WinZip.
Hall says WinZip didn't respond to his email alerting the biz to the alleged break-in. He says the machines are now patched, and appear to be in the clear. But then he noticed other servers running similar code, including those belonging to Yahoo! and allegedly Lycos.
"Some of my observations indicate that him [the alleged hacker] and his little Romanian cohort in there are also working towards another goal on Yahoo!’s network: the Yahoo! Games servers," Hall wrote.
"One might wonder why they would bother going for that… Well, those games are visited by MILLIONS of people per a day, and they’re also Java based. Think about it and you tell me why someone would want to compromise those."
He said he sent an email to Yahoo! CEO Marissa Mayer and contacted her on Twitter about the issue, with no response, and also alerted the FBI.
While Yahoo! says the problem has now been solved, Hall suggests the crooks are unlikely to have given up and more big-name servers could be under attack.
"In response to recent news about Shellshock, WinZip confirms that when the Shellshock vulnerability was identified in late September, our team immediately began patching our servers," said spokeswoman Jessica Gould.
"We continue to monitor the situation and apply the appropriate software updates as issues are identified. We've audited our servers and want to assure our users that no customer data or WinZip commercial software shows any evidence of being affected. WinZip is committed to protecting our users’ data."
Lycos did not respond to The Register's request for comment. ®
Updated to add
Hours after publication, Yahoo! has had a change of heart, claiming that its machines weren't vulnerable to Shellshock – just a bug exactly like it.
"Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock," said Alex Stamos, Yahoo!’s chief information security officer, on Hacker News. A copy of his statement was forwarded to us by Yahoo! PR.
"Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters.
"This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs."