Stories from October 6, 2014
1."Open Source is awful in many ways, and people should be aware of this" (plus.google.com)
605 points by basil on Oct 6, 2014 | 465 comments
2.Become Estonia’s e-resident (e-estonia.com)
447 points by jkaljundi on Oct 6, 2014 | 122 comments
3.Show HN: Nightmare – Simple browser automation (nightmarejs.org)
429 points by pkrein on Oct 6, 2014 | 70 comments
4.Reddit CEO Calls Out Former Reddit Employee on Reddit (reddit.com)
366 points by brbcoding on Oct 6, 2014 | 294 comments

Howdy, Hacker News. I’m the CISO of Yahoo and I wanted to clear up some misconceptions.

Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

Three of our Sports API servers had malicious code executed on them this weekend by attackers looking for vulnerable Shellshock servers. These attackers had mutated their exploit, likely with the goal of bypassing IDS/IDP or WAF filters. This mutation happened to exactly fit a command injection bug in a monitoring script our Sports team was using at that moment to parse and debug their web logs.

Regardless of the cause, our course of action remained the same: to isolate the servers at risk and protect our users' data. The affected API servers are used to provide live game streaming data to our Sports front-end and do not store user data. At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected. This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.

As you can imagine this episode caused some confusion in our team, since the servers in question had been successfully patched (twice!!) immediately after the Bash issue became public. Once we ensured that the impacted servers were isolated from the network, we conducted a comprehensive trace of the attack code through our entire stack which revealed the root cause: not Shellshock. Let this be a lesson to defenders and attackers alike: just because exploit code works doesn’t mean it triggered the bug you expected!

I also want to address another issue: Yahoo takes external security reports seriously and we strive to respond immediately to credible tips. We monitor our Bug Bounty (bugbounty.yahoo.com) and security aliases (security@yahoo.com) 24x7, and our records show no attempt by this researcher to contact us using those means. Within an hour of our CEO being emailed directly we had isolated these systems and begun our investigation. We run one of the most successful Bug Bounty programs in the world and I hope everybody here will participate and help us keep our users safe.

We’re always looking for people who want to keep nearly a billion users safe at scale. paranoids-hiring@yahoo-inc.com


Here is a suggestion: tell them to state their intentions or go away. Once they state their intentions, tell them they have to sign a Memorandum of Understanding about what you're going to talk about, and if they walk away it will cost them $X million (pick a number that would be able to resolve your debts and pay off any investors with a slight return).

Whatever you do, do NOT be lured into thinking they are thinking about maybe a big exit for you; your interests are not aligned yet and you need to realize that. If there is any IP possible, make sure you have provisional patents filed before you talk to them about anything. Even if you don't think it is patentable, force them to either buy you or risk infringing you if they go into competition with you.

Seriously, you have nothing to gain from this distraction if they aren't serious, and if they are serious they will put it in writing for you.

7. [dupe] Lennart Poettering on the state of open source communities (plus.google.com)
211 points by omnibrain on Oct 6, 2014 | 169 comments
8.Unfinished game – learn by practice (github.com/rezoner)
214 points by rezoner on Oct 6, 2014 | 20 comments
9.In the medical response to Ebola, Cuba is punching above its weight (washingtonpost.com)
200 points by megalodon on Oct 6, 2014 | 134 comments
10.The force vectors on a skateboard during an Ollie (wired.com)
194 points by aatish on Oct 6, 2014 | 52 comments
11.History of Apache Storm and Lessons Learned (nathanmarz.com)
174 points by plinkplonk on Oct 6, 2014 | 21 comments
12.Stamplay: IFTTT for developers (techcrunch.com)
198 points by NicoJuicy on Oct 6, 2014 | 70 comments
13.A look at the Apple ‘Skankphone’, built before the original iPhone release (thenextweb.com)
170 points by striking on Oct 6, 2014 | 65 comments
14.Monit's DMCA takedown notice for Inspeqtor (github.com/github)
164 points by jbrowning on Oct 6, 2014 | 70 comments
15.Ask HN: Big company approached our stealth startup – what to do?
159 points by throwaway__x on Oct 6, 2014 | 81 comments
16.Stop Australia's Data Retention Bill (stopthespies.org)
163 points by pserwylo on Oct 6, 2014 | 32 comments
17.The 2014 Nobel Prize in Physiology or Medicine (nobelprize.org)
155 points by tchalla on Oct 6, 2014 | 16 comments

This writeup doesn't really get to the point, so the tl;dr:

He was looking for places to exploit Shellshock by googling for CGI scripts. Most of the ones he did find had already been hit by someone using a Perl script that made them join an IRC channel that was being used as CnC. He also joined it and monitored it. A bunch of different Yahoo boxes were in the channel and he saw some of them get rooted.

19.There Is No Maker Movement in China (ello.co)
146 points by paulgerhardt on Oct 6, 2014 | 102 comments
20.YouTube's joke of a fair-use appeal process (jwz.org)
129 points by shawndumas on Oct 6, 2014 | 41 comments
21.Square Raises $150M at a $6B Valuation (nytimes.com)
127 points by minimaxir on Oct 6, 2014 | 108 comments
22.The Empire of Edge (newyorker.com)
139 points by fragmented on Oct 6, 2014 | 42 comments
23.LambdaNative – A cross-platform development environment written in Scheme (github.com/part-cw)
129 points by mike_ivanov on Oct 6, 2014 | 18 comments
24.Overstock.com Assembles Coders to Create a Bitcoin-Like Stock Market (wired.com)
129 points by PhantomPhreak on Oct 6, 2014 | 74 comments
25.Life of an HTTP request, as seen by my toy web server (tia.mat.br)
117 points by caiobegotti on Oct 6, 2014 | 12 comments
26.AngularJS Tutorial: A Comprehensive 10,000 Word Guide (airpair.com)
173 points by toddmotto on Oct 6, 2014 | 22 comments
27.The Bacon Boom Was Not an Accident (businessweek.com)
118 points by agwa on Oct 6, 2014 | 110 comments
28.Microsoft’s ‘RoomAlive’ transforms any room into a giant Xbox game (theverge.com)
102 points by kenrick95 on Oct 6, 2014 | 27 comments
29.Shdr – Online GLSL shader editor and validator with live preview (bkcore.com)
98 points by chrismdp on Oct 6, 2014 | 16 comments
30.Latest Ebola Statistics (ebolastats.info)
100 points by natural219 on Oct 6, 2014 | 41 comments
