A series of attacks on websites and servers using the serious Shellshock bug has been spotted.
Millions of servers use software vulnerable to the bug, which lets attackers run commands on an affected system.
So far, thousands of servers have been compromised via Shellshock and some have been used to bombard web firms with data, said experts.
The number of attacks and compromises was likely to grow as the code used to exploit the bug was shared.
The Shellshock bug was discovered in a tool known as Bash, which is widely used on the Unix operating system and many of its variants, including the open source Linux and Apple’s OS X.
Apple said it was working on a fix for its operating system and added that most users would not be at risk from Shellshock.
Attackers have been spotted creating networks of compromised machines, known as botnets, that were then put to other uses.
The control that Shellshock gave to attackers made it potentially more of a problem than the serious Heartbleed bug discovered in April this year, said security researcher Kasper Lindegaard from Secunia.
“Heartbleed only enabled hackers to extract information,” he told tech news site The Register. “Bash enables hackers to execute commands to take over your servers and systems.”
The seriousness of the bug has also led governments to act quickly. The UK government said its cybersecurity response team had issued an alert to its agencies and departments giving Shellshock the “highest possible threat ratings”.