[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <BAY10-DAV301B2B4D8416A341B4AC4ED9780@phx.gbl>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote
codeexecution
> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.
cgi
00001495 00001495 0 /dev/tty
0000149E 0000149E 0 socket
000014AA 000014AA 0 listen
000014C0 000014C0 0 PsychoPhobia Backdoor is starting...
0000254E 0000254E 0 init.c
dc
000009C0 000009C0 0 Welcome to Data Cha0s Connect Back Shell
000009E9 000009E9 0 No More Damn Issue Commands
00000A20 00000A20 0 Data Cha0s Connect Back Backdoor
00000A42 00000A42 0 /bin/sh
00000A4D 00000A4D 0 XTERM=xterm
00000A59 00000A59 0 HISTFILE=
00000A63 00000A63 0 SAVEHIST=
00000A6D 00000A6D 0 Usage: %s [Host] <port>
00000A86 00000A86 0 [*] Dumping Arguments
00000A9C 00000A9C 0 [*] Resolving Host Name
00000AB4 00000AB4 0 [*] Connecting...
00000AC6 00000AC6 0 [*] Spawning Shell
00000AD9 00000AD9 0 [*] Detached
00004321 00004321 0 dc-connectback.c
cheers,
m.w
Powered by blists - more mailing lists