Full Disclosure mailing list archives
Re: Re: [ GLSA 200501-36 ] AWStats: Remote codeexecution
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Wed, 26 Jan 2005 19:16:28 -0800
I don't have the time to investigate the "cgi" and "dc" binaries. The "cgi" at least tries to daemonize and opens a TCP listening socket. They also try to replace the index page on the vulnerable site.
cgi
00001495 00001495 0 /dev/tty
0000149E 0000149E 0 socket
000014AA 000014AA 0 listen
000014C0 000014C0 0 PsychoPhobia Backdoor is starting...
0000254E 0000254E 0 init.c

dc
000009C0 000009C0 0 Welcome to Data Cha0s Connect Back Shell
000009E9 000009E9 0 No More Damn Issue Commands
00000A20 00000A20 0 Data Cha0s Connect Back Backdoor
00000A42 00000A42 0 /bin/sh
00000A4D 00000A4D 0 XTERM=xterm
00000A59 00000A59 0 HISTFILE=
00000A63 00000A63 0 SAVEHIST=
00000A6D 00000A6D 0 Usage: %s [Host] <port>
00000A86 00000A86 0 [*] Dumping Arguments
00000A9C 00000A9C 0 [*] Resolving Host Name
00000AB4 00000AB4 0 [*] Connecting...
00000AC6 00000AC6 0 [*] Spawning Shell
00000AD9 00000AD9 0 [*] Detached
00004321 00004321 0 dc-connectback.c

cheers,
m.w
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
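An added example, not part of the original post: a small triage helper that extracts printable strings with their offsets, as in the listings above, and reports which of the distinctive strings from the "cgi" and "dc" listings occur in a file found on a host. The function names, the choice of which strings count as distinctive, and the sample bytes are assumptions made for this illustration.

```python
import re

# Distinctive strings copied from the listings in the post. Generic ones
# ("socket", "listen", "/bin/sh") are left out: they occur in benign files.
MARKERS = {
    "cgi": [b"PsychoPhobia Backdoor is starting..."],
    "dc": [b"Welcome to Data Cha0s Connect Back Shell",
           b"Data Cha0s Connect Back Backdoor",
           b"dc-connectback.c"],
}
# Weaker hint from the "dc" listing: history variables with an empty value,
# i.e. the whole string is just "HISTFILE=" or "SAVEHIST=".
WEAK_HINTS = [b"HISTFILE=", b"SAVEHIST="]

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def extract_strings(data):
    """Return (offset, text) for every run of 4+ printable ASCII bytes."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(data)]


def triage(data):
    """Map each label to the sorted (offset, string) hits found in data."""
    hits = {}
    for label, needles in MARKERS.items():
        found = sorted((data.find(n), n.decode("ascii"))
                       for n in needles if n in data)
        if found:
            hits[label] = found
    weak = [(off, s) for off, s in extract_strings(data)
            if s.encode("ascii") in WEAK_HINTS]
    if weak:
        hits["weak"] = weak
    return hits


# Constructed sample bytes (not taken from a real binary): a fake header
# followed by NUL-terminated strings laid out the way a C program stores them.
SAMPLE = (b"\x7fELF" + b"\x00" * 12
          + b"Data Cha0s Connect Back Backdoor\x00/bin/sh\x00XTERM=xterm\x00"
          + b"HISTFILE=\x00SAVEHIST=\x00\x01\x02dc-connectback.c\x00")

if __name__ == "__main__":
    for label, found in triage(SAMPLE).items():
        for off, text in found:
            print(f"{label:5} {off:08X} {text}")
```

To check a real file, pass its contents to `triage()`, for example `triage(open(path, "rb").read())`. A hit under "weak" alone is not conclusive.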
Current thread:
- [ GLSA 200501-36 ] AWStats: Remote code execution Luke Macken (Jan 25)
- Re: [ GLSA 200501-36 ] AWStats: Remote code execution Delian Krustev (Jan 26)
- Re: [ GLSA 200501-36 ] AWStats: Remote code execution Niels Bakker (Jan 27)
- Re: [ GLSA 200501-36 ] AWStats: Remote code execution Joao Victor A. Di Stasi (Jan 27)
- Re: Re: [ GLSA 200501-36 ] AWStats: Remote codeexecution morning_wood (Jan 27)
- Re: [ GLSA 200501-36 ] AWStats: Remote code execution Delian Krustev (Jan 26)