Full Disclosure mailing list archives

Re: Re: [ GLSA 200501-36 ] AWStats: Remote code execution


From: "morning_wood" <se_cur_ity () hotmail com>
Date: Wed, 26 Jan 2005 19:16:28 -0800

I don't have the time to investigate the "cgi" and "dc" binaries.
The "cgi" at least tries to daemonize and opens a TCP listening socket.
They also try to replace the index page on the vulnerable site.

cgi
00001495   00001495      0   /dev/tty
0000149E   0000149E      0   socket
000014AA   000014AA      0   listen
000014C0   000014C0      0   PsychoPhobia Backdoor is starting...

0000254E   0000254E      0   init.c


dc
000009C0   000009C0      0   Welcome to Data Cha0s Connect Back Shell
000009E9   000009E9      0   No More Damn Issue Commands
00000A20   00000A20      0   Data Cha0s Connect Back Backdoor
00000A42   00000A42      0   /bin/sh
00000A4D   00000A4D      0   XTERM=xterm
00000A59   00000A59      0   HISTFILE=
00000A63   00000A63      0   SAVEHIST=
00000A6D   00000A6D      0   Usage: %s [Host] <port>
00000A86   00000A86      0   [*] Dumping Arguments
00000A9C   00000A9C      0   [*] Resolving Host Name
00000AB4   00000AB4      0   [*] Connecting...
00000AC6   00000AC6      0   [*] Spawning Shell
00000AD9   00000AD9      0   [*] Detached

00004321   00004321      0   dc-connectback.c


cheers,
m.w

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
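As an added example (not part of morning_wood's post or the GLSA), here is the kind of strings triage the post relies on, written in Python: it extracts printable runs the way strings(1) does and buckets them against indicator substrings drawn from the two listings above. The indicator categories are my own, and the byte buffer is constructed inline to stand in for the "cgi" and "dc" binaries, which are not reproduced here.

```python
import re
from typing import Dict, List, Tuple

# Indicator substrings (matched case-insensitively). The categories are an
# assumption for this example; the needles come from the strings listed above
# for the "cgi" and "dc" binaries.
INDICATORS = {
    "backdoor-banner": ["backdoor", "connect back"],
    "network": ["socket", "listen", "connecting..."],
    "shell-spawn": ["/bin/sh", "spawning shell"],
    "history-disable": ["histfile=", "savehist="],  # shell history suppression
    "daemonize": ["/dev/tty", "detached"],          # tty detach / background
}


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) pairs for printable-ASCII runs, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def triage(data: bytes) -> Dict[str, List[str]]:
    """Group the extracted strings by the first indicator category they hit."""
    hits: Dict[str, List[str]] = {}
    for _offset, text in extract_strings(data):
        low = text.lower()
        for category, needles in INDICATORS.items():
            if any(n in low for n in needles):
                hits.setdefault(category, []).append(text)
    return hits


# Constructed sample: not a real ELF, just non-printable padding interleaved
# with the strings reported in the post, so the scanner can run offline.
SAMPLE = (
    b"\x7fELF\x00\x01" + b"\x00" * 8 + b"/dev/tty\x00socket\x00listen\x00"
    b"PsychoPhobia Backdoor is starting...\x00\x90\x90init.c\x00"
    b"Data Cha0s Connect Back Backdoor\x00/bin/sh\x00HISTFILE=\x00SAVEHIST=\x00"
    b"[*] Spawning Shell\x00[*] Detached\x00"
)

if __name__ == "__main__":
    for category, strings in sorted(triage(SAMPLE).items()):
        print(f"{category}: {strings}")
```

Pointing `triage()` at `open(path, "rb").read()` for a suspect file gives the same bucketed view; a file that hits the history-disable and shell-spawn buckets together is worth a closer look regardless of what it is named.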
