Re: [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
- To: "Delian Krustev" <krustev@xxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>, <security-alerts@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: [ GLSA 200501-36 ] AWStats: Remote code execution
- From: "morning_wood" <se_cur_ity@xxxxxxxxxxx>
- Date: Wed, 26 Jan 2005 19:16:28 -0800
> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.
cgi
00001495 00001495 0 /dev/tty
0000149E 0000149E 0 socket
000014AA 000014AA 0 listen
000014C0 000014C0 0 PsychoPhobia Backdoor is starting...
0000254E 0000254E 0 init.c
dc
000009C0 000009C0 0 Welcome to Data Cha0s Connect Back Shell
000009E9 000009E9 0 No More Damn Issue Commands
00000A20 00000A20 0 Data Cha0s Connect Back Backdoor
00000A42 00000A42 0 /bin/sh
00000A4D 00000A4D 0 XTERM=xterm
00000A59 00000A59 0 HISTFILE=
00000A63 00000A63 0 SAVEHIST=
00000A6D 00000A6D 0 Usage: %s [Host] <port>
00000A86 00000A86 0 [*] Dumping Arguments
00000A9C 00000A9C 0 [*] Resolving Host Name
00000AB4 00000AB4 0 [*] Connecting...
00000AC6 00000AC6 0 [*] Spawning Shell
00000AD9 00000AD9 0 [*] Detached
00004321 00004321 0 dc-connectback.c
cheers,
m.w
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
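
Added example (not part of the original post and not written by its author): a small Python triage script that extracts printable strings with their file offsets, in the manner of the listing above, and flags the distinctive marker strings that listing shows. The function names and the sample bytes are constructed for this example.

```python
import re
import sys

# Marker strings copied from the listing in the post, keyed by the file names used there.
# Generic strings from the listing (/bin/sh, socket, listen) are left out: benign programs contain them too.
MARKERS = {
    "cgi": ["PsychoPhobia Backdoor is starting..."],
    "dc": ["Data Cha0s Connect Back Shell",
           "Data Cha0s Connect Back Backdoor",
           "dc-connectback.c"],
}

def extract_strings(data, min_len=4):
    """Return (offset, text) for every run of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

def match_markers(data):
    """Return {label: [(offset, text), ...]} for extracted strings that contain a marker."""
    hits = {}
    for offset, text in extract_strings(data):
        for label, markers in MARKERS.items():
            if any(marker in text for marker in markers):
                hits.setdefault(label, []).append((offset, text))
    return hits

def format_hits(hits):
    """Render hits with an 8-digit hex offset first, similar to the listing's layout."""
    lines = []
    for label in sorted(hits):
        lines.append(label)
        lines.extend("%08X %s" % (offset, text) for offset, text in hits[label])
    return "\n".join(lines)

# Constructed sample: filler bytes around strings from the listing, not a real binary.
SAMPLE = (b"\x7fELF" + b"\x00" * 12 + b"/bin/sh\x00"
          + b"Data Cha0s Connect Back Backdoor\x00"
          + b"\x01\x02" + b"dc-connectback.c\x00")

if __name__ == "__main__":
    # Scan the files named on the command line, or the constructed sample if none are given.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path + "\n" + format_hits(match_markers(fh.read())))
    else:
        print(format_hits(match_markers(SAMPLE)))
```

A file with no hits is not thereby clean: a packed or recompiled copy would not carry these plaintext strings.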