Well, my primary box was cracked by a dipshit going after the recent awstats.pl bug.
It's the same thing that hit Russell the other day.
The bare bones stuff (blog/comments/inbound email) is working on my secondary box. But a lot more needs to be fixed.
Yeay for me having reasonably good backups!
Boo for the asshole who did it.
More later, but I need to sleep. It's 3.5 hours past when I planned to go to bed.
:-(
Posted by jzawodn at February 01, 2005 02:29 AM
Bloody wanker. Thankfully I haven't updated much besides email in the past few days. And you have good backups online.
Just what you needed, eh?
Oooooh! It was Awstats! S.O.B! Thanks Jeremy, that clears my mind tremendously.
Sorry you got hacked as well... what a pain in the ass.
-Russ
Don't you guys have awstats password protected?
Well I'm going to update anyway just to be safe -thanks for the heads-up.
Busy upgrading my awstats port under FreeBSD. Thanks for the warning.
What's this about an awstats bug? I poked around and haven't found any info on any awstats exploits. I'm backing up my server and preparing to upgrade to any newer versions, but I don't see anything to indicate there was any security gap, or any solution.
I got dinged by a Twiki exploit a month or two ago. Also a major pain. I guess they hadn't found my awstats.pl in the meantime (or mine is new enough) but I chmod -rwx'd it just to be safe.
If you are trying to clean up your box, check out http://www.rootkit.nl/projects/rootkit_hunter.html it does a good job of ferreting out all the booby traps left behind. Take note that modern rootkits compromise all the common diagnostic tools (ls, ps, lsof, etc...) which makes it hard to see what the hell is really going on.
Ah, I found a reference to the exploit. I thought I'd post it just so everyone knows what is going on.
http://www.k-otik.com/exploits/20050124.awexpl.c.php
Looks like versions of awstats 6.2 and lower are vulnerable, v6.3 has the fix.
I've noticed that most web-based exploits work by executing commands that download, compile, and run files in /tmp. My question is why /tmp allows execution by default on most Unix distributions? I run FreeBSD on my servers, and have the noexec flag in /etc/fstab for the /tmp partition. While you shouldn't rely on this alone, it does seem to resist most if not all of the PHP/Perl/web-based exploits of the recent past long enough to give me an opportunity to upgrade or fix whatever is causing the problem. When the recent phpBB exploit was announced, I noticed several attempts in my /tmp of people downloading source code or pre-compiled binaries, but none were successful.
The only time this has caused a problem for me is when I need to do a make world in FreeBSD. This is easily resolved by remounting /tmp without the noexec flag for the period during which I'm upgrading the system.
Patrick's suggestion is indeed a very nice and easy to implement line of defense against many script kiddies.
If you don't have /tmp in a separate partition and/or don't want to make a separate partition for it you can use a loopback device.
One place where I had problems with it is with "pear install APC" or most probably any other PECL package.
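The noexec /tmp idea from the two comments above (a dedicated /tmp partition, or a loopback mount standing in for one) is easy to get subtly wrong, so here is a small added audit script, not from the original post or any commenter, that checks whether an fstab actually mounts /tmp with noexec and nosuid. The fstab text is a constructed sample; the function and option names are this example's own.

```shell
#!/bin/sh
# Added example: audit an fstab for a /tmp mount carrying noexec and nosuid.
# SAMPLE_FSTAB is a constructed sample, not taken from anyone's real system.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options           Dump Pass
/dev/ad0s1a     /           ufs     rw                1    1
/dev/ad0s1d     /tmp        ufs     rw,noexec,nosuid  2    2
/dev/ad0s1e     /var        ufs     rw                2    2
'

# tmp_mount_options FSTAB_TEXT
# Prints the option field of the /tmp entry (comments skipped), or nothing
# when no separate /tmp mount exists at all.
tmp_mount_options() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }'
}

# has_option OPTIONS NAME
# Succeeds when NAME appears as one whole item of a comma-separated list.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_tmp FSTAB_TEXT
# Prints one of: ok, missing-noexec, missing-nosuid, no-tmp-partition.
# Exit status is non-zero for anything other than "ok".
audit_tmp() {
    opts=$(tmp_mount_options "$1")
    if [ -z "$opts" ]; then
        echo "no-tmp-partition"
        return 1
    fi
    has_option "$opts" noexec || { echo "missing-noexec"; return 1; }
    has_option "$opts" nosuid || { echo "missing-nosuid"; return 1; }
    echo "ok"
}

# Run against the constructed sample; on a live box you would pass "$(cat /etc/fstab)".
audit_tmp "$SAMPLE_FSTAB"
```

The check reports "no-tmp-partition" as a failure on purpose: with /tmp living on the root filesystem there is nothing for noexec to attach to, which is exactly the case the loopback suggestion addresses. When a build step genuinely needs an executable /tmp, the FreeBSD way is a temporary `mount -u -o exec /tmp` followed by `mount -u -o noexec /tmp` once you are done, rather than removing the flag from fstab.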
It's obvious to me that they're going after Yahoo employees now. First Russ, now you. Yahoo.com is clearly the end goal, yep, clear as mud.
The dirty deed was recorded - busy couple of wankers:
http://www.zone-h.org/en/defacements/filter/filter_domain=zawodny.com/
http://www.zone-h.org/en/defacements/filter/filter_domain=isaacs.com/
Jesper,
Funny how these sites can index (with screen shots) right when the hack takes place. I hit Jeremy’s site like 20 sites a day via rss and did not even notice anything except last night when I was getting connection refused.
- Justin
The reason they get the screenshot so quick is because the defacers report the crack straight away:
I assume you just haven't gotten around to fixing http://www.zawodny.com/ yet?
Thought I'd mention it, just in case you hadn't noticed it's still defaced. :(
I upgraded my server to the new awstats version, I even took some extra time to put in mod_rewrite gadgets to stop inline linking of pics, to stop people from leeching off my server. So I just wanted to drop you a thank-you note, Jeremy, your "Fun With mod_rewrite" tip was invaluable. I could never get mod_rewrite to work in .htaccess, I had no idea you could just put the directives into the Virtual Hosts section of httpd.conf until you mentioned it.
Well apparently, they're not too smart. They hit my server a while back and I traced them to here:
#Infektion On Irc.GigaChat.net
They have their own chat room on the IRC.
I wouldn't feel bad about this. The FBI just got 0wn3d today too:
FBI mail server gets 0wn3d
What a shame you were hit by this. I've been trying to make some noise about this possible after seeing the first hits on the 28th January. It seems the attackers are using a now standard technique of surfing google for pages that have a particular path in their url and then slamming them.
Unfortunately it took quite some time before the problem was acknowledged and a new stable release produced by the awstats author (although various distros (debian, suse, gentoo) had fixed versions before the 28th).
Although it is obfuscation you may want to make sure that any pages that are taking user input that don't need to be indexed are protected by robots.txt or NOINDEX tags. It's not foolproof since if you link to it the page may still turn up but maybe you will turn up later buying you more time (of course the damage has already been done)...
Almost forgot, blocking outgoing IRC on the server, although extreme, may also buy you some time.
My site got hit by the same exploit, by the same losers, but they also installed a rootkit on the server, so you might want to watch out for that :-/
the public exploit for Awstats does not require /tmp access, only for the bot version of the exploit. Please get your facts straight.
So does this mean you did not have an htaccess rule protecting the directory with a password?
Hi,
btw there is one more awstats security hole making rounds..
and this time 6.3 is also vulnerable..
check this link for more info
http://securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0
Updating it to 6.4 development version is suggested...
Regards
Hello.
I have awstats 6.4 and I've been hacked today.
I think the problem is not awstats 6.4 common to all accounts in CPanel, but I think one of the owners of the accounts has installed an awstats version below 6.3 and this is how the hack is happening.
Is this possible? With the bugged awstats.pl file out there... we'll never rest, right? What can be done to stop this tremendous headache?
Thank you
Hi Jeremy,
My website got hacked last week and completely dismantled. The yahoo techs won't help me. I can't even upload my backup because I was also somehow blocked out of ftp and wordpress. He did a lovely job. Even the nice Yahoo tech I initially called couldn't get in through ftp. My problem is apparently Teddy R., someone who e-mailed me from yahoo tech support, thinks I need an attitude adjustment and the techs will not restore my website. He stated he could only see the communication where I was being rude. I don't understand because I didn't even use any profanity and the last 3 conversations to the 800 number have been fine because they were actually trying to help. Is it true tech support can't view everything, only the transcriptions where I wasn't happy for being on hold for 40 minutes 3 times in the same day? Anyway, can you please tell me who I can speak to that will not use their position to blackball the restoration of my website due to their personal feelings that I deserve to pay my monthly fees for nothing? I am not a bad person. I would just like to be able to get my site restored to the proper standards. Then if Teddy R. would like I can transfer all of my sites and domains to a different host. But I can't do anything until I can have access to my own site. I can't even upload files through the Yahoo Control panel. Is this a Yahoo hack? It sure seems like it. Even if you won't post this I would greatly appreciate contact info to get my site restored.
Thanks.
Maybe publicizing my url on a Yahoo Tech's Blog can finally help me to get YAHOO INC. to stop allowing their employees to commit FEDERAL OFFENSES upon me daily. Huh? What do you think? Do you think this will stop YAHOO CORPORATE, who has visited my blog, from turning a blind eye to the fact that dealing with their company has caused numerous murder attempts on my life as well as putting my young children through such a traumatic nightmare at such a young age?
KORY BAKER - ORANGEVALE, CALIFORNIA
I forgot to add my url so everyone will know what I am referring to: