Security Incidents mailing list archives

Re: awstats holes being exploited in the wild


From: John Pettitt <jpp () cloudview com>
Date: Tue, 15 Mar 2005 13:32:23 -0800



Jeremy Anderson wrote:

Greetings, everyone.  This is my first post to the list, so please be forgiving.
If the formatting on this is wonky, it can also be viewed at http://www.angelar.com/~jeremy/hacked.html


On March 2nd, 2005, a server for which I am responsible received its
first attempted break-in via awstats, exploiting CVE CAN-2005-0116 (http://www.securityfocus.com/bid/12298):


 

Several of my servers have been swept by awstats attacks in the last
three days from four addresses.  The attack script in common use seems
to have a distinct signature in that it has a double // in GET //cgi-bin
at the start of the URL, such as:

210.119.247.4 - - [09/Mar/2005:08:33:57 -0800] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 217


Attacking hosts:
216.145.9.34
210.225.88.43
210.119.247.4
206.61.118.236

John
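
The signature described in the message above, turned into a log check. This is an added example, not part of the original post: it flags awstats.pl requests whose configdir value contains a pipe, records whether the double-slash marker is present, and separates probes answered with 404 from ones a server actually served. The function names and every sample line except the first are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return details of an awstats configdir pipe probe, or None if the line is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith("awstats.pl"):
        return None
    # Decode each value before matching so an encoded pipe (%7C) is not missed.
    params = [p.partition("=") for p in query.split("&")]
    if not any(unquote(k).lower() == "configdir" and "|" in unquote(v)
               for k, _, v in params):
        return None
    return {"host": m.group("host"),
            "time": m.group("time"),
            "double_slash": path.startswith("//"),     # marker of the script seen in the post
            "served": m.group("status").startswith("2")}  # 2xx: awstats.pl exists on this host

def summarize(lines):
    """Count probes per source host; 'served' hits deserve a closer look at the server."""
    hits = {}
    for line in lines:
        hit = classify(line)
        if hit:
            e = hits.setdefault(hit["host"], {"count": 0, "double_slash": 0, "served": 0})
            e["count"] += 1
            e["double_slash"] += int(hit["double_slash"])
            e["served"] += int(hit["served"])
    return hits

# First line is the one quoted in the message; the rest are constructed samples
# using documentation address ranges.
SAMPLE = [
    '210.119.247.4 - - [09/Mar/2005:08:33:57 -0800] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 217',
    '192.0.2.10 - - [09/Mar/2005:08:40:01 -0800] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Mar/2005:09:02:13 -0800] "GET /cgi-bin/awstats.pl?configdir=%7C%20id%20%7C HTTP/1.0" 200 311',
    '192.0.2.10 - - [09/Mar/2005:09:05:44 -0800] "GET //index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for host, stats in summarize(SAMPLE).items():
        print(host, stats)
```

Matching on the configdir pipe rather than on the double slash alone keeps the check useful if the marker is absent, while the double-slash count still shows how many hits came from the script described above.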

