February 14, 2005

awexpl strikes

Filed under: Security

Just came back from holiday and reviewed the Apache log file on my home server; I noticed some wacky lines in access_log:

200.217.***.*** - - [11/Feb/2005:15:47:15 +0700] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 287

200.217.***.*** - - [11/Feb/2005:15:47:45 +0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 287

After 2 minutes of googling, I found a reference to the AWStats exploit. It looks like AWStats versions 6.2 and lower are vulnerable; version 6.3 has the fix.

Further googling turned up mentions that Infecktion Group claimed credit for many web defacements related to this AWStats vulnerability and has reported over 400 such defacements, though it is unclear how many of those, if any, used the same attack vector.
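As an added example (not part of the original post), here is a small Python scanner that walks Apache access_log lines and flags awstats.pl requests whose configdir parameter carries a shell pipe, the pattern visible in the two lines above. The sample log lines are constructed, with documentation addresses standing in for the masked IP and two benign requests added as negatives.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines modelled on the two requests quoted in the post.
# The first two reproduce the probe; the last two are benign and must not be flagged.
SAMPLE_LOG = """\
203.0.113.9 - - [11/Feb/2005:15:47:15 +0700] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 287
203.0.113.9 - - [11/Feb/2005:15:47:45 +0700] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 287
192.0.2.20 - - [11/Feb/2005:16:02:01 +0700] "GET /awstats/awstats.pl?config=home&output=main HTTP/1.1" 200 5120
192.0.2.21 - - [11/Feb/2005:16:05:11 +0700] "GET /index.html HTTP/1.1" 200 1043
"""

# Apache common log format: host ident user [time] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def query_params(uri):
    """Split the query string on '&' only; ';' is part of the payload, not a separator."""
    query = uri.partition("?")[2]
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote(key), unquote(value)))
    return params

def configdir_injection(uri):
    """Return the decoded configdir value if it contains a shell pipe, else None."""
    path = uri.partition("?")[0]
    if not path.endswith("/awstats.pl"):
        return None
    for key, value in query_params(uri):
        if key == "configdir" and "|" in value:
            return value
    return None

def scan_log(text):
    """Return (ip, timestamp, status, decoded configdir) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = configdir_injection(m.group("uri"))
        if payload is not None:
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status")), payload))
    return hits

if __name__ == "__main__":
    for ip, ts, status, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} configdir={payload!r}")
```

Both probes drew a 404 here, so they failed against this host, but the hits are still worth keeping as a record of who was scanning for AWStats.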

2 Comments

  1. heh… back to blog…. since when ???

    Comment by idon — February 14, 2005 @ 9:36 am

  2. Since he became restless again :)

    Comment by Rapa — March 13, 2005 @ 3:52 pm
