Full Disclosure mailing list archives
Re: New awstats.pl vulnerability?
From: james () zero-internet org uk
Date: Fri, 23 Dec 2011 07:34:51 +0000
From analysis on compromised sites I've been receiving abuse messages for at $day_job they're launched from irc bots on compromised servers, mainly cpanel- cpanel is cool for novices but skimps on security out of the box.
Will dig out some signatures when I get into the office. Sent from my BlackBerry® wireless device -----Original Message----- From: Lamar Spells <lamar.spells () gmail com> Sender: full-disclosure-bounces () lists grok org uk Date: Thu, 22 Dec 2011 23:23:11 To: Nikolay Kichukov<hijacker () oldum net> Cc: <full-disclosure () lists grok org uk> Subject: Re: [Full-disclosure] New awstats.pl vulnerability? Here is an update on this: Over the past week, we have seen the awstats activity continue, but morph to include other vulnerabilities. Details of this are at http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html -- but the summary is that we have seen activity change to include Local File Inclusion and command injection in phpAlbum and other components written in PHP. We started seeing today some activity related to phpthumb and CVE-2010-1598... Details of this are at http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html I am really curious as to the motivation of the parties deploying these types of scans. I understand that they would like to find vulnerable systems to compromise... but for what purpose? Sending spam? So far, based on what I am seeing, it looks like they are compromising systems just to have those systems look for more systems to compromise. At this point, I have to assume that they are still in the construction and building phase... On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells () gmail com> wrote:
Here are some additional IPs and some analysis of the IPs in question. Looks like very few of the scanning IPs are running awstats, but many are legitimate business running old apache versions. I am guessing they didn't self install an awstats scanner... http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells () gmail com> wrote:Today we are also seeing requests like this one which is looking to exploit CVE-2008-3922: GET /awstatstotals/awstatstotals.php ? sort={${passthru(chr(105).chr(100))}}{${exit()}} On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker () oldum net> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from. - -Nik On 12/13/2011 07:30 AM, Bruce Ediger wrote:On Mon, 12 Dec 2011, Lamar Spells wrote:For the past several days, I have been seeing thousands of requests looking for awstats.pl like this one:Yeah, me too. They just started up. I haven't seen any awstats.pl requests since 2010-05-18, and now I've gotten batches of them, since about 2011-11-22, but heavier since the start of December. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9 t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY= =0+7+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New awstats.pl vulnerability? Lamar Spells (Dec 12)
- Re: New awstats.pl vulnerability? Grandma Eubanks (Dec 12)
- Re: New awstats.pl vulnerability? Bruce Ediger (Dec 12)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 13)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 16)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 22)
- Re: New awstats.pl vulnerability? james (Dec 22)
- Re: New awstats.pl vulnerability? xD 0x41 (Dec 23)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)