RE: apache security newbie

["Vladimir Luna" <vladimir.luna () gmail com>]

Yes, sorry to say, the 'kiddies' has those kinda tools and uses it a lot
from hacked boxes to scan broadly on *all* IP's of c-blocks, etc. Best
solution is to allways keep your stuff updated. 
Due to the nature of such program i think its best not to direct anyone
to them. I would recommend you to contact the isp that was trying to get
into your box and alert them of possible intrusion into their system
thats possible being used for scan's in order to try to break into your
box. 

Sorry for my bad english.


_______________________________________
            Vladimir Luna 
    Mail: vladimir.luna () gmail com
________________________________________


> -----Original Message-----
> From: Dominik Kallusky [mailto:D.Kallusky () gmx net] 
> Sent: Tuesday, June 07, 2005 5:38 PM
> To: security-basics () securityfocus com
> Subject: RE: apache security newbie
>
>
> There are scripts, that scan for the awstats vulnerability?
> Does anyone know more about that, or has a link?
>
> > --- Ursprüngliche Nachricht ---
> > Von: "Vladimir Luna" <vladimir.luna () gmail com>
> > An: <security-basics () securityfocus com>
> > Betreff: RE: apache security newbie
> > Datum: Mon, 6 Jun 2005 18:55:41 +0200
> >
> > This seams as 'usual' scans for exploit of awstats.pl 
> > The most used exploits that i have come by is hacks done  
> on awstats.pl
> > phpbb´s and on ikonboard why its important to update these 
> often, and
> > look if some new security issue has come around regarding those.
> > regarding the phpbb; It is often a PHP/phpbb overflow 
> exploit. They gets
> > an irc bot uploaded into /tmp and uses one of the users to 
> execute it;
> > Being able to execute it using webserver nobody:nobody 
> permissions. They
> > then uses the ircbot to ddos around. 
> > Its also known that  That systems are often compromised 
> through a Remote
> > Command Execution Vulnerability in awstats 6.1: (or other 
> versions) as
> > explaned on; 
> http://www.idefense.com/application/poi/display?id=185&type=vu
lnerabilit
> ies&flashstatus=true 
>
> This last one is what it seams that they were scanning for in your
> system to try to exploit. 
> Many times the site from where the scan is being done is compromised
> machine aswell. I usally reports them back to the isp, wich i
recommend
> that you do. 
>
> Best regards, 
>
> _______________________________________
>             Vladimir Luna 
>     Mail: vladimir.luna () gmail com
> ________________________________________

-- 
Geschenkt: 3 Monate GMX ProMail gratis + 3 Ausgaben stern gratis
++ Jetzt anmelden & testen ++ http://www.gmx.net/de/go/promail ++