Full Disclosure mailing list archives
Re: New awstats.pl vulnerability?
From: Lamar Spells <lamar.spells () gmail com>
Date: Fri, 16 Dec 2011 13:43:34 -0600
Here are some additional IPs and some analysis of the IPs in question. Looks like very few of the scanning IPs are running awstats, but many are legitimate business running old apache versions. I am guessing they didn't self install an awstats scanner... http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells () gmail com> wrote:
Today we are also seeing requests like this one which is looking to exploit CVE-2008-3922: GET /awstatstotals/awstatstotals.php ? sort={${passthru(chr(105).chr(100))}}{${exit()}} On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker () oldum net> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from. - -Nik On 12/13/2011 07:30 AM, Bruce Ediger wrote:On Mon, 12 Dec 2011, Lamar Spells wrote:For the past several days, I have been seeing thousands of requests looking for awstats.pl like this one:Yeah, me too. They just started up. I haven't seen any awstats.pl requests since 2010-05-18, and now I've gotten batches of them, since about 2011-11-22, but heavier since the start of December. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9 t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY= =0+7+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New awstats.pl vulnerability? Lamar Spells (Dec 12)
- Re: New awstats.pl vulnerability? Grandma Eubanks (Dec 12)
- Re: New awstats.pl vulnerability? Bruce Ediger (Dec 12)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 13)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 16)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 22)
- Re: New awstats.pl vulnerability? james (Dec 22)
- Re: New awstats.pl vulnerability? xD 0x41 (Dec 23)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)