Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: New awstats.pl vulnerability?

From: xD 0x41 <secn3t () gmail com>
Date: Fri, 23 Dec 2011 19:21:33 +1100
I am really curious as to the motivation of the parties deploying
these types of scans.  I understand that they would like to find
vulnerable systems to compromise... but for what purpose?  S

dor what ?

Mainly the smarter ones, are, not malign, non botters, and dont use
these shit systems to make money but, many poorer countries, this can
make even, a small amount, with rooted boxes also, you have the power
to charge a sip call for example...to an isp...and they would, as
usually..bill it... but, it seems, anything thats new/big, is being
scanned, its simple..one engine, MANY addons :P
siimple formula, to exploit tonnes, of thousdands, of hosts...and, i
have seen many public lists ranging upto 50-100megs of ips all
vuln...fullnily, most of amazon aws 50. range is pwned...phpmyadmini
believe..hehe....wen will ppl learn...security is a MUST, not an item
to be glanced at and, presumed over for 100days..it has to be
fast,responsive,and knows what todo..so,.. buy into immunity :P~~
lol... i know many others are using this to fuzz...great fopr mass
fuzzing to i hear...altho then. acutenix could be obtained freely,
and, made to look pro...so i guess..is lesser of the evils...ones 20
grand with a few addons, ones free... ill take both :P




On 23 December 2011 18:34,  <james () zero-internet org uk> wrote:

From analysis on compromised sites I've been receiving abuse messages for at $day_job they're launched from irc bots 
on compromised servers, mainly cpanel- cpanel is cool for novices but skimps on security out of the box.


Will dig out some signatures when I get into the office.

Sent from my BlackBerry® wireless device

-----Original Message-----
From: Lamar Spells <lamar.spells () gmail com>
Sender: full-disclosure-bounces () lists grok org uk
Date: Thu, 22 Dec 2011 23:23:11
To: Nikolay Kichukov<hijacker () oldum net>
Cc: <full-disclosure () lists grok org uk>
Subject: Re: [Full-disclosure] New awstats.pl vulnerability?

Here is an update on this:

Over the past week, we have seen the awstats activity continue, but
morph to include other vulnerabilities.  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
-- but the summary is that we have seen activity change to include
Local File Inclusion and command injection in phpAlbum and other
components written in PHP.

We started seeing today some activity related to phpthumb and
CVE-2010-1598...  Details of this are at
http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html

I am really curious as to the motivation of the parties deploying
these types of scans.  I understand that they would like to find
vulnerable systems to compromise... but for what purpose?  Sending
spam?  So far, based on what I am seeing, it looks like they are
compromising systems just to have those systems look for more systems
to compromise.  At this point, I have to assume that they are still in
the construction and building phase...

On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells () gmail com> wrote:

Here are some additional IPs and some analysis of the IPs in question.
 Looks like very few of the scanning IPs are running awstats, but many
are legitimate business running old apache versions.  I am guessing
they didn't self install an awstats scanner...

http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html


On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells () gmail com> wrote:

Today we are also seeing requests like this one which is looking to
exploit CVE-2008-3922:

GET /awstatstotals/awstatstotals.php ?
sort={${passthru(chr(105).chr(100))}}{${exit()}}



On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker () oldum net> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from.

- -Nik



On 12/13/2011 07:30 AM, Bruce Ediger wrote:

On Mon, 12 Dec 2011, Lamar Spells wrote:


For the past several days, I have been seeing thousands of requests
looking for awstats.pl like this one:


Yeah, me too.  They just started up.  I haven't seen any awstats.pl
requests since 2010-05-18, and now I've gotten batches of them, since
about 2011-11-22, but heavier since the start of December.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
=0+7+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: