full-disclosure-uk December 2011 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: Re: [Full-disclosure] New awstats.pl vulnera

Re: [Full-disclosure] New awstats.pl vulnerability?

From: Lamar Spells <lamar.spells_at_nospam>
Date: Fri Dec 16 2011 - 19:43:34 GMT
To: Nikolay Kichukov <hijacker@oldum.net>

Here are some additional IPs and some analysis of the IPs in question.
 Looks like very few of the scanning IPs are running awstats, but many
are legitimate business running old apache versions. I am guessing
they didn't self install an awstats scanner...

http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html

On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells@gmail.com> wrote:
> Today we are also seeing requests like this one which is looking to
> exploit CVE-2008-3922:
>
> GET /awstatstotals/awstatstotals.php ?
> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>
>
>
> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker@oldum.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from.
>>
>> - -Nik
>>
>>
>>
>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>
>>>> For the past several days, I have been seeing thousands of requests
>>>> looking for awstats.pl like this one:
>>>
>>> Yeah, me too. They just started up. I haven't seen any awstats.pl
>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>> about 2011-11-22, but heavier since the start of December.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
>> =0+7+
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/