Re: awstats holes being exploited in the wild
From: John Pettitt (jpp_at_cloudview.com)
Date: 03/15/05
- Previous message: SDA: "strange software > winsupdater.exe"
- In reply to: Jeremy Anderson: "awstats holes being exploited in the wild"
- Next in thread: Skip Carter: "Re: awstats holes being exploited in the wild"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Mar 2005 13:32:23 -0800 To: Jeremy Anderson <jeremy@angelar.com>
Jeremy Anderson wrote:
>Greetings, everyone. This is my first post to the list, so please be forgiving.
>If the formatting on this is wonky, it can also be viewed at http://www.angelar.com/~jeremy/hacked.html
>
>
>On March 2nd, 2005, a server for which I am responsible received it's
>first attempted break-in via awstats, exploiting cve CAN-2005-0116 (http://www.securityfocus.com/bid/12298):
>
>
>
>
Several of my servers have been swept by awstats attacks in the last
three days from four addresses. The attack script in common use seems
to have a distinct signature in that it has a double // in GET //cgi-bin
at the start of the URL. such as
210.119.247.4 - - [09/Mar/2005:08:33:57 -0800] "GET
//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 217
Attacking hosts:
216.145.9.34
210.225.88.43
210.119.247.4
206.61.118.236
John
- Previous message: SDA: "strange software > winsupdater.exe"
- In reply to: Jeremy Anderson: "awstats holes being exploited in the wild"
- Next in thread: Skip Carter: "Re: awstats holes being exploited in the wild"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
