SecurityFocus

awstats holes being exploited in the wild Mar 15 2005 07:55PM
Jeremy Anderson (jeremy angelar com) (2 replies)

Re: awstats holes being exploited in the wild Mar 15 2005 10:01PM
Skip Carter (skip mira taygeta com)

Re: awstats holes being exploited in the wild Mar 15 2005 09:32PM
John Pettitt (jpp cloudview com)

Jeremy Anderson wrote:

>Greetings, everyone. This is my first post to the list, so please be forgiving.
>If the formatting on this is wonky, it can also be viewed at http://www.angelar.com/~jeremy/hacked.html
>
>
>On March 2nd, 2005, a server for which I am responsible received it's
>first attempted break-in via awstats, exploiting cve CAN-2005-0116 (http://www.securityfocus.com/bid/12298):
>
>
>
>
Several of my servers have been swept by awstats attacks in the last
three days from four addresses. The attack script in common use seems
to have a distinct signature in that it has a double // in GET //cgi-bin
at the start of the URL. such as

210.119.247.4 - - [09/Mar/2005:08:33:57 -0800] "GET
//cgi-bin/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 217

Attacking hosts:
216.145.9.34
210.225.88.43
210.119.247.4
206.61.118.236

John

[ reply ]