Package: webalizer
Followup-For: Bug #622897

Moritz, I believe that the initial attack was through webalizer because 
the path /var/www/.webalizer contained php injections which gave the 
attackers their initial shell, which was first used to host a phishing 
form which was also under /var/www/webalizer - whereas the production 
site on the host was under /[redacted]/[redacted], under which no files 
were added, removed, or modified.

I'm not sure what you mean by "recent years"; but my own research showed 
a widely-exploited security bug in Webalizer in 2009 which I sincerely 
hope was either fixed by the upstream maintainers, or at least patched 
in Debian's repos.  If it's that bug... well, dear lord, please let's 
get that patched, it's been two years already? =)

Ref: 
http://news.softpedia.com/news/Webalizer-Bug-Possibly-Leading-to-Mass-Web-Compromise-119983.shtml

... or at LEAST let's fix the installation process so that it doesn't 
silently expose itself on the default site.

I still use webalizer on some very high-traffic sites because I don't 
know of any other packages which can scale linearly to handle VERY high 
levels of traffic - one client of mine generates about 40G of Apache 
logs per day on app servers alone; webalizer's the only thing I know of 
that can handle that volume.

-- System Information:
Debian Release: 5.0.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages webalizer depends on:
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libc6           2.7-18lenny7             GNU C Library: Shared libraries
ii  libdb4.5        4.5.20-13                Berkeley v4.5 Database Libraries [
ii  libgd2-xpm      2.0.36~rc1~dfsg-3+lenny1 GD Graphics Library version 2
ii  libgeoip1       1.4.4.dfsg-3+lenny1      A non-DNS IP-to-country resolver l
ii  libpng12-0      1.2.27-2+lenny4          PNG library - runtime
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

webalizer recommends no packages.

Versions of packages webalizer suggests:
ii  apache2-mpm-prefork [htt 2.2.9-10+lenny9 Apache HTTP Server - traditional n
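
An added example, not the reporter's or the webalizer package's code: the kind of integrity check a host in this situation wants, auditing the webalizer output directory for files webalizer itself would not write (such as the injected PHP described above). The set of expected file extensions and the constructed sample tree are my assumptions.

```python
"""Audit a webalizer output directory for files webalizer would not produce."""
import os
import tempfile

# Assumption: webalizer only writes these file types into its output directory.
EXPECTED_SUFFIXES = {".html", ".png", ".hist", ".current"}
PHP_TAG = b"<?php"


def audit_webalizer_dir(path):
    """Return sorted (relative_path, reason) tuples for files needing review."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path)
            suffix = os.path.splitext(name)[1].lower()
            if suffix not in EXPECTED_SUFFIXES:
                findings.append((rel, "unexpected file type %s" % (suffix or "(none)")))
                continue
            # A report with the right extension can still carry injected code.
            with open(full, "rb") as fh:
                if PHP_TAG in fh.read():
                    findings.append((rel, "contains PHP open tag"))
    return sorted(findings)


def build_constructed_tree(base):
    """Populate base with a constructed sample: normal reports plus two planted files."""
    sample = {
        "index.html": b"<html>Usage statistics</html>",
        "usage_201104.html": b"<html>April 2011</html>",
        "usage_201104.png": b"\x89PNG\r\n\x1a\n",
        "webalizer.hist": b"4 2011 100 200 300 400 500 600 1 30",
        # Planted placeholders standing in for the injected files the report describes.
        "login.php": b"<?php /* constructed placeholder, not a real payload */ ?>",
        "usage_201103.html": b"<html>March 2011</html><?php /* placeholder */ ?>",
    }
    for name, body in sample.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp directory and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return audit_webalizer_dir(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%s: %s" % (rel, reason))
```

Run it against the real output directory (for example /var/www/.webalizer from the report) by calling audit_webalizer_dir on that path; anything it lists is a file webalizer did not put there.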
