-Original Message-
From: Lamar Spells
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Thu, 22 Dec 2011 23:23:11
To: Nikolay Kichukov
Cc:
Subject: Re: [Full-disclosure] New awstats.pl vulnerability?
Here is an update on this:
Over the past week, we have seen the awstats activity continue, but
morph to include other vulnerabilities. Details of this are at
http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html
-- but the summary is that we have seen activity ch
Here are some additional IPs and some analysis of the IPs in question.
Looks like very few of the scanning IPs are running awstats, but many
are legitimate businesses running old Apache versions. I am guessing
they didn't self install an awstats scanner...
http://foxtrot7security.blogspot.com/2011
Today we are also seeing requests like this one which is looking to
exploit CVE-2008-3922:
GET /awstatstotals/awstatstotals.php ?
sort={${passthru(chr(105).chr(100))}}{${exit()}}
On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov wrote:
Same here, I even tried to notify a bunch of the ISP registrators of the IP
address range those originated from.
- -Nik
On 12/13/2011 07:30 AM, Bruce Ediger wrote:
On Mon, 12 Dec 2011, Lamar Spells wrote:
> For the past several days, I have been seeing thousands of requests
> looking for awstats.pl like this one:
Yeah, me too. They just started up. I haven't seen any awstats.pl
requests since 2010-05-18, and now I've gotten batches of them, since
about 20
Hello,
It certainly happens. It's very random who scanners decide to hit. You may
have JUST been crawled and passed around several lists as possibilities. To
put some perspective on what you're seeing, the company I work for has
about 3k clients and within the past hour (just checked now), we got
For the past several days, I have been seeing thousands of requests
looking for awstats.pl like this one:
GET /awstats/awstats.pl ? configdir=|echo;echo YYYAAZ;uname;id;echo YYY;echo|
I am dropping these requests due to previous (and very old) issues
with awstats (see CVE-2006-3682).
But this le
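
The two request shapes quoted in this thread (a pipe character in configdir for awstats.pl, and a ${...} expression in sort for awstatstotals.php) can be flagged in web server access logs. The script below is an added example, not code from any poster in the thread; it assumes Apache common/combined log format, and the rule ids, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, unquote_plus

# Assumed input: Apache common/combined log format (client IP first, request line quoted).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>.*?) HTTP/[\d.]+"')

# Hypothetical rule ids: (id, script path, parameter, pattern on the decoded value).
RULES = [
    # Pipe in configdir, the shape quoted in the thread for awstats.pl.
    ("awstats-configdir-pipe", re.compile(r"/awstats\.pl$", re.I),
     "configdir", re.compile(r"\|")),
    # PHP "${...}" expression in sort, the shape quoted for awstatstotals.php.
    ("awstatstotals-sort-eval", re.compile(r"/awstatstotals\.php$", re.I),
     "sort", re.compile(r"\$\{|\{\$")),
]

def query_params(query):
    """Split a raw query string on '&' and percent-decode names and values once."""
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name).strip().lower(), []).append(unquote_plus(value))
    return params

def classify(target):
    """Return the ids of every rule matched by one request target."""
    path, _, query = target.partition("?")
    path, params = unquote(path).strip(), query_params(query)
    return [rule_id for rule_id, path_re, name, value_re in RULES
            if path_re.search(path)
            and any(value_re.search(v) for v in params.get(name, []))]

def scan(lines):
    """Return (client_ip, rule_id) for each matching access-log line."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m:
            findings += [(m.group("ip"), rid) for rid in classify(m.group("target"))]
    return findings

# Constructed sample log lines (documentation IP ranges), not taken from the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2011:07:30:01 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1" 404 209',
    '192.0.2.11 - - [22/Dec/2011:23:20:44 +0000] "GET /awstatstotals/awstatstotals.php?sort=%7B%24%7Bpassthru(chr(105).chr(100))%7D%7D%7B%24%7Bexit()%7D%7D HTTP/1.1" 404 221',
    '198.51.100.7 - - [22/Dec/2011:23:21:02 +0000] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, rule_id in scan(SAMPLE_LOG):
        print(ip, rule_id)
```

Values are percent-decoded only once, so a double-encoded parameter would need a second decoding pass before matching.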