Full Disclosure mailing list archives
Re: New awstats.pl vulnerability?
From: xD 0x41 <secn3t () gmail com>
Date: Fri, 23 Dec 2011 19:21:33 +1100
I am really curious as to the motivation of the parties deploying these types of scans. I understand that they would like to find vulnerable systems to compromise... but for what purpose? S dor what ? Mainly the smarter ones, are, not malign, non botters, and dont use these shit systems to make money but, many poorer countries, this can make even, a small amount, with rooted boxes also, you have the power to charge a sip call for example...to an isp...and they would, as usually..bill it... but, it seems, anything thats new/big, is being scanned, its simple..one engine, MANY addons :P siimple formula, to exploit tonnes, of thousdands, of hosts...and, i have seen many public lists ranging upto 50-100megs of ips all vuln...fullnily, most of amazon aws 50. range is pwned...phpmyadmini believe..hehe....wen will ppl learn...security is a MUST, not an item to be glanced at and, presumed over for 100days..it has to be fast,responsive,and knows what todo..so,.. buy into immunity :P~~ lol... i know many others are using this to fuzz...great fopr mass fuzzing to i hear...altho then. acutenix could be obtained freely, and, made to look pro...so i guess..is lesser of the evils...ones 20 grand with a few addons, ones free... ill take both :P On 23 December 2011 18:34, <james () zero-internet org uk> wrote:
From analysis on compromised sites I've been receiving abuse messages for at $day_job they're launched from irc bots on compromised servers, mainly cpanel- cpanel is cool for novices but skimps on security out of the box.Will dig out some signatures when I get into the office. Sent from my BlackBerry® wireless device -----Original Message----- From: Lamar Spells <lamar.spells () gmail com> Sender: full-disclosure-bounces () lists grok org uk Date: Thu, 22 Dec 2011 23:23:11 To: Nikolay Kichukov<hijacker () oldum net> Cc: <full-disclosure () lists grok org uk> Subject: Re: [Full-disclosure] New awstats.pl vulnerability? Here is an update on this: Over the past week, we have seen the awstats activity continue, but morph to include other vulnerabilities. Details of this are at http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html -- but the summary is that we have seen activity change to include Local File Inclusion and command injection in phpAlbum and other components written in PHP. We started seeing today some activity related to phpthumb and CVE-2010-1598... Details of this are at http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html I am really curious as to the motivation of the parties deploying these types of scans. I understand that they would like to find vulnerable systems to compromise... but for what purpose? Sending spam? So far, based on what I am seeing, it looks like they are compromising systems just to have those systems look for more systems to compromise. At this point, I have to assume that they are still in the construction and building phase... On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells () gmail com> wrote:Here are some additional IPs and some analysis of the IPs in question. Looks like very few of the scanning IPs are running awstats, but many are legitimate business running old apache versions. I am guessing they didn't self install an awstats scanner... http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells () gmail com> wrote:Today we are also seeing requests like this one which is looking to exploit CVE-2008-3922: GET /awstatstotals/awstatstotals.php ? sort={${passthru(chr(105).chr(100))}}{${exit()}} On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker () oldum net> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from. - -Nik On 12/13/2011 07:30 AM, Bruce Ediger wrote:On Mon, 12 Dec 2011, Lamar Spells wrote:For the past several days, I have been seeing thousands of requests looking for awstats.pl like this one:Yeah, me too. They just started up. I haven't seen any awstats.pl requests since 2010-05-18, and now I've gotten batches of them, since about 2011-11-22, but heavier since the start of December. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9 t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY= =0+7+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- New awstats.pl vulnerability? Lamar Spells (Dec 12)
- Re: New awstats.pl vulnerability? Grandma Eubanks (Dec 12)
- Re: New awstats.pl vulnerability? Bruce Ediger (Dec 12)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 13)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 16)
- Re: New awstats.pl vulnerability? Lamar Spells (Dec 22)
- Re: New awstats.pl vulnerability? james (Dec 22)
- Re: New awstats.pl vulnerability? xD 0x41 (Dec 23)
- Re: New awstats.pl vulnerability? Nikolay Kichukov (Dec 12)