| Author |
Message |
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
 Posted:
Tue Feb 08, 2005 2:49 am |
|
To digress, here's a new one for you... 
Code:
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com [L]
|
I was just looking at my logs and noticed someone tried to run a remote AWStats exploit against my site on 2 Feb. This is what an AWStats exploit looks like in the wild...
Code:
201.11.17.119 - - [02/Feb/2005:10:53:49 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;e cho| HTTP/1.0" 302 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
|
Extra Credit: phpBB Site Cracked, Developers Locked Out |
_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::. |
|
 
 |
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Tue Feb 08, 2005 6:23 am |
|
Wow! You certainly know how to get my attention in the morning! Thanks Vin! |
| |
|
|
|
|
Mesum
Useless
Joined: Aug 23, 2002
Posts: 213
Location: Chicago
|
| Posted:
Tue Feb 08, 2005 2:49 pm |
|
|
|
|
|
Raven
|
| Posted:
Tue Feb 08, 2005 2:54 pm |
|
All of it. Mine was for Santy - his is for the AWStats exploit. |
| |
|
|
|
|
speedx
Hangin' Around
Joined: May 27, 2004
Posts: 42
|
| Posted:
Tue Feb 08, 2005 5:44 pm |
|
Ok let me ask a question in my news/html dir I have my htaccess file do i put in
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L]
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L]
Thanks for the reply .. didnt know this was going on until I saw the post on the main page. Also what access should the htaccess file be ? 666 / 777 ? |
| |
|
|
|
|
Raven
|
| Posted:
Tue Feb 08, 2005 5:52 pm |
|
Combine it all:
Code:RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC,OR]
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L]
|
666 is fine. |
| |
|
|
|
|
speedx
|
| Posted:
Tue Feb 08, 2005 6:26 pm |
|
so all my htaccess file has in it is this... is that all that should be in it?
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC,OR]
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ [ Only registered users can see links on this board! Get registered or login! ] [L] |
| |
|
|
|
|
Raven
|
| Posted:
Tue Feb 08, 2005 6:56 pm |
|
Well, that covers these attacks. It may or may not have other stuff in it. |
| |
|
|
|
|
speedx
|
| Posted:
Tue Feb 08, 2005 7:06 pm |
|
Ya mine has nothing else in it. That is what Im askin should it have other security stuff in it? |
| |
|
|
|
|
Raven
|
| Posted:
Tue Feb 08, 2005 8:55 pm |
|
For the details on this attack and who is behind it, see [ Only registered users can see links on this board! Get registered or login! ] |
| |
|
|
|
|
darksied
Hangin' Around
Joined: Jan 27, 2004
Posts: 25
Location: New Jersey
|
| Posted:
Wed Feb 09, 2005 11:20 am |
|
One quick question what program are you guys using to read your logs. |
| |
|
|
|
Susann
Moderator
Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support
|
| Posted:
Wed Feb 09, 2005 11:56 am |
|
Since more than a year I use for all my websites awstats. But now I think its better change to another program. I found this in my logs:
65.11.146.205 - - [07/Feb/2005:22:48:00 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" |
| |
|
|
|
|
PHrEEkie
Subject Matter Expert
Joined: Feb 23, 2004
Posts: 358
|
| Posted:
Wed Feb 09, 2005 12:50 pm |
|
There is an upgrade to awstats available, which is patched against this (this vuln came out originally around the middle of Jan, so it's fairly old news).
As well, there are several 'fixes' posted on the sourceforge site if you don't want to fool with a full upgrade.
This vuln only affects awstats run in CGI mode and which have AllowToUpdateStatsFromBrowser enabled. If you load awstats and there is a button allowing you to update your stats right then and there, you may be vulnerable. Setting this (in awstats.conf) to '0' instead of '1' is the quickest fix. 2nd quickest fix is a small modification to the awstats.pl code, then you can activate browser updating again. 3rd solution is full upgrade (recommended). No need to switch stats programs, this is a pretty minor fix...
[ Only registered users can see links on this board! Get registered or login! ]
PHrEEk |
| |
|
|
|
|
VinDSL
|
| Posted:
Thu Feb 10, 2005 12:58 am |
|
| darksied wrote: | | One quick question what program are you guys using to read your logs. |
I use a diminutive proggie called 'Winsyntax 2.0'. As a matter of fact, I use it for all programming/editing/viewing tasks - basically, everything except HTML and CSS (although you CAN use it for these too).
You can download it from my site:
[ Only registered users can see links on this board! Get registered or login! ] |
| |
|
|
|
|
Susann
|
| Posted:
Thu Feb 10, 2005 10:20 am |
|
@ PHrEEkie
Thanks for your information. My AWStats has been updated now to 6.3 |
| |
|
|
|
|
BohrMe
Hangin' Around
Joined: May 01, 2004
Posts: 28
Location: Fall River, MA
|
| Posted:
Thu Feb 10, 2005 2:24 pm |
|
I just use vi or vim depending on which OS I'm in at the time. It gets the job done. |
_________________
BohrMe
eSnider.net |
|
|
|
|
BohrMe
|
| Posted:
Thu Feb 10, 2005 10:15 pm |
|
Is there a safe check one can perform to ensure AWStats is safe?
Nevermind... |
| |
|
|
|
|
MrFluffy
Hangin' Around
Joined: Jun 24, 2004
Posts: 28
Location: Berlin
|
| Posted:
Fri Feb 11, 2005 1:34 pm |
|
| Susann wrote: | Since more than a year I use for all my websites awstats. But now I think its better change to another program. I found this in my logs:
65.11.146.205 - - [07/Feb/2005:22:48:00 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)" |
| Susann wrote: | @ PHrEEkie
Thanks for your information. My AWStats has been updated now to 6.3 |
Don't want to spoil your fun here too, but it's not really necessary to keep people busy. We already discussed that at the 7th on my site, expressly talked about the vulnerability in AWStats and you yourself posted the link to the update in my forums...
Also the question you posted here in another thread about 'illegal content' caused by the term highlight in the url was answered to you on my site on the 23rd of january already.
Is it really necessary? Sorry, but I hate to see people's time getting wasted. |
_________________
cu,
MrFluffy
 |
|
 |
|
Raven
|
| Posted:
Fri Feb 11, 2005 1:46 pm |
|
Help clear up, to me, what you are referring to? |
| |
|
|
|
|
MrFluffy
|
| Posted:
Fri Feb 11, 2005 2:11 pm |
|
Sorry, forgot to adress Susann directly, most of her recent posts here are just made for fun I guess. Asking questions she got answers for long before on other forums is a little ridiculous I think and just wasting your precious time. She herself posted the AWStats topic and update link on my forums days before her posts here. That's at least strange. You answered her question about the 'illegal content' message yesterday exactly as I answered it to her over two weeks ago...
So I'm not sure what her intentions are, but it's definitely not getting answers or help. |
| |
|
|
|
|
Raven
|
| Posted:
Fri Feb 11, 2005 4:54 pm |
|
Possibly, but maybe she just wanted confirmation? Anyway, she can speak for herself. I don't want this to turn into an argument though  |
| |
|
|
|
|
Susann
|
| Posted:
Fri Feb 11, 2005 7:09 pm |
|
Hello
Okay here are some clarifications:
@ Mr Fluffy
I'm sorry but it seems you have forgotten one thing: You denied access to your forum for me (Just for fun?)
My last posting in your forum about phpbb.com offline has nothing to do with this one. At least not directly. I just answered to the question of darksied! (Thinking about changing to another tool). The question about the illegal content in the AB Tracked menu of sentinel just recently evolved.
I haven't got the time for fun-postings, either. This is a serious question, from which i hoped to get the answer in your forum. But that didn't happen completely... 
So why shouldn't i post it here?
Cheers,
Susann |
| |
|
|
|
|
MrFluffy
|
| Posted:
Fri Feb 11, 2005 7:28 pm |
|
Ok last word from me to that topic.. Yes, I banned you from my forums because of such fun postings as those I now find here (You are the only user that ever managed to be kicked from my site).
Fact, you knew very well about the AWStats topic and posted in my forums that you solved it by updating and gave the link to sourceforge yourself (that was two days before your post here).
You asked me on my forums why you got 'illegal content' messages on certain links, although you already made the $id/santy worm filter fix, exactly the same as here two days ago, that was on the 23rd of january. You got exactly the same answer as you got here.
So either you have a very bad memory or you just like to see your name in forums and like to keep people busy. |
| |
|
|
|
|
Susann
|
| Posted:
Wed Feb 16, 2005 6:47 am |
|
Possible, that I can`t remember all of my 401 posts about php-nuke in
your forum. But I remember the reasons why I posted the topic "phpBB.com
offline" there very well.
In the morning of 7 th February I found in my seo forum the headlines
"phpbb.com hacked". At phpBB.com I couldn't find the exact reasons,
only something about polical hackers. (Dont know what that means
exactly...) So I came to your forum. But no answer, instead: "Ja, was
könnten die da wohl meinen, was statt phpbb das Angriffsziel ist?"
Besides irony, this is not a valuable information to me and i think
also to the others.
Only the post from another user with the link to phpBB.de was useful
for me. But couldn't find more about the awstats security whole.
After googleing i found more information.
[ Only registered users can see links on this board! Get registered or login! ]
I posted that information in your forum:
The link, what to do with the config.dir from awstats etc.
But ok, feel free to delete all my posts in your forum ! ! |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
