Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

PostPosted: Tue Feb 08, 2005 2:49 am Reply with quote

To digress, here's a new one for you... Wink

Code:


#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*)          [NC]
RewriteRule ^.*$ http://www.goawayanddontcomeback.com   [L]



I was just looking at my logs and noticed someone tried to run a remote AWStats exploit against my site on 2 Feb. This is what an Only registered users can see links on this board! Get registered or login! looks like in the wild...

Code:


201.11.17.119 - - [02/Feb/2005:10:53:49 -0600] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;e  cho| HTTP/1.0" 302 329 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"



Extra Credit: Only registered users can see links on this board! Get registered or login!

_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: Only registered users can see links on this board! Get registered or login! | Only registered users can see links on this board! Get registered or login! ::. 
View user's profile Send private message Visit poster's website ICQ Number
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Tue Feb 08, 2005 6:23 am Reply with quote

Wow! You certainly know how to get my attention in the morning! Thanks Vin!
 
View user's profile Send private message
Mesum
Useless


Joined: Aug 23, 2002
Posts: 213
Location: Chicago

PostPosted: Tue Feb 08, 2005 2:49 pm Reply with quote

Should we use the code you have posted on the very first post of this thread or the one VinDSL posted?

_________________
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Tue Feb 08, 2005 2:54 pm Reply with quote

All of it. Mine was for Santy - his is for the AWStats exploit.
 
speedx
Hangin' Around


Joined: May 27, 2004
Posts: 42

PostPosted: Tue Feb 08, 2005 5:44 pm Reply with quote

Ok let me ask a question in my news/html dir I have my htaccess file do i put in

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]

#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]

Thanks for the reply .. didnt know this was going on until I saw the post on the main page. Also what access should the htaccess file be ? 666 / 777 ?
 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Tue Feb 08, 2005 5:52 pm Reply with quote

Combine it all:
Code:
RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR] 

RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC,OR]
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]

666 is fine.
 
speedx
PostPosted: Tue Feb 08, 2005 6:26 pm Reply with quote

so all my htaccess file has in it is this... is that all that should be in it?

RewriteCond %{HTTP_USER_AGENT} ^LWP [NC,OR]
RewriteCond %{REQUEST_URI} ^visualcoders [NC,OR]
RewriteCond %{REQUEST_URI} ^envidiosos [NC,OR]
RewriteCond %{REQUEST_URI} ^civa [NC,OR]
RewriteCond %{REQUEST_URI} ^filepack.superbr.org [NC,OR]
RewriteCond %{QUERY_STRING} rush=([^&]+) [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)wget(.*) [NC,OR]
#Check for AWStats exploits and redirect them to a phantom site
RewriteCond %{QUERY_STRING} ^(.*)configdir(.*) [NC]
RewriteRule ^.*$ Only registered users can see links on this board! Get registered or login! [L]
 
Raven
PostPosted: Tue Feb 08, 2005 6:56 pm Reply with quote

Well, that covers these attacks. It may or may not have other stuff in it.
 
speedx
PostPosted: Tue Feb 08, 2005 7:06 pm Reply with quote

Ya mine has nothing else in it. That is what Im askin should it have other security stuff in it?
 
Raven
PostPosted: Tue Feb 08, 2005 8:55 pm Reply with quote

For the details on this attack and who is behind it, see Only registered users can see links on this board! Get registered or login!
 
darksied
Hangin' Around


Joined: Jan 27, 2004
Posts: 25
Location: New Jersey

PostPosted: Wed Feb 09, 2005 11:20 am Reply with quote

One quick question what program are you guys using to read your logs.
 
View user's profile Send private message Visit poster's website AIM Address
Susann
Moderator


Joined: Dec 19, 2004
Posts: 3191
Location: Germany:Moderator German NukeSentinel Support

PostPosted: Wed Feb 09, 2005 11:56 am Reply with quote

Since more than a year I use for all my websites awstats. But now I think its better change to another program. I found this in my logs:

65.11.146.205 - - [07/Feb/2005:22:48:00 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
 
View user's profile Send private message
PHrEEkie
Subject Matter Expert


Joined: Feb 23, 2004
Posts: 358

PostPosted: Wed Feb 09, 2005 12:50 pm Reply with quote

There is an upgrade to awstats available, which is patched against this (this vuln came out originally around the middle of Jan, so it's fairly old news).

As well, there are several 'fixes' posted on the sourceforge site if you don't want to fool with a full upgrade.

This vuln only affects awstats run in CGI mode and which have AllowToUpdateStatsFromBrowser enabled. If you load awstats and there is a button allowing you to update your stats right then and there, you may be vulnerable. Setting this (in awstats.conf) to '0' instead of '1' is the quickest fix. 2nd quickest fix is a small modification to the awstats.pl code, then you can activate browser updating again. 3rd solution is full upgrade (recommended). No need to switch stats programs, this is a pretty minor fix...
Only registered users can see links on this board! Get registered or login!

PHrEEk
 
View user's profile Send private message
VinDSL
PostPosted: Thu Feb 10, 2005 12:58 am Reply with quote

darksied wrote:
One quick question what program are you guys using to read your logs.

I use a diminutive proggie called 'Winsyntax 2.0'. As a matter of fact, I use it for all programming/editing/viewing tasks - basically, everything except HTML and CSS (although you CAN use it for these too).

You can download it from my site: Only registered users can see links on this board! Get registered or login!
 
Susann
PostPosted: Thu Feb 10, 2005 10:20 am Reply with quote

@ PHrEEkie

Thanks for your information. My AWStats has been updated now to 6.3
 
BohrMe
Hangin' Around


Joined: May 01, 2004
Posts: 28
Location: Fall River, MA

PostPosted: Thu Feb 10, 2005 2:24 pm Reply with quote

I just use vi or vim depending on which OS I'm in at the time. It gets the job done.

_________________
BohrMe
eSnider.net 
View user's profile Send private message Visit poster's website
BohrMe
PostPosted: Thu Feb 10, 2005 10:15 pm Reply with quote

Is there a safe check one can perform to ensure AWStats is safe?

Nevermind...
 
MrFluffy
Hangin' Around


Joined: Jun 24, 2004
Posts: 28
Location: Berlin

PostPosted: Fri Feb 11, 2005 1:34 pm Reply with quote

Susann wrote:
Since more than a year I use for all my websites awstats. But now I think its better change to another program. I found this in my logs:

65.11.146.205 - - [07/Feb/2005:22:48:00 +0100] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 404 290 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"


Susann wrote:
@ PHrEEkie

Thanks for your information. My AWStats has been updated now to 6.3


Don't want to spoil your fun here too, but it's not really necessary to keep people busy. We already discussed that at the 7th on my site, expressly talked about the vulnerability in AWStats and you yourself posted the link to the update in my forums...
Also the question you posted here in another thread about 'illegal content' caused by the term highlight in the url was answered to you on my site on the 23rd of january already.
Is it really necessary? Sorry, but I hate to see people's time getting wasted.

_________________
cu,
MrFluffy

Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
Raven
PostPosted: Fri Feb 11, 2005 1:46 pm Reply with quote

Help clear up, to me, what you are referring to?
 
MrFluffy
PostPosted: Fri Feb 11, 2005 2:11 pm Reply with quote

Sorry, forgot to adress Susann directly, most of her recent posts here are just made for fun I guess. Asking questions she got answers for long before on other forums is a little ridiculous I think and just wasting your precious time. She herself posted the AWStats topic and update link on my forums days before her posts here. That's at least strange. You answered her question about the 'illegal content' message yesterday exactly as I answered it to her over two weeks ago...
So I'm not sure what her intentions are, but it's definitely not getting answers or help.
 
Raven
PostPosted: Fri Feb 11, 2005 4:54 pm Reply with quote

Possibly, but maybe she just wanted confirmation? Anyway, she can speak for herself. I don't want this to turn into an argument though Smile
 
Susann
PostPosted: Fri Feb 11, 2005 7:09 pm Reply with quote

Hello

Okay here are some clarifications:

@ Mr Fluffy

I'm sorry but it seems you have forgotten one thing: You denied access to your forum for me (Just for fun?)

My last posting in your forum about phpbb.com offline has nothing to do with this one. At least not directly. I just answered to the question of darksied! (Thinking about changing to another tool). The question about the illegal content in the AB Tracked menu of sentinel just recently evolved.

I haven't got the time for fun-postings, either. This is a serious question, from which i hoped to get the answer in your forum. But that didn't happen completely... Sad
So why shouldn't i post it here?

Cheers,

Susann
 
MrFluffy
PostPosted: Fri Feb 11, 2005 7:28 pm Reply with quote

Ok last word from me to that topic.. Yes, I banned you from my forums because of such fun postings as those I now find here (You are the only user that ever managed to be kicked from my site).
Fact, you knew very well about the AWStats topic and posted in my forums that you solved it by updating and gave the link to sourceforge yourself (that was Only registered users can see links on this board! Get registered or login! your post here).
You asked me on my forums why you got 'illegal content' messages on certain links, although you already made the $id/santy worm filter fix, exactly the same as here two days ago, that was on the Only registered users can see links on this board! Get registered or login!. You got exactly the same answer as you got here.
So either you have a very bad memory or you just like to see your name in forums and like to keep people busy.
 
Susann
PostPosted: Wed Feb 16, 2005 6:47 am Reply with quote

Possible, that I can`t remember all of my 401 posts about php-nuke in
your forum. But I remember the reasons why I posted the topic "phpBB.com
offline" there very well.

In the morning of 7 th February I found in my seo forum the headlines
"phpbb.com hacked". At phpBB.com I couldn't find the exact reasons,
only something about polical hackers. (Dont know what that means
exactly...) So I came to your forum. But no answer, instead: "Ja, was
könnten die da wohl meinen, was statt phpbb das Angriffsziel ist?"
Besides irony, this is not a valuable information to me and i think
also to the others.
Only the post from another user with the link to phpBB.de was useful
for me. But couldn't find more about the awstats security whole.
After googleing i found more information.
Only registered users can see links on this board! Get registered or login!

I posted that information in your forum:
The link, what to do with the config.dir from awstats etc.

But ok, feel free to delete all my posts in your forum ! !
 
Display posts from previous:       
Post new topic   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©