


I have already updated my personal server. I did that as soon as I
heard there was a security hole.


On Wed, 9 Feb 2005 07:09:25 -0000, Colin Williams
<colin.williams@xxxxxxxxxxxx> wrote:
> Joel,
> 
> I was just reading last night that the main phpBB site lost access to their
> own servers through this little one!
> If you search on the internet you will find loads of instances of people
> getting hacked via this exploit!
> 
> cheers
> Colin.W
> 
> Extension   5800
> Direct dial   0870 429 5800
> 
> 
> -----Original Message-----
> From: Joel Cochran [mailto:jrc@xxxxxxxxxx]
> Sent: 08 February 2005 12:49
> To: Web
> Subject: [WEB400] AWSTATS Vulnerability!
> 
> Hi All,
> 
> I just wanted to share an experience with you that we just went through.
> Our Linux WebServer got hacked.  It isn't a Linux or Apache thing, but some
> of the websites on that server use AWSTATS.  Apparently, there is a
> vulnerability in AwStats versions 5.0 to 6.2, and only if you allow updates
> from the web.
> 
> In a nutshell, the vulnerability allows the user to execute system commands
> from an HTTP request.  This particular hack reads the Apache config file and
> finds all the website root directories.  It only needs to find a single site
> to exploit the vulnerability, so even other sites on the machine that do not
> use AwStats will be affected!  It replaces all the index.* files with a
> series of index files that look like this: http://www.twoguysthinking.com
> 
> And if that wasn't enough, it then deletes ALL files and directories in that
> website directory tree that contain the letter combination "log".
> At first, I thought this meant just deleting the Apache log files, but then
> I realized any graphics with the word "logo" in the name were gone.  Then
> the real fun began: we host a number of BLOG sites.  Any web pages,
> directories, program files, etc. with the term "blog" in their names were
> also gone.  Needless to say, we had a great time fixing this little problem.
> 
> To patch the vulnerability, update AwStats to version 6.3 and/or disallow
> Update from the web by changing the AwStats config file.  If you are not
> running AwStats or are running it but already do not allow update from the
> web, then you should not be vulnerable.
> 
> Joel Cochran
> http://www.rpgnext.com
> 
> _______________________________________________
> This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
> To post a message email: WEB400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/web400.
> 


-- 
Mike Wills
Midrange Programmer/Lawson Administrator
koldark@xxxxxxxxx
http://www.mikewills.name
Want Gmail? Email koldark+gmail@xxxxxxxxx to get on my waiting list.
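
The mitigation described in the quoted post (update to 6.3 and/or disallow update from the web), as an added audit script that is not part of the original thread. It assumes the relevant AWStats config directive is `AllowToUpdateStatsFromBrowser`, that config files are named `awstats*.conf`, and that the last assignment in a file is the effective one; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit AWStats installs against the advice in the thread.

# Exit 0 when a major.minor version string falls in the range the post
# reports as affected: 5.0 through 6.2 (6.3 is the fixed release).
version_affected() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    [ "$major" -eq 5 ] || { [ "$major" -eq 6 ] && [ "$minor" -le 2 ]; }
}

# Print the effective AllowToUpdateStatsFromBrowser value of one config.
# Comments are ignored, quotes and whitespace stripped, and the last
# assignment wins (assumption). A file that never sets it prints 0,
# the AWStats default.
effective_update_flag() {
    awk '
        BEGIN { val = "0" }
        {
            sub(/#.*/, "")                   # drop comments
            if ($0 !~ /^[ \t]*AllowToUpdateStatsFromBrowser[ \t]*=/) next
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)      # keep the right-hand side
            gsub(/["\r \t]/, "", v)          # strip quotes and whitespace
            val = v
        }
        END { print val }
    ' "$1"
}

# Report every awstats*.conf under a directory that allows web updates.
# Prints "path: directive=value" per finding; returns 1 if any was found.
audit_awstats_configs() {
    dir=$1
    found=0
    for f in "$dir"/awstats*.conf; do
        [ -f "$f" ] || continue
        v=$(effective_update_flag "$f")
        if [ "$v" != "0" ]; then
            echo "$f: AllowToUpdateStatsFromBrowser=$v"
            found=1
        fi
    done
    return "$found"
}

# Run against a directory given on the command line, e.g. /etc/awstats.
if [ $# -gt 0 ]; then audit_awstats_configs "$1"; fi
```

Any file it reports should have the directive set to 0, and `version_affected` can be fed the installed version string to decide whether the upgrade to 6.3 is still outstanding.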


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
