[WEB400] AWSTATS Vulnerability!

[Joel Cochran <jrc@xxxxxxxxxx>]

Hi All,

I just wanted to share an experience with you that we just went
through.  Our Linux WebServer got hacked.  It isn't a Linux or Apache
thing, but some of the websites on that server use AWSTATS.  Apparently,
there is a vulnerability in AwStats versions 5.0 to 6.2, and only if you
allow updates from the web.

In a nut shell, the vulnerability allows the user to execute system
commands from an HTTP request.  This particular hack reads the Apache
config file and finds all the website root directories.  It only needs
to find a single site to exploit the vulnerability, so even other sites
on the machine that do not use AwStats will be affected!  It replaces
all the index.* files with a series of index files that look like this:
http://www.twoguysthinking.com

And if that wasn't enough, it then deletes ALL files and directories in
that website directory tree that contain the letter combination "log". 
At first, I thought this meant just deleting the Apache log files, but
then I realized any graphics with the word "logo" in the name were
gone.  Then the real fun began: we host a number of BLOG sites.  Any web
pages, directories, program files, etc. with the term "blog" in their
names were also gone.  Needless to say, we had a great time fixing this
little problem.

To patch the vulnerability, update AwStats to version 6.3 and/or
dissallow Update from the web by changing the AwStats config file.  If
you are not running AwStats or are running it but already do not allow
update from the web, then you should not be vulnerable.

Joel Cochran
http://www.rpgnext.com