Joel (and others): Is there some source (book, website, or this list) that could point us to what to lock down for a "generic install" of Apache created with the i5 http admin wizard? I bought the Apache 2.0 book recommended in other posts, which is pretty deep. For an rpg pgmr, what do we need to do (if anything) to a default server w/rpg cgi and perhaps net.data? I've run the Original server for years with no problems, and recently moved to Apache and V5r3.

jim franz

----- Original Message -----
From: "Joel Cochran" <jrc@xxxxxxxxxx>
To: "Web" <web400@xxxxxxxxxxxx>
Sent: Tuesday, February 08, 2005 7:49 AM
Subject: [WEB400] AWSTATS Vulnerability!

> Hi All,
>
> I just wanted to share an experience with you that we just went through. Our Linux WebServer got hacked. It isn't a Linux or Apache thing, but some of the websites on that server use AWSTATS. Apparently, there is a vulnerability in AwStats versions 5.0 to 6.2, and only if you allow updates from the web.
>
> In a nutshell, the vulnerability allows the user to execute system commands from an HTTP request. This particular hack reads the Apache config file and finds all the website root directories. It only needs to find a single site to exploit the vulnerability, so even other sites on the machine that do not use AwStats will be affected! It replaces all the index.* files with a series of index files that look like this: http://www.twoguysthinking.com
>
> And if that wasn't enough, it then deletes ALL files and directories in that website directory tree that contain the letter combination "log". At first, I thought this meant just deleting the Apache log files, but then I realized any graphics with the word "logo" in the name were gone. Then the real fun began: we host a number of BLOG sites. Any web pages, directories, program files, etc. with the term "blog" in their names were also gone. Needless to say, we had a great time fixing this little problem.
>
> To patch the vulnerability, update AwStats to version 6.3 and/or disallow Update from the web by changing the AwStats config file. If you are not running AwStats or are running it but already do not allow update from the web, then you should not be vulnerable.
>
> Joel Cochran
> http://www.rpgnext.com
>
> _______________________________________________
> This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
> To post a message email: WEB400@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/web400
> or email: WEB400-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/web400.
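An added example, not code from Joel's post or from the AWStats project: Python checks a defender can run for the two conditions the post names, an AWStats version in the affected 5.0 to 6.2 range and a config that still allows updates from the web, plus a scan of Apache access-log lines for awstats.pl requests carrying an update parameter. The config key AllowToUpdateStatsFromBrowser and the access-log format are assumptions drawn from AWStats and Apache documentation, not from the post; the sample config and log lines are constructed.

```python
import re

# The post states versions 5.0 to 6.2 are affected and 6.3 is the fix.
FIRST_AFFECTED = (5, 0)
FIXED_VERSION = (6, 3)

# Apache common/combined log prefix: client, ident, user, [timestamp], "request", status
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(text):
    """Turn '6.2' into (6, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split(".")[:2])

def version_is_vulnerable(version):
    """True when the installed version falls inside the affected range."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_VERSION

def browser_update_enabled(config_text):
    """Read AllowToUpdateStatsFromBrowser (assumed AWStats key) from a config file.
    Comments are stripped first; a missing key is treated as off, AWStats' default."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'AllowToUpdateStatsFromBrowser\s*=\s*"?(\d)"?', line)
        if m:
            return m.group(1) == "1"
    return False

def find_web_update_requests(log_lines):
    """Flag access-log entries that call awstats.pl with update=1, i.e. a
    statistics update triggered from the browser rather than from cron."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "awstats.pl" in path.lower() and re.search(r'[?&]update=1\b', path):
            hits.append((m.group("ip"), path, m.group("status")))
    return hits

# Constructed sample input (not from the original post).
SAMPLE_CONF = ('LogFile="/var/log/apache/access.log"\n'
               '# AllowToUpdateStatsFromBrowser=0\n'
               'AllowToUpdateStatsFromBrowser=1\n')
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2005:07:49:00 -0500] "GET /awstats/awstats.pl?config=site&update=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [08/Feb/2005:07:50:12 -0500] "GET /index.html HTTP/1.1" 200 1200',
]
```

Run the three checks against each AWStats config on the host; the remediation the post gives is an upgrade to 6.3 or setting the key back to 0.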
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.