


Joel,

I was just reading last night that the main phpBB site lost access to their
own servers through this little one!
If you search on the internet you will find loads of instances of people
getting hacked via this exploit!

cheers
Colin.W
 
Extension   5800
Direct dial   0870 429 5800


-----Original Message-----
From: Joel Cochran [mailto:jrc@xxxxxxxxxx] 
Sent: 08 February 2005 12:49
To: Web
Subject: [WEB400] AWSTATS Vulnerability!


Hi All,

I just wanted to share an experience with you that we just went through.
Our Linux WebServer got hacked.  It isn't a Linux or Apache thing, but some
of the websites on that server use AWSTATS.  Apparently, there is a
vulnerability in AwStats versions 5.0 to 6.2, and only if you allow updates
from the web.

In a nutshell, the vulnerability allows the user to execute system commands
from an HTTP request.  This particular hack reads the Apache config file and
finds all the website root directories.  It only needs to find a single site
to exploit the vulnerability, so even other sites on the machine that do not
use AwStats will be affected!  It replaces all the index.* files with a
series of index files that look like this: http://www.twoguysthinking.com

And if that wasn't enough, it then deletes ALL files and directories in that
website directory tree that contain the letter combination "log". 
At first, I thought this meant just deleting the Apache log files, but then
I realized any graphics with the word "logo" in the name were gone.  Then
the real fun began: we host a number of BLOG sites.  Any web pages,
directories, program files, etc. with the term "blog" in their names were
also gone.  Needless to say, we had a great time fixing this little problem.

To patch the vulnerability, update AwStats to version 6.3 and/or disallow
Update from the web by changing the AwStats config file.  If you are not
running AwStats or are running it but already do not allow update from the
web, then you should not be vulnerable.

Joel Cochran
http://www.rpgnext.com


_______________________________________________
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list.
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.

This e-mail has been sent by a company of Bertram Group Ltd, whose registered 
office is 1 Broadland Business Park, Norwich, NR7 0WF. 
This message, and any attachments, are intended solely for the addressee and 
may contain privileged or confidential information.  If you are not the 
intended recipient, any disclosure, copying, distribution or any action taken 
or omitted to be taken in reliance on it, is prohibited and may be unlawful.  
If you believe that you have received this email in error, please contact the 
sender immediately. Opinions, conclusions and statements of intent in this 
e-mail are those of the sender and will not bind a Bertram Group Ltd company 
unless confirmed in writing by a director independently of this message. 
Although we have taken steps to ensure that this email and any attachments are 
free from any virus, we advise that in keeping with good computing practice the 
recipient should ensure they are actually virus free.
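The fix Joel describes is a configuration change: stop AWStats from letting a web request trigger a statistics update. The following is an added example, not code from either post or from the AWStats project. It assumes AWStats' own config syntax (one KEY=value line per directive, `#` comments) and its real directive AllowToUpdateStatsFromBrowser (1 allows updates from the browser, 0 disallows them); the config file names and contents below are constructed for the demonstration.

```python
"""Audit AWStats config files for the 'update from the browser' setting.

Added example for this thread, not code from the original posts. It assumes
AWStats' config syntax (KEY=value per line, '#' comments) and the real
directive AllowToUpdateStatsFromBrowser (1 = allow, 0 = disallow). The
sample file names and contents are constructed, not taken from any real site.
"""
import re

# AWStats directive that lets a browser request trigger a statistics update.
# The thread's advice is to set it to 0 (and/or upgrade to AWStats 6.3).
UPDATE_KEY = "AllowToUpdateStatsFromBrowser"

# KEY=value, value optionally double-quoted, optional trailing '#' comment.
_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_awstats_config(text: str) -> dict:
    """Parse KEY=value lines; a later occurrence of a key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def allows_browser_update(text: str) -> bool:
    """True if this config lets web requests trigger an update (the risky setting)."""
    # AWStats treats a missing directive as 0, so only an explicit 1 is flagged.
    return parse_awstats_config(text).get(UPDATE_KEY, "0") == "1"


def audit_configs(configs: dict) -> list:
    """Return the names of configs (name -> contents) that allow updates from the web."""
    return sorted(name for name, text in configs.items() if allows_browser_update(text))


def harden(text: str) -> str:
    """Return the config with the directive forced to 0, appending it if absent."""
    pattern = re.compile(rf'^(\s*{UPDATE_KEY}\s*=\s*)\S+', re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(r'\g<1>0', text)
    return text.rstrip("\n") + f"\n{UPDATE_KEY}=0\n"


# Constructed sample configs: one with the weak setting, one already hardened.
SAMPLE_CONFIGS = {
    "awstats.weak.example.conf": (
        "# constructed sample, not a real site\n"
        'LogFile="/var/log/apache/access.log"\n'
        'SiteDomain="weak.example"\n'
        "AllowToUpdateStatsFromBrowser=1   # anyone on the web can trigger an update\n"
    ),
    "awstats.safe.example.conf": (
        'LogFile="/var/log/apache/access.log"\n'
        'SiteDomain="safe.example"\n'
        "AllowToUpdateStatsFromBrowser=0\n"
    ),
}

if __name__ == "__main__":
    for name in audit_configs(SAMPLE_CONFIGS):
        print(f"{name}: {UPDATE_KEY}=1, update from the web is allowed")
        print(harden(SAMPLE_CONFIGS[name]))
```

Run against a directory of real `awstats.*.conf` files by reading each one into the `configs` dictionary; `harden()` only rewrites the one directive, so the rest of a site's configuration is left untouched. The config change alone does not replace the upgrade Joel recommends, since it only closes the update path that the vulnerable versions expose.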

