Joel,

I was just reading last night that the main phpBB site lost access to their own servers through this little one! If you search on the internet you will find loads of instances of people getting hacked via this exploit!

cheers
Colin.W
Extension 5800
Direct dial 0870 429 5800

-----Original Message-----
From: Joel Cochran [mailto:jrc@xxxxxxxxxx]
Sent: 08 February 2005 12:49
To: Web
Subject: [WEB400] AWSTATS Vulnerability!

Hi All,

I just wanted to share an experience with you that we just went through. Our Linux WebServer got hacked. It isn't a Linux or Apache thing, but some of the websites on that server use AWSTATS. Apparently, there is a vulnerability in AwStats versions 5.0 to 6.2, and only if you allow updates from the web.

In a nutshell, the vulnerability allows the user to execute system commands from an HTTP request. This particular hack reads the Apache config file and finds all the website root directories. It only needs to find a single site to exploit the vulnerability, so even other sites on the machine that do not use AwStats will be affected! It replaces all the index.* files with a series of index files that look like this: http://www.twoguysthinking.com

And if that wasn't enough, it then deletes ALL files and directories in that website directory tree that contain the letter combination "log". At first, I thought this meant just deleting the Apache log files, but then I realized any graphics with the word "logo" in the name were gone. Then the real fun began: we host a number of BLOG sites. Any web pages, directories, program files, etc. with the term "blog" in their names were also gone. Needless to say, we had a great time fixing this little problem.

To patch the vulnerability, update AwStats to version 6.3 and/or disallow Update from the web by changing the AwStats config file. If you are not running AwStats or are running it but already do not allow update from the web, then you should not be vulnerable.

Joel Cochran
http://www.rpgnext.com
_______________________________________________
This is the Web Enabling the AS400 / iSeries (WEB400) mailing list
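
A check for the config-file mitigation described in the message above, as an added example that is not part of the original thread: it scans AWStats config files for the `AllowToUpdateStatsFromBrowser` directive (the AWStats setting for update from the web) and lists the files that leave it on. The sample configs are constructed, the `/etc/awstats` default path is an assumption, and a missing directive is treated as off on the assumption that the AWStats default of 0 applies.

```python
import re
import sys
from pathlib import Path

DIRECTIVE = "AllowToUpdateStatsFromBrowser"
# Matches: Name=value or Name="value", with an optional trailing "# comment".
LINE_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')

def web_update_enabled(conf_text):
    """Return True if this config text leaves update-from-browser switched on."""
    value = "0"  # assumption: directive absent means the default (0, off)
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive has no effect
        m = LINE_RE.match(line)
        if m and m.group(1) == DIRECTIVE:
            value = m.group(2).strip()  # a later assignment overrides an earlier one
    # Anything other than an explicit 0 (including an empty value) is flagged.
    return value != "0"

def audit(conf_dir):
    """Return sorted names of awstats*.conf files in conf_dir that allow web updates."""
    flagged = []
    for path in sorted(Path(conf_dir).glob("awstats*.conf")):
        if web_update_enabled(path.read_text(errors="replace")):
            flagged.append(path.name)
    return flagged

# Constructed sample: update from the web is enabled.
SAMPLE_OPEN = '''LogFile="/var/log/apache/access.log"
SiteDomain="blog.example.test"
AllowToUpdateStatsFromBrowser=1
'''

# Constructed sample: the enabling line is commented out and the live one is 0.
SAMPLE_CLOSED = '''SiteDomain="shop.example.test"
#AllowToUpdateStatsFromBrowser=1
AllowToUpdateStatsFromBrowser = 0   # updates run from cron only
'''

if __name__ == "__main__":
    # Assumed default location; pass the real config directory as argument 1.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/awstats"
    for name in audit(target):
        print("update from web enabled:", name)
```

The check does not follow `Include` lines and says nothing about the installed AWStats version, so it covers only the config-file half of the advice above.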
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.