| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGEu6OA3ofq=b4i52fefRZCO=uhoRNPaCSsG9yx-2Fif-Dq-qg@mail.gmail.com>
Date: Fri, 16 Dec 2011 13:43:34 -0600
From: Lamar Spells <lamar.spells@...il.com>
To: Nikolay Kichukov <hijacker@...um.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: New awstats.pl vulnerability?
Here are some additional IPs and some analysis of the IPs in question.
Looks like very few of the scanning IPs are running awstats, but many
are legitimate business running old apache versions. I am guessing
they didn't self install an awstats scanner...
http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html
On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells@...il.com> wrote:
> Today we are also seeing requests like this one which is looking to
> exploit CVE-2008-3922:
>
> GET /awstatstotals/awstatstotals.php ?
> sort={${passthru(chr(105).chr(100))}}{${exit()}}
>
>
>
> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker@...um.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from.
>>
>> - -Nik
>>
>>
>>
>> On 12/13/2011 07:30 AM, Bruce Ediger wrote:
>>> On Mon, 12 Dec 2011, Lamar Spells wrote:
>>>
>>>> For the past several days, I have been seeing thousands of requests
>>>> looking for awstats.pl like this one:
>>>
>>> Yeah, me too. They just started up. I haven't seen any awstats.pl
>>> requests since 2010-05-18, and now I've gotten batches of them, since
>>> about 2011-11-22, but heavier since the start of December.
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9
>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi
>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef
>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI
>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v
>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY=
>> =0+7+
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists