lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 22 Dec 2011 23:23:11 -0500 From: Lamar Spells <lamar.spells@...il.com> To: Nikolay Kichukov <hijacker@...um.net> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: New awstats.pl vulnerability? Here is an update on this: Over the past week, we have seen the awstats activity continue, but morph to include other vulnerabilities. Details of this are at http://foxtrot7security.blogspot.com/2011/12/attacks-against-awstats-also-includes.html -- but the summary is that we have seen activity change to include Local File Inclusion and command injection in phpAlbum and other components written in PHP. We started seeing today some activity related to phpthumb and CVE-2010-1598... Details of this are at http://foxtrot7security.blogspot.com/2011/12/new-attempts-to-exploit-old-phpthumb.html I am really curious as to the motivation of the parties deploying these types of scans. I understand that they would like to find vulnerable systems to compromise... but for what purpose? Sending spam? So far, based on what I am seeing, it looks like they are compromising systems just to have those systems look for more systems to compromise. At this point, I have to assume that they are still in the construction and building phase... On Fri, Dec 16, 2011 at 2:43 PM, Lamar Spells <lamar.spells@...il.com> wrote: > Here are some additional IPs and some analysis of the IPs in question. > Looks like very few of the scanning IPs are running awstats, but many > are legitimate business running old apache versions. I am guessing > they didn't self install an awstats scanner... > > http://foxtrot7security.blogspot.com/2011/12/importance-of-patching.html > > > On Tue, Dec 13, 2011 at 7:51 AM, Lamar Spells <lamar.spells@...il.com> wrote: >> Today we are also seeing requests like this one which is looking to >> exploit CVE-2008-3922: >> >> GET /awstatstotals/awstatstotals.php ? >> sort={${passthru(chr(105).chr(100))}}{${exit()}} >> >> >> >> On Tue, Dec 13, 2011 at 2:17 AM, Nikolay Kichukov <hijacker@...um.net> wrote: >>> -----BEGIN PGP SIGNED MESSAGE----- >>> Hash: SHA1 >>> >>> Same here, I even tried to notify a bunch of the ISP registrators of the IP address range those originated from. >>> >>> - -Nik >>> >>> >>> >>> On 12/13/2011 07:30 AM, Bruce Ediger wrote: >>>> On Mon, 12 Dec 2011, Lamar Spells wrote: >>>> >>>>> For the past several days, I have been seeing thousands of requests >>>>> looking for awstats.pl like this one: >>>> >>>> Yeah, me too. They just started up. I haven't seen any awstats.pl >>>> requests since 2010-05-18, and now I've gotten batches of them, since >>>> about 2011-11-22, but heavier since the start of December. >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>> -----BEGIN PGP SIGNATURE----- >>> Version: GnuPG v1.4.11 (GNU/Linux) >>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ >>> >>> iQEcBAEBAgAGBQJO5vwQAAoJEDFLYVOGGjgX8oEH/i3kjBAtJcT1DJvJVcRX4O+9 >>> t2UcvehxpyjalhCttTmQrE8EcLrtGS62K0ZziNQPvXirOtJ0ERcaARsQFiTT7fCi >>> YyEuNDa15nx+wS2dgnKWEyCjz356RobtXgFflrbfHNPmBCRGd/qM3VzquUDYRdef >>> E+JtU0J3RgilXxMFLrZK5GHwZOUKNebv/T6bRPescMzRsX/DO89Csv0kWJM9xvyI >>> kd0El+/thw8aj9/21dB/JWhdbiBozuKd2MG1hTog/xKFVzVqdTzkNoZ7Ok15n91v >>> LoAx7cLqDInmx1syDLOSMhzRoyqGAA9Uq/WuTpDqTDcHjVwjGJPeYjc97dIJWdY= >>> =0+7+ >>> -----END PGP SIGNATURE----- >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists