__/ [Tim Smith] on Thursday 13 October 2005 13:37 \__
> In article <dikn2f$2n3r$1@xxxxxxxxxxxxxxxxx>,
> Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> I have yet another reason to hate Windows with /passion/. My Linux server
>> has come under heavy attacks by Windows machine that had been hijacked
>> and it's putting my Web host in jeopardy. Motive? Referrer spam that
>> comes with the visits en masse.
> I checked my logs to see if I have any of those, and I'm not getting
> hit. However, I did notice this interesting item:
> 184.108.40.206 - - [12/Oct/2005:19:24:45 -0700] "GET
> ;echo| HTTP/1.1" 404 1021 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98)"
> Looks like someone is trying to exploit a problem with awstats on Unix
> systems. Even though the user agent string claims Windows 98,
> 220.127.116.11 is running Red Hat Linux.
> As of right now, you can run that wget command it is trying to do and
> get the script it wants to run. It's a version of the ShellBOT
> backdoor, which has been around for a while:
> It's kind of a nice break amid all the usual Windows malware crap I see
> in my web logs to actually run across some Unix malware that is actually
> in the wild and trying to spread. :-)
Speaking of the notorious AWStats exploit, this morning I read a message
from the head sysadmin at the Computer Science Department.
Somebody questionably invoked AWStats from /tmp. It had to be assumed
that the attacker got a copy of the password file in the research domain.
All were forced to urgently change passwords. I occasionally notice
attempts to exploit (non-existing) AWStats on my domain. My AWStats
installation is behind an authentication wall.
I am guessing an infiltration via SSH of which there are endless attempts
from the east
Roy S. Schestowitz | "How do I set my laser printer on stun?"
http://Schestowitz.com | SuSE Linux | PGP-Key: 74572E8E
2:25pm up 49 days 2:39, 3 users, load average: 0.28, 0.52, 0.54
http://iuron.com - next generation of search paradigms