  1. #1
    ABW Ambassador cditty
    Join Date
    January 18th, 2005
    Location
    Memphis TN
    Posts
    1,434
    Awstats and security breach
    If anyone out there uses awstats for your web stats program, it is recommended that you upgrade to the latest version ASAP. A security exploit was discovered in versions 5.0 - 6.2. This exploit will allow people to upload files for execution on your server.

    http://www.kb.cert.org/vuls/id/JGEI-69GM36

    I found this out the hard way. I noticed that my server had been compromised and someone had actually uploaded a telnet program onto my server. My support people showed me how easy it was to actually log into my box via telnet with no user id or password. On the plus side, this exploit was only discovered on 2/21/05, so hopefully not too many people know about it yet.

    Chris
    Recycled Talent - Architects of custom scripts and snippets, perfectly written to suit any need. We stay on top of the latest technology so you don't have to.
    Total Stupidity - Shining light on stupid things.

  2. #2
    ABW Ambassador Snib
    Join Date
    January 18th, 2005
    Location
    Virginia
    Posts
    5,303
    Whew, glad to hear this. Somebody uploaded over my index on one of my sites and I had no idea how they did it. I closed down several services hoping that may have been it. This has to be it. I'm upgrading as we speak.

    Thanks Chris!
    Hatred stirs up strife, But love covers all transgressions.

  3. #3
    ABW Ambassador cditty
    Join Date
    January 18th, 2005
    Location
    Memphis TN
    Posts
    1,434
    I was able to verify that it was through awstats. Oh joy, oh joy
    Recycled Talent - Architects of custom scripts and snippets, perfectly written to suit any need. We stay on top of the latest technology so you don't have to.
    Total Stupidity - Shining light on stupid things.

  4. #4
    ABW Ambassador Snib
    Join Date
    January 18th, 2005
    Location
    Virginia
    Posts
    5,303
    All done updating, whew! Version 6.3 now. WHM should have told me about this, they better get on top of that.

    - Scott
    Hatred stirs up strife, But love covers all transgressions.

  5. #5
    Devil's Reject Electropulse
    Join Date
    January 18th, 2005
    Posts
    987
    last week my host disabled awstats.pl with a note to upgrade to 6.3, they're cool like that.

  6. #6
    Not Verif-Lidated infoTim
    Join Date
    January 18th, 2005
    Location
    Sunny Florida
    Posts
    1,021
    I generate the pages statically via cron instead of using the CGI.
    Tim
    consultant by day, affiliate by night

  7. #7
    Roll Tide mobilebadboy
    Join Date
    January 18th, 2005
    Location
    Mobile, Alabama
    Posts
    1,220
    That exploit took out phpbb.com a couple of weeks ago.

    Shawn Kerr (.com) | Disney World | SEC Football

  8. #8
    ABW Ambassador Snib
    Join Date
    January 18th, 2005
    Location
    Virginia
    Posts
    5,303
    I just had quite a fiasco today due to this. Apparently somebody had uploaded a whole package of exploits including a fake ebay credit card page, a spam emailer, fake paypal login, etc. I found my server was running really slow, turns out it was the spam emailer running my load averages up over 150. After a couple hours of research I found the package installed in a folder called /icon. They had uploaded it apparently the very same day I fixed the problem. I saw as clear as day that they used awstats to upload this abomination and unzip it. I deleted it and hopefully this is the end of that. Just an FYI, this person was from Morocco.

    - Scott
    Hatred stirs up strife, But love covers all transgressions.
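Post #8 found the intrusion by reading the web server's access log for awstats.pl requests. The following added example (not from this thread, and not part of AWStats) does that triage over a few constructed combined-format log lines: it flags awstats.pl requests whose decoded query string carries shell metacharacters, then lists what else the flagged client fetched, such as the dropped /icon directory. The metacharacter heuristic is this example's assumption; the thread does not describe the exact mechanism of the flaw.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format, as written by Apache; fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that have no business in an awstats.pl query string.
# Generic command-injection indicator, assumed here for the purpose of triage.
META_RE = re.compile(r'[|;`$&]')

# Constructed sample log; the 203.0.113.9 client is the one to worry about.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2005:10:12:01 +0000] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 5120
203.0.113.9 - - [21/Feb/2005:10:15:44 +0000] "GET /cgi-bin/awstats.pl?config=example.com%7Cid%7C HTTP/1.1" 200 812
203.0.113.9 - - [21/Feb/2005:10:16:02 +0000] "GET /icon/index.php HTTP/1.1" 200 1201
198.51.100.7 - - [21/Feb/2005:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_awstats_requests(log_text):
    """Return (ip, decoded url) for awstats.pl requests carrying shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        parts = urlsplit(rec["url"])
        if not parts.path.endswith("awstats.pl"):
            continue
        query = unquote(parts.query)  # %7C and friends only show up once decoded
        if META_RE.search(query):
            hits.append((rec["ip"], parts.path + "?" + query))
    return hits


def followup_requests(log_text, ips):
    """Everything else the flagged clients requested, e.g. a dropped /icon directory."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ip"] in ips and not urlsplit(rec["url"]).path.endswith("awstats.pl"):
            out.append((rec["ip"], urlsplit(rec["url"]).path))
    return out
```

Run it against the real access log (and the rotated copies, since the thread notes files reappeared a day later) and treat any hit as a reason to rebuild rather than just delete.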

  9. #9
    Not Verif-Lidated infoTim
    Join Date
    January 18th, 2005
    Location
    Sunny Florida
    Posts
    1,021
    That stinks, Snib! Hopefully the spamming doesn't get your IP banned anywhere.

    I really don't trust CGI scripts of any complexity to be bug-free, even if I write them myself. :-) I run awstats out of cron every 30 minutes to generate static pages and don't use it as a CGI for that very reason.

    - Tim
    Tim
    consultant by day, affiliate by night

  10. #10
    ABW Ambassador cditty
    Join Date
    January 18th, 2005
    Location
    Memphis TN
    Posts
    1,434
    Just because you deleted the files doesn't mean they are still there. I went back the next day and some files had replaced themselves. I don't know how they got back there, but another delete, password change across the board and a server reboot did the trick.
    Recycled Talent - Architects of custom scripts and snippets, perfectly written to suit any need. We stay on top of the latest technology so you don't have to.
    Total Stupidity - Shining light on stupid things.
