On 0, Giles Coochey <giles@coochey.net> allegedly wrote:
I saw the "WEB-ATTACKS id command attempt" triggered today, with the
following in the payload:
000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 61 77 73 GET /cgi-bin/aws
010 : 74 61 74 73 2E 70 6C 3F 63 6F 6E 66 69 67 64 69 tats.pl?configdi
020 : 72 3D 7C 65 63 68 6F 25 32 30 3B 65 63 68 6F 25 r=|echo%20;echo%
030 : 32 30 3B 69 64 3B 65 63 68 6F 25 32 30 3B 65 63 20;id;echo%20;ec
040 : 68 6F 7C 20 48 54 54 50 2F 31 2E 31 0D 0A ho| HTTP/1.1..
Does that look like an awstats exploit attempt?
Might be someone (or some auto script) testing for a vulnerable version.
If sucessful they would find out which user awstats is executed as.
Does anyone have a vulnerability report on this?
Yes, a couple of sources, look at the docs for sids 3463 and 3464 and
also the Bugtraq entry 12572
Should I attempt to report the source address to the appropriate
authority I get through a whois query?
That's up to you.
+--------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc.
Vulnerability Research Team
Stewie: This is treason.. for God sakes Peter make an example of
her.. nothing says 'obey me' like a bloody head on a fence post.
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
