[Snort-sigs] Exploit attempt?

Nigel Houghton nigel at ...435...
Tue Apr 5 06:23:40 EDT 2005


On  0, Giles Coochey <giles at ...1554...> allegedly wrote:
> I saw the "WEB-ATTACKS id command attempt" triggered today, with the 
> following in the payload:
> 
> 000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 61 77 73   GET /cgi-bin/aws
> 010 : 74 61 74 73 2E 70 6C 3F 63 6F 6E 66 69 67 64 69   tats.pl?configdi
> 020 : 72 3D 7C 65 63 68 6F 25 32 30 3B 65 63 68 6F 25   r=|echo%20;echo%
> 030 : 32 30 3B 69 64 3B 65 63 68 6F 25 32 30 3B 65 63   20;id;echo%20;ec
> 040 : 68 6F 7C 20 48 54 54 50 2F 31 2E 31 0D 0A         ho| HTTP/1.1..
> 
> Does that look like an awstats exploit attempt?

Might be someone (or some auto script)  testing for a vulnerable version.
If sucessful they would find out which user awstats is executed as.

> Does anyone have a vulnerability report on this?

Yes, a couple of sources, look at the docs for sids 3463 and 3464 and
also the Bugtraq entry 12572

> Should I attempt to report the source address to the appropriate 
> authority I get through a whois query?

That's up to you.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

   Stewie: This is treason.. for God sakes Peter make an example of
   her.. nothing says 'obey me' like a bloody head on a fence post.




More information about the Snort-sigs mailing list