Since I mentioned awstats on this blog I've been getting attempts to access the awstats.pl script on this site. awstats.pl is not accessible through this domain; it is provided by Site5, but I have to log in to netadmin to get to them.
Anyway, I had a quick search to see if there was a way to hack in via awstats and sure enough there is. The trick mentioned in this article is the one they are trying to get in with:
200.223.55.134 - - [11/Feb/2005:14:44:54 -0500] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo%20| HTTP/1.0" 404 6186 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
This is trying to execute the command id, which shows the uid, gid and groups of the account it runs in. I guess this is probing for this vulnerability and seeing whether it gives root access.
The break-in attempts are coming from a variety of IPs; as is usual they are using proxies, so there is no point trying to block them. They are getting 403s anyway; they aren't consuming much bandwidth.
Moral: keep an eye on your access logs, see what folk are up to.
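One way to keep that eye on the logs, as an added example that is not part of the original post: a small Python scan that flags requests whose query-string values carry shell metacharacters, like the configdir probe quoted above. It assumes Apache combined log format; the function name find_probes is made up for this sketch, and only the first sample line comes from the post (the other two are constructed).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)
# Shell metacharacters that are rarely legitimate inside a query-string value.
SHELL_META = re.compile(r'[|;`]|\$\(')

def find_probes(lines):
    """Return one dict per request whose query string carries shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes, so "%7C" and a literal "|" are both caught
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(value):
                hits.append({"ip": m["ip"], "time": m["time"],
                             "status": int(m["status"]), "path": parts.path,
                             "param": name, "value": value})
                break  # one finding per request is enough
    return hits

# First line is the one quoted in the post; the other two are constructed.
SAMPLE = [
    '200.223.55.134 - - [11/Feb/2005:14:44:54 -0500] "GET /stats/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo%20| HTTP/1.0" 404 6186 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"',
    '192.0.2.10 - - [11/Feb/2005:14:50:01 -0500] "GET /index.html?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Feb/2005:15:02:13 -0500] "GET /cgi-bin/awstats.pl?configdir=%7Cid%7C HTTP/1.0" 403 301 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE):
        print("{ip} [{time}] {status} {path} {param}={value!r}".format(**hit))
```

The status field in each finding is the part to watch: a 404 or 403 means the probe missed, while a 200 on a flagged request is the one that needs a closer look.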


I could block accesses to awstats in the requested URL, but as awstats is not there anyway it is not a problem for me.
I checked on the Site5 forums: although they are running awstats 6.2, which has this vulnerability, it is behind an authenticated login, so they are not in a hurry to upgrade it.
Peter