Hi All,

I just wanted to share an experience with you that we just went
through.  Our Linux WebServer got hacked.  It isn't a Linux or Apache
thing, but some of the websites on that server use AWSTATS.  Apparently,
there is a vulnerability in AwStats versions 5.0 to 6.2, and only if you
allow updates from the web.

In a nutshell, the vulnerability allows the user to execute system
commands from an HTTP request.  This particular hack reads the Apache
config file and finds all the website root directories.  It only needs
to find a single site to exploit the vulnerability, so even other sites
on the machine that do not use AwStats will be affected!  It replaces
all the index.* files with a series of index files that look like this:
http://www.twoguysthinking.com

And if that wasn't enough, it then deletes ALL files and directories in
that website directory tree that contain the letter combination "log". 
At first, I thought this meant just deleting the Apache log files, but
then I realized any graphics with the word "logo" in the name were
gone.  Then the real fun began: we host a number of BLOG sites.  Any web
pages, directories, program files, etc. with the term "blog" in their
names were also gone.  Needless to say, we had a great time fixing this
little problem.

To patch the vulnerability, update AwStats to version 6.3 and/or
disallow Update from the web by changing the AwStats config file.  If
you are not running AwStats or are running it but already do not allow
update from the web, then you should not be vulnerable.

Joel Cochran
http://www.rpgnext.com
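
The two conditions named in the post (an AwStats version from 5.0 to 6.2, and update from the web allowed) can be checked per site config. The following is an added example, not part of the original post and not AwStats code. It assumes the web-update switch is the AWStats directive AllowToUpdateStatsFromBrowser (treated as 0 when absent) and that the installed version string is supplied by the caller; the sample configs are constructed.

```python
import re

# Range the post names as affected: 5.0 through 6.2 (6.3 is the fixed release).
AFFECTED_MIN, AFFECTED_MAX = (5, 0), (6, 2)
DIRECTIVE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')

def parse_conf(text):
    """Return {directive: value} from KEY=VALUE config text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]  # simplification: '#' starts a comment
        m = DIRECTIVE.match(line)
        if m:
            # Assumption: a later occurrence overrides an earlier one.
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def version_tuple(version):
    """Turn '6.2' or '6.2 (build ...)' into (6, 2)."""
    m = re.match(r'\s*(\d+)\.(\d+)', version)
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    return int(m.group(1)), int(m.group(2))

def audit(conf_text, version):
    """Report whether a site config meets both conditions from the post."""
    settings = parse_conf(conf_text)
    # Assumption: the directive is off (0) when it is not set.
    web_update = settings.get("AllowToUpdateStatsFromBrowser", "0") == "1"
    affected = AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX
    actions = []
    if affected:
        actions.append("upgrade AwStats to 6.3")
    if web_update:
        actions.append("set AllowToUpdateStatsFromBrowser=0")
    return {"affected_version": affected, "web_update": web_update,
            "exposed": affected and web_update, "actions": actions}

# Constructed sample configs (not taken from a real server).
SAMPLE_WEAK = ('SiteDomain="www.example.com"\n'
               '# AllowToUpdateStatsFromBrowser=0\n'
               'AllowToUpdateStatsFromBrowser=1\n')
SAMPLE_HARDENED = ('SiteDomain="www.example.com"\n'
                   'AllowToUpdateStatsFromBrowser=0  # no web updates\n')

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(conf, "6.2 (build 1.0)"))
```

Run it over every AwStats site config on the host, since the post notes that one exploitable site was enough to affect the others.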



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
