[Dshield] Server

Stephane Grobety security at admin.fulgan.com
Fri Aug 19 07:44:07 GMT 2005


Hello Glenn,

Awstats is known to have several remotely exploitable vulnerabilities and
it's a popular entry door into systems. I see such a scan twice a day
on web-serving machines.

I can't tell you if your machine really has been compromised from what
you're saying: how are these folders being "accessed"? What are you
looking at? HTTP logs? If so, check the return code: if it's 403 or
404, you should be fine. If it's 200, 50x or similar then you're
probably owned.

Good luck,
Stephane

Friday, August 19, 2005, 6:50:23 AM, you wrote:

GJ> I sent a contact us message through ISC a while back, but I suppose with 
GJ> all the activity lately they haven't had a chance
GJ> to respond. I'm seeing strange activity in my server logs that just 
GJ> isn't normal. Someone is accessing the awstats directory
GJ> on my server. I can confirm that access to that directory is restricted. 
GJ> In fact, if I use any of my browsers, I can't access
GJ> it, by http or ftp.
GJ> If I use my ftp client, I can of course access any directory on my 
GJ> server using the password. I can't understand why or
GJ> how anyone else has been able to gain access to the awstats/icons   
GJ> directory, or why they would even bother in the
GJ> first place.
GJ> Can anyone here offer some wisdom? I really don't wish to show the log 
GJ> here on a public list /forum.

GJ> Thanks in advance,
GJ> Glenn




-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
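
The return-code check suggested in the reply above, written out as an added example that is not part of the original message. It assumes an Apache common/combined access log; the function names, the `needle` parameter and the sample lines are hypothetical and constructed for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(status):
    """Apply the reply's rule of thumb to one HTTP status code."""
    if status in (403, 404):
        return "rejected"      # server refused the request or had nothing there
    if status == 200 or 500 <= status <= 599:
        return "investigate"   # request was served, or a handler ran and failed
    return "other"             # redirects, 401, etc.: review by hand

def triage(lines, needle="awstats"):
    """Return (counts, hits) for requests whose URL contains `needle`."""
    counts, hits = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue           # skip lines that are not in the assumed format
        parts = m.group("request").split()
        url = parts[1] if len(parts) >= 2 else m.group("request")
        if needle not in url.lower():
            continue
        status = int(m.group("status"))
        verdict = classify(status)
        counts[verdict] += 1
        if verdict != "rejected":
            hits.append((m.group("host"), m.group("time"), url, status))
    return counts, hits

# Constructed sample lines (documentation IP ranges), not taken from any real log.
SAMPLE = [
    '192.0.2.10 - - [19/Aug/2005:06:01:12 +0000] "GET /awstats/icons/other/logo.png HTTP/1.0" 403 289',
    '198.51.100.7 - - [19/Aug/2005:06:03:40 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 404 281',
    '198.51.100.7 - - [19/Aug/2005:06:03:41 +0000] "GET /awstats/awstats.pl?config=example HTTP/1.0" 200 5120',
    '203.0.113.5 - - [19/Aug/2005:06:10:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.9 - - [19/Aug/2005:06:12:55 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 500 602',
]

if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    print(dict(counts))
    for hit in hits:
        print(*hit)
```

Entries returned in `hits` are the requests to look at next, alongside the requested URL and the source address.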


