AWStats configdir exec

Jul 28th, 2008

In the past week, I have received a plethora of alerts with this High Level title. After blacklisting the host IP it is back with a different one. I am starting to get concerned because the first IP address that was blacklisted was a hacker.


Can someone tell me if this is a false positive or not?


Or, what is actually setting this sensor off?

mhellman Mon, 07/28/2008 - 09:46

That signature fires on a match of an attempt to call the awstats.pl cgi script with a parameter of configdir and a parameter value containing a ";" or "|". It seems pretty unlikely to be a false positive in the sense that it is probably not legitimate traffic. It isn't necessarily a hacker targeting your systems... it may just be a worm or script that scans the Internets looking for vulnerable systems.


Do you use awstats?
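
The match described in the reply above, sketched as a check over web server access logs, which also helps answer whether awstats.pl is served at all. This is an added example, not part of the original thread and not the IPS signature's own logic; the log format, the percent-decoding step, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Client address and request target from an Apache/NCSA-style log line (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) [^"]*"')
METACHARS = (";", "|")

def configdir_values(target):
    """Return the decoded configdir values if the request is for awstats.pl."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/awstats.pl"):
        return []
    values = []
    # Split on '&' only, so a ';' inside a value is kept for inspection.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == "configdir":
            values.append(unquote_plus(value))
    return values

def is_suspicious(target):
    """True when any configdir value contains ';' or '|' after decoding."""
    return any(ch in v for v in configdir_values(target) for ch in METACHARS)

def scan(lines):
    """Return (client_ip, request_target) for every matching log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and is_suspicious(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Jul/2008:09:01:12 +0000] '
    '"GET /cgi-bin/awstats.pl?configdir=%7CPLACEHOLDER%7C HTTP/1.0" 404 210',
    '198.51.100.7 - - [28/Jul/2008:09:03:40 +0000] '
    '"GET /awstats/awstats.pl?config=example.org&configdir=/etc/awstats;PLACEHOLDER HTTP/1.1" 404 210',
    '203.0.113.5 - - [28/Jul/2008:09:05:02 +0000] '
    '"GET /cgi-bin/awstats.pl?config=example.org&configdir=/etc/awstats HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Jul/2008:09:06:30 +0000] "GET /index.html?note=a;b HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(ip, target)
```

A hit that returned 404 means the script was requested but is not present at that path; a 200 on any awstats.pl request shows the script is actually deployed on that server.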

shiznitide Tue, 07/29/2008 - 04:04

Not really sure. I don't use it myself but honestly someone inside the network could be. I just get the alerts, do the research, pass on advice, etc... Thanks for the help.
