AWStats configdir exec

shiznitide
Level 1

In the past week, I have received a plethora of alerts with this High Level title. After blacklisting the host IP, it is back with a different one. I am starting to get concerned because the first IP address that was blacklisted was a hacker.

Can someone tell me if this is a false positive or not?

Or, what is actually setting this sensor off?

2 Replies

mhellman
Level 7

That signature fires on a match of an attempt to call the awstats.pl cgi script with a parameter of configdir and a parameter value containing a ";" or "|". It seems pretty unlikely to be a false positive in the sense that it is probably not legitimate traffic. It isn't necessarily a hacker targeting your systems... it may just be a worm or script that scans the Internets looking for vulnerable systems.

Do you use awstats?

Not really sure. I don't use it myself but honestly someone inside the network could be. I just get the alerts, do the research, pass on advice, etc... Thanks for the help.
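The match condition described in mhellman's reply, applied to web server access logs, as an added example that is not part of the original thread or of the IPS signature itself. It assumes Apache-style common log format; the sample lines and IP addresses are constructed, and the response status is used to show whether awstats.pl actually exists on the server.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (common log format, documentation-range IPs).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cx%7C HTTP/1.0" 404 210
203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] "GET /stats/awstats.pl?configdir=a%253Bb HTTP/1.0" 404 210
192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')


def full_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253B and %3B both become ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (hits, served): hits are (ip, status, decoded configdir value)
    for awstats.pl requests whose configdir contains ';' or '|'; served is
    True if any awstats.pl request got a 2xx, i.e. the script exists here."""
    hits, served = [], False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        path, _, query = target.partition("?")
        if not path.lower().endswith("awstats.pl"):
            continue
        served = served or 200 <= status < 300
        # Split on '&' by hand so a raw ';' stays inside the value.
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            value = full_decode(value)
            if full_decode(name).lower() == "configdir" and re.search(r"[;|]", value):
                hits.append((ip, status, value))
    return hits, served


if __name__ == "__main__":
    hits, served = scan(SAMPLE_LOG.splitlines())
    for ip, status, value in hits:
        print(f"{ip} status={status} configdir={value!r}")
    print("awstats.pl answered with 2xx:", served)
```

Hits that all return 404 alongside `served` being false point to untargeted scanning of a host that does not run AWStats; a 2xx on any awstats.pl request means the script is deployed and its version should be checked.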
