
New Member

AWStats configdir exec

In the past week, I have received a plethora of alerts with this High Level title. After blacklisting the host IP it is back with a different one. I am starting to get concerned because the first IP address that was blacklisted was a hacker.

Can someone tell me if this is a false positive or not?

Or, what is actually setting this sensor off?

2 REPLIES
Gold

Re: AWStats configdir exec

That signature fires on a match of an attempt to call the awstats.pl cgi script with a parameter of configdir and a parameter value containing a ";" or "|". It seems pretty unlikely to be a false positive in the sense that it is probably not legitimate traffic. It isn't necessarily a hacker targeting your systems... it may just be a worm or script that scans the Internets looking for vulnerable systems.

Do you use awstats?
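Added example, not part of the original reply and not Cisco's signature code: a check that applies the match described above (a request to awstats.pl whose configdir value contains ";" or "|") to web server access logs, and reports the response status so you can tell whether the script exists on the server at all. The combined log format, the sample lines, the case-insensitive parameter match and the function name are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample lines in combined log format; IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/awstats.pl?config=example HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:10:05:12 +0000] "GET /cgi-bin/awstats.pl?configdir=%7CPLACEHOLDER%7C HTTP/1.0" 404 210
198.51.100.8 - - [01/Jan/2024:10:07:40 +0000] "GET /awstats/awstats.pl?ConfigDir=/tmp;PLACEHOLDER HTTP/1.0" 200 1024
192.0.2.11 - - [01/Jan/2024:10:09:03 +0000] "GET /index.html?configdir=|x| HTTP/1.1" 200 100
"""

# Request line and status code as they appear in common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')


def find_configdir_hits(lines):
    """Return one dict per request that matches the signature's description."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Only requests addressed to the awstats.pl CGI script are of interest.
        if not parts.path.lower().endswith("/awstats.pl"):
            continue
        # Split on "&" by hand so a ";" inside a value is kept, not treated
        # as a parameter separator.
        for pair in parts.query.split("&"):
            name, _, value = pair.partition("=")
            value = unquote_plus(value)  # decode %7C -> "|", %3B -> ";"
            if unquote_plus(name).lower() == "configdir" and any(c in value for c in ";|"):
                hits.append({
                    "src": line.split()[0],
                    # 404 suggests the script is not installed at that path;
                    # 200 means it answered and the host needs a closer look.
                    "status": int(m.group("status")),
                    "value": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_configdir_hits(SAMPLE_LOG.splitlines()):
        print(hit["src"], hit["status"], repr(hit["value"]))
```

A hit with a 404 status is consistent with blind scanning; a hit with a 200 status only shows that awstats.pl responded, so check that server's AWStats installation and version.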

New Member

Re: AWStats configdir exec

Not really sure. I don't use it myself but honestly someone inside the network could be. I just get the alerts, do the research, pass on advice, etc... Thanks for the help.
