Well, my primary box was cracked by a dipshit going after the recent awstats.pl bug.

It's the same thing that hit Russell the other day.

The bare bones stuff (blog/comments/inbound email) is working on my secondary box. But a lot more needs to be fixed.

Yeay for me having reasonably good backups!

Boo for the asshole who did it.

More later, but I need to sleep. It's 3.5 hours past when I planned to go to bed.

:-(

Posted by jzawodn at February 01, 2005 02:29 AM

Reader Comments
# Dan Isaacs said:

Bloody wanker. Thankfully I haven't updated much besides email in the past few days. And you have good backups online.

Just what you needed, eh?

on February 1, 2005 05:01 AM
# Russ said:

Oooooh! It was Awstats! S.O.B! Thanks Jeremy, that clears my mind tremendously.

Sorry you got hacked as well... what a pain in the ass.

-Russ

on February 1, 2005 06:08 AM
# Richard Rodger said:

Don't you guys have awstats password protected?

Well I'm going to update anyway just to be safe -thanks for the heads-up.

on February 1, 2005 07:01 AM
# Pooya Karimian said:

you mean even the mysql mirror?

on February 1, 2005 08:44 AM
# Jacques said:

Busy upgrading my awstats port under FreeBSD. Thanks for the warning.

on February 1, 2005 09:36 AM
# Charles said:

What's this about an awstats bug? I poked around and haven't found any info on any awstats exploits. I'm backing up my server and preparing to upgrade to any newer versions, but I don't see anything to indicate there was any security gap, or any solution.

on February 1, 2005 09:59 AM
# Mark Denovich said:

I got dinged by a Twiki exploit a month or two ago. Also a major pain. I guess they hadn't found my awstats.pl in the meantime (or mine is new enough) but I chmod -rwx'd it just to be safe.

If you are trying to clean up your box, check out http://www.rootkit.nl/projects/rootkit_hunter.html; it does a good job of ferreting out all the booby traps left behind. Take note that modern rootkits compromise all the common diagnostic tools (ls, ps, lsof, etc.), which makes it hard to see what the hell is really going on.

on February 1, 2005 10:06 AM
# Charles said:

Ah, I found a reference to the exploit. I thought I'd post it just so everyone knows what is going on.

http://www.k-otik.com/exploits/20050124.awexpl.c.php

Looks like versions of awstats 6.2 and lower are vulnerable, v6.3 has the fix.

on February 1, 2005 10:42 AM
# Patrick Gibson said:

I've noticed that most web-based exploits work by executing commands that download, compile, and run files in /tmp. My question is why /tmp allows execution by default on most Unix distributions? I run FreeBSD on my servers, and have the noexec flag in /etc/fstab for the /tmp partition. While you shouldn't only rely on this, it does seem to resist most if not all of the PHP/Perl/web-based exploits in the recent past long enough to give me an opportunity to upgrade or fix whatever is causing the problem. When the recent phpBB exploit was announced, I noticed several attempts in my /tmp of people downloading source code or pre-compiled binaries, but none were successful.

The only time this has caused a problem for me is when I need to do a make world in FreeBSD. This is easily resolved by remounting /tmp without the noexec flag for the period during which I'm upgrading the system.

on February 1, 2005 10:43 AM
# Vitaliy said:

Patrick's suggestion is indeed a very nice and easy to implement line of defense against many script kiddies.

If you don't have /tmp in a separate partition and/or don't want to make a separate partition for it you can use a loopback device.

One place where I had problems with it is with "pear install APC" or most probably any other PECL package.

on February 1, 2005 12:34 PM
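The noexec /tmp defence that Patrick and Vitaliy describe fails silently when the directory is not actually its own mount point (it then inherits the parent filesystem's exec permission) or when the option was dropped after a remount. As an added example, not code from the post or its commenters, this POSIX shell script checks a /proc/mounts-style mount table for the noexec and nosuid options on a given path; the embedded mount table and the FreeBSD fstab line in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not from the post or its comments): verify that a temp
# directory is its own mount and carries noexec (and nosuid), the setting
# the comments above recommend. Input is the Linux /proc/mounts layout:
#   device mountpoint fstype options dump pass
# A constructed table is embedded so this runs offline; pass a real one as
# the second argument, e.g. check_tmp_hardening /tmp "$(cat /proc/mounts)".
# Constructed FreeBSD-style fstab line for the hardened setting (placeholder
# device):  /dev/ad0s1e  /tmp  ufs  rw,noexec,nosuid  2  2
# The weak variants are the same line with plain "rw", or no separate /tmp
# at all (which inherits the root filesystem's exec permission).

# Constructed sample: /tmp hardened, /var/tmp left with defaults.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/tmp ext4 rw,relatime 0 0'

# mount_options MOUNTPOINT [TABLE]: print the option field for MOUNTPOINT,
# nothing if it is not a mount point in TABLE (defaults to the sample).
mount_options() {
    printf '%s\n' "${2:-$SAMPLE_MOUNTS}" |
        awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# has_option OPTIONS NAME: succeed if NAME is one of the comma-separated options.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# check_tmp_hardening MOUNTPOINT [TABLE]: print "ok", "not-separate" or
# "missing:<opts>"; return non-zero unless fully hardened.
check_tmp_hardening() {
    opts=$(mount_options "$1" "$2")
    if [ -z "$opts" ]; then
        echo "not-separate"
        return 1
    fi
    missing=""
    has_option "$opts" noexec || missing="noexec"
    has_option "$opts" nosuid || missing="${missing:+$missing,}nosuid"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Stand-alone run over the constructed sample.
for d in /tmp /var/tmp /home; do
    printf '%-9s %s\n' "$d" "$(check_tmp_hardening "$d")"
done
```

Run it against the live table as part of a post-upgrade checklist, since remounting /tmp with exec for a build (as Patrick describes) is exactly the moment the noexec option tends to get forgotten.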
# Jeramey Jannene said:

It's obvious to me that they're going after Yahoo employees now. First Russ, now you. Yahoo.com is clearly the end goal, yep, clear as mud.

on February 1, 2005 12:54 PM
# Jesper said:
on February 1, 2005 12:54 PM
# Justin said:

Jesper,

Funny how these sites can index (with screen shots) right when the hack takes place. I hit Jeremy’s site like 20 sites a day via rss and did not even notice anything except last night when I was getting connection refused.

- Justin

on February 1, 2005 03:30 PM
# Ben Milleare said:

The reason they get the screenshot so quick is because the defacers report the crack straight away:

http://www.zone-h.org/en/defacements/notify

on February 2, 2005 07:04 AM
# Dom Ramsey said:

I assume you just haven't gotten around to fixing http://www.zawodny.com/ yet?

Thought I'd mention it, just in case you hadn't noticed it's still defaced. :(

on February 2, 2005 03:45 PM
# Jeremy Zawodny said:

Nope, been busy.

on February 2, 2005 04:12 PM
# Charles said:

I upgraded my server to the new awstats version, I even took some extra time to put in mod_rewrite gadgets to stop inline linking of pics, to stop people from leeching off my server. So I just wanted to drop you a thank-you note, Jeremy, your "Fun With mod_rewrite" tip was invaluable. I could never get mod_rewrite to work in .htaccess, I had no idea you could just put the directives into the Virtual Hosts section of httpd.conf until you mentioned it.

on February 2, 2005 10:38 PM
# Matt said:

Well apparently, they're not too smart. They hit my server a while back and I traced them to here:

#Infektion On Irc.GigaChat.net

They have their own chat room on IRC.

on February 4, 2005 12:09 PM
# Justin Lundy said:

I wouldn't feel bad about this. The FBI just got 0wn3d today too:

FBI mail server gets 0wn3d

on February 4, 2005 03:45 PM
# said:

What a shame you were hit by this. I've been trying to make some noise about this possible after seeing the first hits on the 28th January. It seems the attackers are using a now standard technique of surfing google for pages that have a particular path in their url and then slamming them.

Unfortunately it took quite some time before the problem was acknowledged and a new stable release produced by the awstats author (although various distros (debian, suse, gentoo) had fixed versions before the 28th).

Although it is obfuscation you may want to make sure that any pages that are taking user input that don't need to be indexed are protected by robots.txt or NOINDEX tags. It's not foolproof since if you link to it the page may still turn up but maybe you will turn up later buying you more time (of course the damage has already been done)...

on February 5, 2005 03:41 AM
# said:

Almost forgot, blocking outgoing IRC on the server, although extreme, may also buy you some time.

on February 5, 2005 03:43 AM
# smitedogg said:

My site got hit by the same exploit, by the same losers, but they also installed a rootkit on the server, so you might want to watch out for that :-/

on February 5, 2005 01:46 PM
# wood said:

the public exploit for Awstats does not require /tmp access, only for the bot version of the exploit. Please get your facts straight.

on February 5, 2005 04:00 PM
# Ravi said:

So does this mean... you did not have an .htaccess rule protecting the directory with a password?

on February 12, 2005 09:06 AM
# Jeremy Zawodny said:

Ravi: Yes.

I had no reason to hide my stats.

on February 12, 2005 12:53 PM
# Ravi said:

Hi,
BTW, there is one more awstats security hole making the rounds...

and this time 6.3 is also vulnerable..

check this link for more info

http://securityfocus.com/archive/1/390368/2005-02-12/2005-02-18/0

Updating it to 6.4 development version is suggested...

Regards

on February 15, 2005 12:03 AM
# brainscan said:

haha owned.

on February 28, 2005 11:34 AM
# Picunk said:

Hello.
I have awstats 6.4 and I've been hacked today.

I think the problem is not the awstats 6.4 common to all accounts in cPanel, but I think one of the account owners has installed an awstats version below 6.3 himself and is doing this hack.

Is this possible? With the bugged awstats.pl file out there... we'll never rest, right? What can be done to stop this tremendous headache?

Thank you

on April 15, 2006 12:05 PM
# said:

Hi Jeremy,

My website got hacked last week and completely dismantled. The Yahoo techs won't help me. I can't even upload my backup because I was also somehow blocked out of FTP and WordPress. He did a lovely job. Even the nice Yahoo tech I initially called couldn't get in through FTP. My problem is apparently Teddy R., someone who e-mailed me from Yahoo tech support, thinks I need an attitude adjustment and the techs will not restore my website. He stated he could only see the communication where I was being rude. I don't understand because I didn't even use any profanity and the last 3 conversations to the 800 number have been fine because they were actually trying to help. Is it true tech support can't view everything... only the transcriptions where I wasn't happy for being on hold for 40 minutes 3 times in the same day? Anyway, can you please tell me who I can speak to that will not use their position to blackball the restoration of my website due to their personal feelings that I deserve to pay my monthly fees for nothing? I am not a bad person... I would just like to be able to get my site restored to the proper standards. Then if Teddy R. would like I can transfer all of my sites and domains to a different host. But I can't do anything until I can have access to my own site. I can't even upload files through the Yahoo Control Panel. Is this a Yahoo hack? It sure seems like it. Even if you won't post this I would greatly appreciate contact info to get my site restored.
Thanks.

on March 26, 2008 10:43 AM
# Kory Baker said:

Maybe publicizing my URL on a Yahoo tech's blog can finally help me to get YAHOO INC. to stop allowing their employees to commit FEDERAL OFFENSES upon me daily. Huh? What do you think? Do you think this will stop YAHOO CORPORATE, who has visited my blog, from turning a blind eye to the fact that dealing with their company has caused numerous murder attempts on my life as well as putting my young children through such a traumatic nightmare at such a young age?

KORY BAKER - ORANGEVALE, CALIFORNIA

on June 6, 2009 10:31 PM
# KORY BAKER said:

I forgot to add my url so everyone will know what I am referring to:

http://www.myspace.com/scarlett_letter_supermom

http://www.truecrimeblog.net

on June 6, 2009 10:43 PM