

and open source anti-viral programs like ClamAV now have signature files for the worm.

Given that the list includes most major Linux 2.4 and 2.6 distributions, it can be presumed that any Linux running an application that employs one of the vulnerable programs may be at risk. According to the Internet Storm Center, this worm is operating in the wild on the Internet. All the major anti-virus vendors, including Symantec Corp., McAfee Inc., and Computer Associates International Inc.
A Full Path Disclosure vulnerability in AWStats through 7.6 allows remote attackers to know where the config file is allocated.
Symantec also reported that many major Linux distributions, including Red Hat, SUSE and Turbolinux, can be impacted by this worm. The web interface for AWStats 6.4 and 6.5, when statistics updates are enabled, allows remote attackers to execute arbitrary code via shell metacharacters in the migrate parameter. Indeed, Symantec's Deepsight Alert Services recommends that, “Due to the ability of the remote user to perform so many different actions on the server computer, including installation of applications, it is highly recommended that compromised computers be completely reinstalled.” AWStats (Advanced Web Statistics) is a powerful, full-featured web server logfile analyzer which shows you all your Web statistics including: visitors, pages, hits, hours, search engines, keywords used to find your site, broken links. The more significant problem is what the attacker may have downloaded to the server while it was active. One need only delete the file: /tmp/lupii. It uses these, via the default Web server port, 80, in an attempt to find and infect other vulnerable systems. Once in place, Plupii generates a variety of URLs. This enables an attacker to gain unauthorized access to the compromised system. Next, it opens a back door through one or the other of these ports. Which port it attacks appears to be hard-wired into the worm and thus represents two different versions of the same worm. When Plupii is successful in infecting a server, it then sends a notification message to an attacker at a remote IP address via UDP port 7222 or 7111. There is, at this time, no known fix for the program. Versions 6.4, which came out in March, and higher are immune. Finally, Webhints is an older script program that's designed to set up and maintain a “Hint (Quote/Tip/Joke/Whatever) of the Day” page. Only servers which run AWStats 5.0 to 6.3 can be attacked. There are now fixes available for this hole for most systems. AWStats is a popular, open-source log-file analyzer.
The XML-RPC hole commonly exists in blogging and Wiki programs. The three vulnerabilities it attacks through are the XML-RPC for PHP Remote Code Injection vulnerability, the AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability, and the Darryl Burgdorf Webhints Remote Command Execution Vulnerability. It attempts to use three different Web-service security holes in its attempts to infect Linux-based systems that are running the vulnerable services. This worm, also known as Linux/Lupper.worm or luppi, is a blended threat. Over the last few days, a new worm, Linux.Plupii, which attacks Linux systems via Web-server related services, has made its appearance. For example, the “Visits by Server Time” table reveals that there were 15089 unique visitors on Jan 27. Question 1: Could you suggest some reason why this may have happened? Additionally, I am puzzled by the analysis produced for Jan 27 and Jan 29, where the Dashboard graph shows 0 unique visitors, while, in fact, there have been recorded (by piwik) unique visitors.

Indeed, reports for these dates are empty. I have been unable to relate these issues to any specific events. You can see that on Feb 6 and Feb 9, for some reason, something went wrong and stats were not produced. logrotate with prerotate script) seems to be working well, except that in some cases piwik does not seem to complete the analysis. Note: I am now running Piwik 2.0.3 on CentOS 6.5 (on a professionally hosted virtual machine, hosting a website under NGINX / mysql / php-fpm).
