> > Someone was able to install zbind on my machine using the following scripts.
> > The damage was limited to www-data, a restricted user, and logs were able
> > to monitor behaviour, but posed a large threat.
> <snip>
>
> I notice that the attacker tried a number of different URLs. Is it
> possible that there was a second version of awstats installed, aside
> from the packaged version, and that that was vulnerable to the configdir
> exploit?

He uses all of the following paths, with the indicated response code:

/awstats/awstats.pl: 404
/cgi-bin/awstats.pl: 200
/cgi-bin/awstats/awstats.pl: 404

The second one appears to have been the one that succeeded, and that is
indeed the location of the Debian-installed awstats script (assuming that
there was no custom apache configuration or virtual hosts or user
directories to modify cgi-bin). But I tend to agree with you that there
may have been a custom installed script available at that location that
was vulnerable.

Charles

--
To a substitute
He gave a trial
It took off
Nothing
But his smile
Burma-Shave
http://burma-shave.org/jingles/1945/to_a_substitute
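
The path-by-path triage described in the message above can be scripted. This is an added example, not part of the original thread: it groups awstats.pl requests that carry a `configdir` parameter by client and lists which paths answered 200. The log lines, addresses, dates and the `PLACEHOLDER` value are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines (documentation IPs, placeholder value).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2005:10:00:01 +0000] "GET /awstats/awstats.pl?configdir=PLACEHOLDER HTTP/1.0" 404 280 "-" "-"
203.0.113.7 - - [01/Jan/2005:10:00:02 +0000] "GET /cgi-bin/awstats.pl?configdir=PLACEHOLDER HTTP/1.0" 200 512 "-" "-"
203.0.113.7 - - [01/Jan/2005:10:00:03 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=PLACEHOLDER HTTP/1.0" 404 290 "-" "-"
198.51.100.9 - - [01/Jan/2005:10:05:00 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# client, method, request target, status from a common/combined log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def awstats_probes(log_text):
    """Map client -> {path: status} for awstats.pl requests carrying configdir."""
    hits = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/awstats.pl"):
            continue
        # Normal report views use config=...; configdir in a request is the signal.
        if "configdir" not in parse_qs(url.query, keep_blank_values=True):
            continue
        hits[client][url.path] = int(status)
    return dict(hits)


def triage(log_text, min_paths=2):
    """Clients that tried several script locations, with the paths that returned 200."""
    report = {}
    for client, paths in awstats_probes(log_text).items():
        if len(paths) >= min_paths:
            report[client] = sorted(p for p, s in paths.items() if s == 200)
    return report


if __name__ == "__main__":
    for client, served in triage(SAMPLE_LOG).items():
        print(client, "probed awstats.pl; answered 200 at:", served or "nowhere")
```

A 200 only shows that a script was served at that path; which copy of awstats lives there, and whether it was vulnerable, still has to be checked on the host.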