Urgent warning - obviously new exploit

Faglork · #1 (**permalink**) 01-17-2006, 09:10 AM

Hello,

a warning for all: We are seeing right now numerous attempts to access files associated with various well-known and widely used programs. Obviously some exploits exist, notably around the XML-RPC interface. I suggest you visit the homepage/support forums of these programs to find out whether you need to take precautions. The files in question are:

Code:

[Mon Jan 16 21:34:58 2006] [error] [xxx] File does not exist: /web/awstats/awstats.pl.
[Mon Jan 16 21:34:59 2006] [error] [xxx] script not found or unable to stat: /u/httpd/cgi-bin/awstats.pl.
[Mon Jan 16 21:35:00 2006] [error] [xxx] script not found or unable to stat: /u/httpd/cgi-bin/awstats.
[Mon Jan 16 21:35:03 2006] [error] [xxx] File does not exist: /web/blog/xmlrpc.php.
[Mon Jan 16 21:35:04 2006] [error] [xxx] File does not exist: /web/blog/xmlsrv/xmlrpc.php.
[Mon Jan 16 21:35:05 2006] [error] [xxx] File does not exist: /web/blogs/xmlsrv/xmlrpc.php.
[Mon Jan 16 21:35:06 2006] [error] [xxx] File does not exist: /web/drupal/xmlrpc.php.
[Mon Jan 16 21:35:07 2006] [error] [xxx] File does not exist: /web/phpgroupware/xmlrpc.php.
[Mon Jan 16 21:35:08 2006] [error] [xxx] File does not exist: /web/wordpress/xmlrpc.php.
[Mon Jan 16 21:35:11 2006] [error] [xxx] File does not exist: /web/xmlrpc/xmlrpc.php.
[Mon Jan 16 21:35:12 2006] [error] [xxx] File does not exist: /web/xmlsrv/xmlrpc.php

hth,
faglork

ADAM Web Design · #2 (**permalink**) 01-17-2006, 03:55 PM

Good post (as always!)

This one oughta be stickied.

Syspira · #3 (**permalink**) 01-17-2006, 10:32 PM

I checked WordPress's site, since I have WP blogs on several of my own and my clients' sites. Any version prior to 1.5 is vulnerable, so people running WP should check what version they have and upgrade if necessary.

google junky · #4 (**permalink**) 01-18-2006, 09:19 AM

I have my site setup to email me if ever a visitor hits a 404 page.
I get requests for those files showing up almost everyday now.

Faglork · #5 (**permalink**) 01-18-2006, 09:50 AM

See
http://www.hardened-php.net/advisory_142005.66.html
http://isc.sans.org/diary.php?storyid=823
http://www.gulftech.org/?node=resear...00088-07022005
for details.

Obviously, the vulnerability has been known for some time.

faglork

google junky · #6 (**permalink**) 01-18-2006, 10:42 AM

I also get the info of where it comes from when I get the emails about the requested pages and where they are coming from.

Not sure if im allowed to post this. If a mod sees a problem with it then delete my post.

Quote:

Time of the error:

browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Page Requested: xxx.xx.xxx.xx/blog/xmlsrv/xmlrpc.php

Referer:
IP Address: 216.127.92.9
Hostname: onicrom.com

Quote:

Time of the error:

browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

Page Requested: xxx.xx.xxx.xx/xmlrpc.php

Referer:

IP Address: 62.154.176.138

Hostname: mail.icongmbh.de

that's just 2 of many requests for pages from these sites.
I have tried to send these sites an email about their site requesting these pages. I never get a reply.

sunnet · #7 (**permalink**) 01-30-2006, 06:32 AM

The entries being seen in the logs correspond to known attacks for known vulnerabilities in the AwStats perl Website Statistics software, and in the XML-RPC library included with PHP.

If you are not running a site which uses AwStats, and are not running a site which makes use of PHP's XML-RPC functionality at all (many CMS and blogging tools use it), then you have nothing to fear from these attacks.

If you do run a site which uses either of these features, then you should really consider moving the applications to non-standard installation points (i.e. changing the directories they live in from a default installation), and update to the latest versions of all your software (most packages which were vulnerable to these attacks have been updated for a while).

bodgekaloopie · #8 (**permalink**) 01-30-2006, 10:28 AM

Upon reading this post I promptly consulted with our hosting tech and was informed that the AWStats security holes apply to copies of AWStats that are installed as CGI scripts.

AWStats installations that are HTML based (which we use) are apparently not vulnerable to this threat.

Faglork · #9 (**permalink**) 01-30-2006, 11:31 AM

Quote:

Originally Posted by bodgekaloopie

Upon reading this post I promptly consulted with our hosting tech and was informed that the AWStats security holes apply to copies of AWStats that are installed as CGI scripts.

AWStats installations that are HTML based (which we use) are apparently not vulnerable to this threat.

HTML "based" ...? *something* has to do the work ;-)

Most likely it is command-line driven and run by a cron job, so you get only the generated HTML reports. Most stats packages are configured this way, since it makes no sense to let the users play around with the cgi interface ... too much server load.

Just wanted to clarify this.

A somewhat longer list of xml-rpc "victims" can be found at
http://secunia.com/search/?search=xml-rpc+php

Note that PHPAdsNew is in the list - it is a widely used adserver.

faglork

bodgekaloopie · #10 (**permalink**) 01-30-2006, 08:32 PM

The impression I got from our tech was that there are two versions, and what I posted ("HTML based") was quoted directly from him, but what you say makes absolute sense. Thanks for clarifying.