Hello Jim, As stated in bug #491200 I'm packaging the latest version of webalizer but I didn't get it uploaded yet.
On Mon, Apr 18, 2011 at 02:05:27PM -0400, Jim Salter wrote:
> Package: webalizer
> Followup-For: Bug #622897
>
>
> Moritz, I believe that the initial attack was through webalizer because
> the path /var/www/.webalizer contained php injections which gave the
^-- with a dot
> attackers their initial shell, which was first used to host a phishing
> form which was also under /var/www/webalizer - whereas the production
^-- or no dot ?
> site on the host was under /[redacted]/[redacted], under which no files
> were added, removed, or modified.
>
The /var/www/webalizer directory is filled by webalizer, however,
webalizer is not a webapp written in php so I don't see how php could
compromise webalizer.
> I'm not sure what you mean by "recent years"; but my own research showed
> a widely-exploited security bug in Webalizer in 2009 which I sincerely
> hope was either fixed by the upstream maintainers, or at least patched
> in Debian's repos. If it's that bug... well, dear lord, please let's
> get that patched, it's been two years already? =)
>
> Ref:
> http://news.softpedia.com/news/Webalizer-Bug-Possibly-Leading-to-Mass-Web-Compromise-119983.shtml
Your reference does not really explain the exploit; following the link
on "warns" [1] I ended up on [2], which dates back to 2002 (not 2009).
1:
http://threatcenter.blogspot.com/2009/08/mass-compromise-of-sites-with-webalizer.html
2: http://linuxdevcenter.com/pub/a/linux/2002/04/16/insecurities.html
Looking in the webalizer changelog:
| 2.01-xx changes from 1.30-04
| [...]
| o Fix posible obscure buffer overflow bug in DNS resolver code
That could be the fix for the 2002 bug; however, lenny's webalizer
version is 2.01.10-32.4, so it uses webalizer 2.01-10, which already
includes this fix.
See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=143019
To get it patched, I guess we need a little more information on how
exactly you got attacked. Unless you had a pretty old version, it's not
the same bug.
Also, did you have the reverse DNS feature enabled (in the webalizer
configuration that outputs to /var/www/webalizer)? It's off by
default.
>
> ... or at LEAST let's fix the installation process so that it doesn't
> silently expose itself on the default site.
Well, once I've got the version uploaded with the latest upstream code, I
plan to look at the configuration parts, so I'll look at that too.
>
> I still use webalizer on some very high-traffic sites because I don't
> know of any other packages which can scale linearly to handle VERY high
> levels of traffic - one client of mine generates about 40G of Apache
> logs per day on app servers alone; webalizer's the only thing I know of
> that can handle that volume.
So help us identify that bug! :)
Best Regards,
Julien VdG
--
Julien Viard de Galbert <[email protected]>
http://silicone.homelinux.org/ <[email protected]>
GPG Key ID: D00E52B6 Published on: hkp://keys.gnupg.net
Key Fingerprint: E312 A31D BEC3 74CC C49E 6D69 8B30 6538 D00E 52B6