The Community Forums


awstats hack

Discussion in 'General Discussion' started by wptechno, Jul 28, 2005.

  1. wptechno

    wptechno Active Member

    Hi,

    Supposedly my admin says my box had just been compromised last week by someone who used awstats urls to perform a denial of service attack or something of that nature. Does anyone know anything about this security hole in awstats? If so, let me know if there is an update or something I can do to fix it cuz I had to disable it and my clients sure don't like that. Should I submit a support ticket or is this common knowledge?

    thanks,
    Ben
     
  2. chirpy

    chirpy Well-Known Member

    Unlikely, since the hacker would have to be logged in to a cPanel account to be able to run the awstats.pl script. It's most likely that if you were compromised, it was through some other route.
     
  3. tanfwc

    tanfwc Well-Known Member

    I had this problem too last week. Can anyone verify?
     
  4. chirpy

    chirpy Well-Known Member

    Verify what?

    I can verify that you cannot run awstats.pl without a valid cPanel login.
     
  5. tanfwc

    tanfwc Well-Known Member

    Oh well. Thanks, chirpy.
     
  6. wptechno

    wptechno Active Member

    OK. Well, so say it is an inside job. How would I be able to find out who did this? Also, is there an update to awstats so a user can't do this again?
     
  7. chirpy

    chirpy Well-Known Member

    It wouldn't really matter. If someone has the cPanel username and password, they're in your account anyway, which makes any issue that awstats.pl might have moot.
     
  8. AlexF

    AlexF Well-Known Member

    Chirpy,

    Perhaps they are using the following code to view Awstats outside cPanel.

    Unfortunately, I don't know diddly about PHP, so I'm not sure if the script is secure. Could this be the culprit?
     
  9. Andrew87

    Andrew87 Member


    Wasn't phpbb.com brought down by some sort of awstats vulnerability?
     
  10. gpreston

    gpreston Well-Known Member

    That's what they said, but who knows if their Awstats is accessible to anyone or if it was hidden behind a cPanel login like ours would be.
     
  11. chirpy

    chirpy Well-Known Member

    Could be; using such scripts is indeed an open invitation to be hacked.
     
  12. chirpy

    chirpy Well-Known Member

    IIRC, yes. But, AFAIK, that had nothing to do with cPanel at all, they just had a publicly executable awstats.pl.
     
  13. AlexF

    AlexF Well-Known Member

    I actually use this script for a customer who requested access to their stats outside of cPanel. Although I have .htaccessed the directory, so perhaps it is secure. But since I'm not sure, I'll probably scrap it. Your thoughts on this would be appreciated.

    Thanks,
    Alexander Fernandez
     
  14. chirpy

    chirpy Well-Known Member

    Having it behind a .htaccess will help. The problem is this, though, (apart from it being awstats):
    Code:
    $user = 'username';//your cpanel username
    $pass = 'password';//your cpanel password
    You only need an exploitable php script on the site (and potentially anywhere on your server) and a hacker will have easy access to your cPanel password.
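
An added example (not part of the post above, and not cPanel's or the script author's code): a small Python audit for the problem chirpy describes. It walks a document root, flags PHP-like files that assign a string literal to a password-style variable, and records whether the file is world-readable. The regex, the file extensions and the sample files are assumptions constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# Heuristic, not a PHP parser: a string literal assigned to $...pass... or $...pwd...
CRED_RE = re.compile(r"""\$(\w*(?:pass|pwd)\w*)\s*=\s*(['"])(.+?)\2\s*;""", re.I)
PHP_EXTS = (".php", ".inc", ".phtml")
# Constructed sample docroot: relative path -> (contents, file mode).
SAMPLE = {
    "stats/index.php": ("<?php\n$user = 'username';//your cpanel username\n"
                        "$pass = 'password';//your cpanel password\n", 0o644),
    "contact.php": ("<?php\n$pass = $_POST['pass'];\n", 0o644),
    "private/db.inc": ("<?php\n$dbPwd = \"example-only\";\n", 0o600),
}

def scan_file(path):
    """Return one finding per hardcoded credential assignment in the file."""
    world = bool(path.stat().st_mode & stat.S_IROTH)  # any local account can read it
    text = path.read_text(errors="replace")
    return [
        # Report only the secret's length; never copy it into an audit report.
        {"path": str(path), "line": n, "variable": m.group(1),
         "secret_length": len(m.group(3)), "world_readable": world}
        for n, line in enumerate(text.splitlines(), 1)
        for m in CRED_RE.finditer(line)
    ]

def scan_docroot(docroot):
    """Scan every PHP-like file under docroot, in sorted path order."""
    hits = []
    for path in sorted(Path(docroot).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_EXTS:
            hits.extend(scan_file(path))
    return hits

def scan_sample():
    """Write SAMPLE into a temporary docroot, scan it, return relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (body, mode) in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
            target.chmod(mode)
        return [dict(f, path=Path(f["path"]).relative_to(tmp).as_posix())
                for f in scan_docroot(tmp)]

if __name__ == "__main__":
    print(*scan_sample(), sep="\n")
```

To audit a real account, call `scan_docroot()` on its document root; a finding marked `world_readable` is the case where any other script or account on the server can read the stored password.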
     
  15. AlexF

    AlexF Well-Known Member

    Definitely have a point there, Chirpy. Thanks for the opinion!
     
  16. henker

    henker Well-Known Member

  17. ttremain

    ttremain Well-Known Member

    Looking at this same vulnerability..
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

    The vulnerability allows someone to run a command as the awstats user... Would that user be 'cpanel'?

    If so, a malicious account holder, or someone who has managed to hack an account, could cause trouble outside of the account with this.

    By default, are any urlplugins installed?
    Is awstats 6.5 expected to be included soon?
     
  18. cPanelNick

    cPanelNick Administrator
    Staff Member

    We don't enable url plugins so this won't be a problem.
     
  19. chirpy

    chirpy Well-Known Member

    AIUI, scripts are run in the context of the user account, so it would only have implications (of which there aren't any as Nick has clarified) for that cPanel account anyway.
     
  20. ttremain

    ttremain Well-Known Member
