
awstats hack

Discussion in 'General Discussion' started by wptechno, Jul 28, 2005.

  1. wptechno (Active Member)

    Hi,

    Supposedly my admin says my box had just been compromised last week by someone who used awstats URLs to perform a denial-of-service attack or something of that nature. Does anyone know anything about this security hole in awstats? If so, let me know if there is an update or something I can do to fix it, because I had to disable it and my clients sure don't like that. Should I submit a support ticket, or is this common knowledge?

    thanks,
    Ben
     
  2. chirpy (Well-Known Member)

    Unlikely, since the hacker would have to be logged in to a cPanel account to be able to run the awstats.pl script. It's most likely that if you were compromised, it was through some other route.
     
  3. tanfwc (Well-Known Member)

    I had this problem too last week. Can anyone verify?
     
  4. chirpy (Well-Known Member)

    Verify what?

    I can verify that you cannot run awstats.pl without a valid cPanel login.
     
  5. tanfwc (Well-Known Member)

    Oh well. Thanks, chirpy.
     
  6. wptechno (Active Member)

    OK. Well, so say it is an inside job. How would I be able to find out who did this? Also, is there an update to awstats so a user can't do this again?
     
  7. chirpy (Well-Known Member)

    It wouldn't really matter. If someone has the cPanel username and password, they're in your account anyway, which makes any issue that awstats.pl might have moot.
     
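    The practical way to answer the "who did this" question above is the access log, because awstats.pl behind the cPanel login is only reachable by an authenticated user and that username is recorded on every request. The following is an added example for this thread, not code from the forum, from cPanel or from AWStats. It assumes a combined-format access log (cPanel's own log is close to that layout), an awstats.pl path of the /frontend/<theme>/awstats.pl kind, and that the third log field holds the authenticated cPanel user; the log lines, addresses and account names are constructed to exercise the detector. It flags awstats.pl requests whose query parameters carry shell metacharacters or plugin-loading parameters that the normal stats pages never send, and tallies awstats.pl hits per (client IP, user) so a burst, the denial-of-service angle from the first post, stands out as well.

```python
"""Scan access-log lines for awstats.pl abuse and attribute it to an actor.

Added example for this forum thread, not code from the forum, cPanel or AWStats.
Assumptions: Apache "combined" log layout, awstats.pl reached at a
/frontend/<theme>/awstats.pl style path, third field = authenticated cPanel user.
"""
import re
import urllib.parse
from collections import Counter

# ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) '
)

# Characters that have no place in a statistics query string but are exactly
# what command injection through a CGI parameter needs.
SHELL_META = re.compile(r'[|;`$<>]')

# Parameters that select or load AWStats plugins; the normal stats UI never
# sends them, so their presence alone is worth a look.
PLUGIN_PARAMS = {'pluginmode', 'loadplugin'}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    split = urllib.parse.urlsplit(rec['path'])
    rec['script'] = split.path
    rec['query'] = split.query
    # parse_qs splits on & first and then percent-decodes, so an encoded | or ;
    # hidden inside a value comes back as the literal character.
    rec['params'] = urllib.parse.parse_qs(split.query, keep_blank_values=True)
    rec['status'] = int(rec['status'])
    return rec


def is_awstats(rec):
    return rec is not None and rec['script'].endswith('/awstats.pl')


def is_suspicious_awstats(rec):
    """True for an awstats.pl request carrying shell metacharacters or plugin params."""
    if not is_awstats(rec):
        return False
    for name, values in rec['params'].items():
        if name.lower() in PLUGIN_PARAMS:
            return True
        if SHELL_META.search(name) or any(SHELL_META.search(v) for v in values):
            return True
    return False


def analyze(lines):
    """Summarise awstats.pl traffic: total, flagged requests, per-actor counts."""
    suspicious = []
    by_actor = Counter()  # (ip, user) -> awstats.pl requests; a burst shows here
    total = 0
    for line in lines:
        rec = parse_line(line)
        if not is_awstats(rec):
            continue
        total += 1
        by_actor[(rec['ip'], rec['user'])] += 1
        if is_suspicious_awstats(rec):
            suspicious.append(rec)
    return {'awstats_requests': total, 'suspicious': suspicious, 'by_actor': by_actor}


# Constructed sample lines (documentation-range addresses, made-up account);
# the third and fourth are the kind of request the detector is meant to catch.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Jul/2005:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - bensite [28/Jul/2005:10:02:40 +0000] "GET /frontend/x/awstats.pl?config=example.com&lang=en HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.77 - bensite [28/Jul/2005:10:03:01 +0000] "GET /frontend/x/awstats.pl?configdir=%7Cid%7C HTTP/1.1" 200 760 "-" "lwp-trivial/1.41"
198.51.100.77 - bensite [28/Jul/2005:10:03:02 +0000] "GET /frontend/x/awstats.pl?pluginmode=rawlog&loadplugin=rawlog HTTP/1.1" 200 760 "-" "lwp-trivial/1.41"
192.0.2.9 - - [28/Jul/2005:10:04:00 +0000] "GET /stats/awstats.pl?config=example.com HTTP/1.1" 404 210 "-" "curl/7.13"
"""

if __name__ == '__main__':
    result = analyze(SAMPLE_LOG.splitlines())
    print(f"awstats.pl requests: {result['awstats_requests']}")
    for rec in result['suspicious']:
        print(f"FLAG {rec['ip']} user={rec['user']} {rec['path']}")
    for (ip, user), n in result['by_actor'].most_common():
        print(f"{n:4d} {ip} {user}")
```

    Run against the real log with `analyze(open(path))`. The user column is only meaningful for requests that passed cPanel authentication; a flagged request with `-` in that field means awstats.pl was reachable without a login, which is the situation chirpy says should not exist on a stock cPanel box and is worth checking on its own.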
  8. AlexF (Well-Known Member)

    Chirpy,

    Perhaps they are using the following code to view Awstats outside cPanel.

    Unfortunately, I don't know diddly about PHP, so I'm not sure if the script is secure. Could this be the culprit?
     
  9. Andrew87 (Member)

    Wasn't phpbb.com brought down by some sort of awstats vulnerability?
     
  10. gpreston (Well-Known Member)

    That's what they said, but who knows if their Awstats is accessible to anyone or if it was hidden behind a cPanel login like ours would be.
     
  11. chirpy (Well-Known Member)

    Could be; using such scripts is indeed an open invitation to be hacked.
     
  12. chirpy (Well-Known Member)

    IIRC, yes. But, AFAIK, that had nothing to do with cPanel at all, they just had a publicly executable awstats.pl.
     
  13. AlexF (Well-Known Member)

    I actually use this script for a customer who requested access to their stats outside of cPanel. Although I have .htaccessed the directory, so perhaps it is secure. But since I'm not sure, I'll probably scrap it.. Your thoughts on this would be appreciated.

    Thanks,
    Alexander Fernandez
     
  14. chirpy (Well-Known Member)

    Having it behind a .htaccess will help. The problem is this, though, (apart from it being awstats):
    Code:
    $user = 'username'; // your cPanel username
    $pass = 'password'; // your cPanel password
    You only need an exploitable php script on the site (and potentially anywhere on your server) and a hacker will have easy access to your cPanel password.
     
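    The weakness chirpy describes is a credential stored as a string literal in web-served PHP source, where any arbitrary-file-read or include bug anywhere on the same server hands it over. The following audit script is an added example for this thread, not code from the forum or from cPanel: it walks a document root, reports PHP files that assign a literal to a credential-looking variable such as the `$user`/`$pass` pair quoted above, and notes whether the file is readable by other local users, which is what decides whether a bug in a different account's site can read it. The sample files, account name and paths are constructed here so it runs offline; the "hardened" file shows the alternative it does not flag, credentials read at runtime from a file outside the document root that only the account user can read.

```python
"""Audit PHP sources for hard-coded control-panel credentials.

Added example for this forum thread, not code from the forum or from cPanel.
The $user/$pass names follow the snippet quoted in the thread; the sample files,
account name and paths below are constructed so the script runs offline.
"""
import os
import re
import stat
import tempfile

# A string literal assigned to a credential-looking PHP variable.
CRED_RE = re.compile(
    r"""\$(?P<name>user(?:name)?|pass(?:word|wd)?|cpanel_?(?:user|pass))"""
    r"""\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*;""",
    re.IGNORECASE,
)


def scan_php_source(src):
    """Return (variable, value) pairs for credential literals in PHP source text."""
    return [(m.group('name'), m.group('value'))
            for m in CRED_RE.finditer(src) if m.group('value')]


def readable_by_others(path):
    """True if group or world read bits are set, i.e. another local user can read it."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_tree(root):
    """Walk a document root and report PHP files carrying credential literals."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.lower().endswith(('.php', '.inc')):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, 'r', errors='replace') as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings.append({
                    'path': path,
                    'variables': [name for name, _ in hits],
                    'readable_by_others': readable_by_others(path),
                })
    return findings


# Constructed sample: the pattern warned about in the thread.
VULNERABLE_PHP = """<?php
$user = 'bensite';//your cpanel username
$pass = 'Sup3rSecret!';//your cpanel password
$url  = "http://127.0.0.1:2082/frontend/x/awstats.pl?config=example.com";
?>"""

# Constructed sample: no secret is a literal in web-served source; the values
# come from a file outside the document root with owner-only permissions.
HARDENED_PHP = """<?php
$cfg  = parse_ini_file('/home/bensite/.awstats-proxy.ini');
$user = $cfg['user'];
$pass = $cfg['pass'];
?>"""


def build_sample_tree():
    """Create a throwaway document root holding both sample files."""
    root = tempfile.mkdtemp(prefix='docroot-')
    vuln = os.path.join(root, 'stats.php')
    hard = os.path.join(root, 'stats_hardened.php')
    with open(vuln, 'w') as fh:
        fh.write(VULNERABLE_PHP)
    os.chmod(vuln, 0o644)  # the usual upload default: every local user can read it
    with open(hard, 'w') as fh:
        fh.write(HARDENED_PHP)
    os.chmod(hard, 0o600)
    return root


if __name__ == '__main__':
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

    Point `audit_tree` at `/home/*/public_html` on a shared box and treat every hit as a credential that is already considered exposed: rotate it, then move the value out of the web root as in the hardened sample. Note that the .htaccess AlexF mentions protects the HTTP path only; a local file read from another account goes through the filesystem and never sees it, which is why the permission bit is reported alongside the literal.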
  15. AlexF (Well-Known Member)

    Definitely have a point there, Chirpy. Thanks for the opinion!
     
  16. henker (Well-Known Member, Root Administrator)

  17. ttremain (Well-Known Member, Root Administrator)

    Looking at this same vulnerability...
    http://www.idefense.com/application/poi/display?id=290&type=vulnerabilities&flashstatus=true

    The vulnerability allows someone to run a command as the awstats user... Would that user be 'cpanel' ?

    If so, a malicious account holder, or someone who has managed to hack an account, could
    cause trouble outside of the account with this.

    By default, are any urlplugins installed?
    Is awstats 6.5 expected to be included soon?
     
  18. cPanelNick (Administrator, Staff Member)

    We don't enable url plugins so this won't be a problem.
     
  19. chirpy (Well-Known Member)

    AIUI, scripts are run in the context of the user account, so it would only have implications (of which there aren't any as Nick has clarified) for that cPanel account anyway.
     
  20. ttremain (Well-Known Member, Root Administrator)