- Awstats awstats pl configdir install#
- Awstats awstats pl configdir update#
- Awstats awstats pl configdir software#
- Awstats awstats pl configdir code#
- Awstats awstats pl configdir windows#
Here’s how I have Apache set up, and the process I went through to get the missing days back into AWStats.
Awstats awstats pl configdir update#
Run the AWStats update tool, using AWStat’s logresolvemerge tool and other changed paramaters, to re-create the AWStats data file for that month.Copy the Apache logs with all of the stats for the month with the missing days to a temporary directory.Move the AWStats data files for months newer to a temporary directory.The AWStats Documentation (see FAQ-COM350 and FAQ-COM360) has some basic steps to fix the issue, outlined below:
Unfortunately, it’s a bit labor intensive, and depends on how you rotate your apache logs (if at all, which you should). I didn’t notice this until several days later, leading to a large gap in the stats for April. Cron is the absolutely necessary tool for getting the server to run things on a timed schedule.
Awstats awstats pl configdir software#
I reinstalled some software on our AWStats machine, and forgot to reinstall cron. Usually, as in my case, it’s because I messed up.
Awstats awstats pl configdir install#
But now (thanks Deb!), it appears to install some spyware.Sometimes AWStats will miss some days in calculating stats for your site, and that leaves a big hole in your records. Initially, we didn't see any malware installed by this site. It could be a cause of vigilante defacement, or maybe someones attempt to use anti-spam DDOS tools to DDOS the news site. We don't really know why this is happening. One fo the advertisement and one with content from the Al'Jazeera news site. Sadie Brinham notified us that the spamverised site 'redirects Spamvertised site redirected to Al'Jazeera Of course, for this to work you need to open the firewall for this traffic. Just run netcat -p 24212 -l (or replace 24212 with the port number of interest). To find out more, 'netcat' can be used to setup a quick listener. TCP traffic blocked at a firewall will typically not include any payload as all you should see is the SYN packet. Of payload from mystery traffic like this. Anybody got any idea what 23212/tcp could be used for? Maybe a recentīTW: As seen in the port 7162 example above, it is very helpful to get a bit Log excerpt he sent shows a few hits each minute from very different I didn't see it talk on port 7162.Īnother user reports that his router is rejecting port 23212 traffic. The application does communicate on numerous tcp ports. The packet dump captured during this test can be found here. To double check, I downloaded the latest version of Ares ('regular' version) and ran it for a short time. Similar traffic was reports in May of 2004 (on port 32624) and interpretedĪs P2P afterglow from a P2P application called 'Ares' (see the DShield GET sha1:3vIubshl4KdNlGzXw//cbRN6dsU= http/1.1
IMHO suspiciously like a P2P application, but we would like to know if anybodyĮlse sees it and what application uses this port. ?configdir=|echo%20 echo%20 id echo%20 echo|Įric Hughes submitted a packet he captured on port 7162. REQUEST_URI = /awstats/?configdir=|echo%20 echo%20 id echo%20 echo| REDIRECT_QUERY_STRING = configdir=|echo%20 echo%20 id echo%20 echo|?configdir=|echo%20 echo%20 id
Awstats awstats pl configdir windows#
HTTP_USER_AGENT = Mozilla/4.0 (compatible MSIE 6.0b Windows NT 5.0)
Awstats awstats pl configdir code#
HTTP_MOD_SECURITY_MESSAGE = Access denied with code 403. HTTP_HOST = HTTP_MOD_SECURITY_ACTION = 403 HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,Īpplication/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
Sid:1333 rev:1 classtype:web-application-attack )Īnd the captured request data (I removed some lines that may reveal too much about the attacked system): (msg:"WEB-ATTACKS id command attempt" flags:A+ content:"\ id" nocase This rule was derived from the following snort rule (line wrapped):Īlert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 The web hosting company attacked informed TheĪttacker defaced the respective website by replacing various 'index' files. This is helpful to find out if commands are executed as 'nobody', 'apache' or maybe even 'root' and allow the attacker to adjust a follow-up attack.Īnother reader reported an incident where this attack was succesful. 'id' is a command frequently executed by attackers, as it is ubiquitous across various Unix versions, and it will return details about the user executing the command. This rule will 'trigger' on all requests that contain the string ' id'. The following mod_security rule was used to detect the attempt: The traffic was flagged using mod_security.
We got a note from Ryan Barnet earlier, who detected an exploit attempt for this vulnerability. see ) detailed a vulnerability in the popular web statistics package 'AWStats'.
0 kommentar(er)
