#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:37:34 UTC
Added 2018-09-13 17:52:36 UTC
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 20:55:38 UTC
#alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:17;)
Added 2017-05-11 17:17:12 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:16;)
Added 2012-09-28 00:08:29 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:15;)
Added 2011-10-12 19:10:48 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; classtype: web-application-attack; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; sid:2001686; rev:15;)
Added 2011-09-14 21:02:55 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; classtype: web-application-attack; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid:2001686; rev:15;)
Added 2011-02-04 17:21:34 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid:2001686; rev:14;)
Added 2010-06-28 22:47:00 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid:2001686; rev:14;)
Added 2010-06-28 22:47:00 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid: 2001686; rev:14;)
Added 2010-01-07 14:15:42 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/WEB_SPECIFIC_APPS/WEB_Awstats; sid: 2001686; rev:14;)
Added 2010-01-07 14:15:42 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:13;)
Added 2010-01-07 13:30:45 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:13;)
Added 2010-01-07 13:30:45 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_awstats_remote_exec; sid: 2001686; rev:13;)
Added 2009-02-07 22:00:26 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2001686; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_awstats_remote_exec; sid: 2001686; rev:13;)
Added 2009-02-07 22:00:26 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:12;)
Added 2008-01-25 10:56:38 UTC
sample:
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;id;echo| HTTP/1.0..
--
RussellFulton - 27 Nov 2008
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "ET EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:12;)
Added 2008-01-25 10:56:38 UTC
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:11; )