Comment spam isn’t the only thing that bloggers need to worry about. Apparently a bug in a popular log file analysis program has been exploited by attackers, who were then able to deface a popular blog and other Web sites.
Blogger Jeremy Zawodny reported on his blog late Tuesday that his primary server had been hacked.
Blogger Russell Beattie also noted the results of discovering a break-in on his blog.
The attackers of the Zawodny site also submitted their defacement to a site that tracks such exploits. In this case, “Infecktion Group” claimed credit and posted screenshots of the defacements across four different subdomains attached to Zawodny.com (including family, twiki, textfiles, debian and Jeremy.zawodny.com). The defacement included a picture of a crying child with the caption, “This is my protest, this is my scream…you cannot close your eyes. The world have big problems and you wanna be more one?” [sic]
Over the last three days the same group has reported over 400 such defacements, though it is unclear how many are blogs and whether the same attack vector was used. In the Zawodny.com case, the attackers were apparently able to compromise the system by exploiting the AWStats Web log file analysis program used on his server.
The exploit is known as the “AWStats ‘configdir’ Remote Command Execution Exploit” and was publicly disclosed on January 17th by security firm iDefense. According to the iDefense advisory, remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the Web server. That is exactly the kind of access evidenced by the defacement perpetrated by the hacker group.
The AWStats project released version 6.3 on January 28th, which apparently fixes the flaw; all earlier versions remain at risk.
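For an administrator running AWStats, the two practical questions raised by the advisory are whether the installed version predates the 6.3 fix and whether the server's access logs show anyone probing the `configdir` parameter. The script below is an added example written for this page; it is not code from the article, from iDefense or from the AWStats project. It scans constructed Apache combined-format log lines for requests to `awstats.pl` whose `configdir` value contains anything other than ordinary path characters (the allowlist `[A-Za-z0-9_./-]` is the editor's assumption about what a legitimate directory path looks like, since the article does not describe the parameter's expected format), and it compares a dotted version string against the 6.3 release named in the article.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache combined format (not from the article).
# The third line carries a configdir value with a shell metacharacter (a pipe) in place
# of a directory path, which is the kind of input a log-analysis CGI should never accept.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2005:10:01:02 +0000] "GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.11 - - [18/Jan/2005:10:02:15 +0000] "GET /awstats/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Jan/2005:10:03:44 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cplaceholder%7C HTTP/1.1" 200 300 "-" "-"
198.51.100.8 - - [18/Jan/2005:10:05:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Apache combined format: client IP, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allowlist for a directory-path parameter: letters, digits, '_', '.', '/', '-'.
# Assumption by the editor, not a rule taken from AWStats or the article.
SAFE_PATH_RE = re.compile(r'^[A-Za-z0-9_./-]*$')


def suspicious_configdir(target: str):
    """Return the decoded configdir value if `target` is an awstats.pl request whose
    configdir parameter falls outside the path allowlist; otherwise return None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/awstats.pl'):
        return None
    # parse_qs percent-decodes values, so %7C becomes '|' before the allowlist check.
    for value in parse_qs(parts.query, keep_blank_values=True).get('configdir', []):
        if not SAFE_PATH_RE.match(value):
            return value
    return None


def scan_log(text: str):
    """Return one finding dict per log line that carries a suspicious configdir value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        bad = suspicious_configdir(m.group('target'))
        if bad is not None:
            findings.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'status': int(m.group('status')), 'configdir': bad})
    return findings


def version_at_risk(version: str, fixed: str = '6.3') -> bool:
    """True if a dotted numeric AWStats version sorts below the fixed release (6.3 per the article)."""
    def key(v: str):
        return tuple(int(p) for p in v.split('.'))
    return key(version) < key(fixed)


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} configdir={f['configdir']!r} status={f['status']}")
    print("6.2 at risk:", version_at_risk('6.2'), "| 6.3 at risk:", version_at_risk('6.3'))
```

Run it against a real access log by reading the file into `scan_log`; a hit with a 200 status is worth treating as a possible compromise rather than a blocked probe, since the article describes the vulnerable script running the injected command with the Web server's privileges. The allowlist approach (reject anything that is not a plain path) is deliberately stricter than trying to enumerate dangerous characters, which is also the shape of fix a CGI author would apply to the parameter itself.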