Web Stats Software Vulnerability Leads to Attacks
Web sites using an older version of AWStats, a popular tool for generating Web statistics, are being compromised by a flaw in the application that allows the execution of arbitrary commands on a server.
A leading anti-virus and security company has advised users of a popular Web stats logging application to update to the latest version of the software after seeing an increasing number of attempts to use a known bug to compromise servers. In a posting on the Viruslist.com Weblog on Tuesday, virus analysts from Kaspersky Lab warned that they had seen "vast numbers" of sites compromised using a vulnerability in AWStats, a free tool for generating graphical statistics for Web sites. The vulnerability, which affects versions of AWStats up to and including 6.2, allows the execution of arbitrary commands on a server, effectively giving malicious hackers complete control over the machine.
One of the sites compromised by the issue was PhpBB.com, home of the popular Web forum software PhpBB. A group apparently from Brazil and calling itself "The Simians Crew" used the vulnerability to deface the PhpBB site with political messages, including a picture of U.S. President George W. Bush's head superimposed on the body of a monkey.