<snip> > > > I got that part. What I am trying to understand (please bear with me) is > how the attacker might have modified the script command line. By just requesting http://site/cgi-bin/awstats.pl?onfigdir=....bad stuff....