Re: Hack?

On Tue, Dec 13, 2011 at 10:33 PM, Knute Johnson <apache@xxxxxxxxxxxxxxxx> wrote:
On 12/13/2011 7:12 PM, Yehuda Katz wrote:
On Tue, Dec 13, 2011 at 9:50 PM, Knute Johnson <apache@xxxxxxxxxxxxxxxx> wrote:

   This showed up in my log today on an Ubuntu server with Apache 2.2.17.
       /?file=../../../../../../proc/__self/environ%00 HTTP Response 200
       /?mod=../../../../../../proc/__self/environ%00 HTTP Response 200
       /?page=../../../../../../proc/__self/environ%00 HTTP Response 200

Thanks.  Is there some kind of application that stores data at these locations normally?
Linux. Or more specifically, it looks like it might be trying to attack a known vulnerability in the Linux Kernel.
See http://lwn.net/Articles/191954/ for more on that.

Explanation:
Let's say your web application loads files based on the (file/mod/page) query string value from the folder /srv/www/htdocs/pages/ with the extension .myfile
The attacker's request for
../../../../../../proc/__self/environ%00
will be viewed by your application as
/srv/www/htdocs/pages/../../../../../../proc/__self/environ%00.myfile
which the application will likely interpret as just
/proc/__self/environ

Lately I've been getting a bunch of requests for null files, hundreds of them.
You might want to look into using a program like Fail2Ban (www.fail2ban.org) or some other log parser to block them from hitting your server. 
The documentation for fail2ban is not incredible, but their support mailing list is usually responsive.

- Y
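
The path handling described under "Explanation" above, as an added example that is not part of the original message: it builds the path the way the hypothetical application would, shows what a NUL-terminated file API would end up opening, and contrasts that with a lookup that refuses the request. The function names are assumptions made for illustration; the folder and extension are the ones used in the explanation.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/www/htdocs/pages"   # folder from the explanation above
EXT = ".myfile"                  # extension from the explanation above

def naive_path(param):
    """What the naive application builds: base + user value + extension."""
    return BASE + "/" + unquote(param) + EXT

def effective_path(param):
    """Path a C-string based file API would open: everything from the NUL
    byte onward is dropped, then the ../ segments are collapsed."""
    raw = naive_path(param).split("\x00", 1)[0]
    return posixpath.normpath(raw)

def safe_path(param):
    """Hardened lookup (hypothetical helper): reject NUL bytes and any value
    that resolves outside BASE. Returns the path, or None if rejected.
    The check is lexical; a deployment with symlinks under BASE would also
    resolve them (os.path.realpath) before comparing."""
    value = unquote(param)
    if "\x00" in value:
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, value + EXT))
    if posixpath.commonpath([BASE, candidate]) != BASE:
        return None
    return candidate

if __name__ == "__main__":
    # Query string value taken from the log lines quoted in the message.
    probe = "../../../../../../proc/__self/environ%00"
    print("naive    :", repr(naive_path(probe)))
    print("effective:", effective_path(probe))
    print("safe     :", safe_path(probe))
    print("safe ok  :", safe_path("about"))
```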
