On 12/13/2011 7:57 PM, Yehuda Katz wrote:
On Tue, Dec 13, 2011 at 10:33 PM, Knute Johnson <apache@xxxxxxxxxxxxxxxx> wrote:

On 12/13/2011 7:12 PM, Yehuda Katz wrote:

On Tue, Dec 13, 2011 at 9:50 PM, Knute Johnson <apache@xxxxxxxxxxxxxxxx> wrote:

This showed up in my log today on a Ubuntu server with Apache 2.2.17.

/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200

Thanks.

Is there some kind of application that stores data at these locations normally?

Linux.

Or more specifically, it looks like it might be trying to attack a known vulnerability in the Linux Kernel. See http://lwn.net/Articles/191954/ for more on that.

Explanation: Let's say your web application loads files based on the (file/mod/page) query string value from the folder /srv/www/htdocs/pages/ with the extension .myfile. The attacker's request for ../../../../../../proc/self/environ%00 will be viewed by your application as /srv/www/htdocs/pages/../../../../../../proc/self/environ%00.myfile, which the application will likely interpret as just /proc/self/environ.

Lately I've been getting a bunch of requests for null files, hundreds of them.

You might want to look into using a program like Fail2Ban (www.fail2ban.org) or some other log parser to block them from hitting your server. The documentation for fail2ban is not incredible, but their support mailing list is usually responsive.

- Y
Thanks very much.

-- 
knute...

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
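The file loader described in the thread, side by side with a hardened version and a Fail2Ban-style count of probing requests over access-log lines, as an added example that is not code from the thread or from any project named in it. The directory, extension, client IPs and log lines are constructed from the thread's description.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed layout from the thread: pages live under PAGES_DIR and are
# selected by a query-string value, with EXT appended by the application.
PAGES_DIR = "/srv/www/htdocs/pages"
EXT = ".myfile"

def naive_resolve(param):
    """Vulnerable loader, as the thread describes it: '..' walks out of
    PAGES_DIR and a NUL byte truncates the string (as C-backed file calls
    in older interpreters did), which drops the appended extension."""
    path = PAGES_DIR + "/" + unquote(param) + EXT
    path = path.split("\x00", 1)[0]          # emulate NUL truncation
    return posixpath.normpath(path)

def safe_resolve(param):
    """Hardened loader: reject NUL bytes, normalise, then require the
    result to remain inside PAGES_DIR. Returns None on any violation."""
    name = unquote(param)
    if "\x00" in name:
        return None
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, name + EXT))
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate

# Detection over combined-format access-log lines, in the spirit of a
# Fail2Ban filter: count traversal / NUL / procfs probes per client IP.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
PROBE_RE = re.compile(r"\.\./|\x00|/proc/self/")

def count_probes(log_lines):
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(unquote(m.group(2))):
            hits[m.group(1)] += 1
    return dict(hits)

# Constructed sample log lines mirroring the requests quoted in the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2011:19:40:02 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512',
    '203.0.113.5 - - [13/Dec/2011:19:40:03 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Dec/2011:19:41:10 -0800] "GET /?page=about HTTP/1.1" 200 2048',
]
```

`naive_resolve` turns the quoted request into `/proc/self/environ`, while `safe_resolve` returns None for it and `count_probes(SAMPLE_LOG)` attributes both probes to the first client.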