On Sun, 22 Aug 2010, Gilbert Sebenste wrote:
> To: centos@xxxxxxxxxx
> From: Gilbert Sebenste <sebenste@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Strange Apache log entry
>
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
> --------------------- httpd Begin ------------------------
>
> A total of 1 sites probed the server
> 66.249.137.70
>
> A total of 2 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?
On my Fedora 12 server, searching for 'proc/self/environ' I
found the following in my apache log files:
www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10
+0100] "GET /file.php?file
[]=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP/1.1" 404 352
They didn't get much though, except a 404 error message.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
