Re: Strange Apache log entry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Sun, 22 Aug 2010, Gilbert Sebenste wrote:

> To: centos@xxxxxxxxxx
> From: Gilbert Sebenste <sebenste@xxxxxxxxxxxxxxxxxxxxx>
> Subject:  Strange Apache log entry
> 
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
>  --------------------- httpd Begin ------------------------
>
>  A total of 1 sites probed the server
>     66.249.137.70
>
>  A total of 2 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?

On my Fedora 12 server, searching for 'proc/self/environ' I 
found the following in my apache log files:

www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 
+0100] "GET /file.php?file
[]=../../../../../../../../../../../../../../../proc/self/environ%00 
HTTP/1.1" 404 352

They didn't get much though, except a 404 error message.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux