[CentOS] Strange Apache log entry
Eero Volotinen
eero.volotinen at iki.fi
Sun Aug 22 14:05:32 UTC 2010
2010/8/22 Gilbert Sebenste <sebenste at weather.admin.niu.edu>:
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
> --------------------- httpd Begin ------------------------
>
> A total of 1 sites probed the server
> 66.249.137.70
>
> A total of 2 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?
I think this is a bit antique attack:
http://foro.undersecurity.net/read.php?15,3768
--
Eero
More information about the CentOS
mailing list