On Sun, 22 Aug 2010, Gilbert Sebenste wrote:
To: centos@centos.org
From: Gilbert Sebenste <sebenste@weather.admin.niu.edu>
Subject: [CentOS] Strange Apache log entry
Hey everyone,
Logwatch flagged something in my Apache logs, and it says it was a possible successful probe. Hmmm. Here's what it says:
--------------------- httpd Begin ------------------------
A total of 1 sites probed the server 66.249.137.70
A total of 2 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
I didn't see anything on my server this morning, as I checked around it. Is this something to be concerned about? I'm fully patched (yum updated through this past week). Anybody else see this?
On my Fedora 12 server, searching for 'proc/self/environ' I found the following in my apache log files:
www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 +0100] "GET /file.php?file []=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 352
They didn't get much though, except a 404 error message.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------
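
One way to triage entries like the ones in this thread, added here as an example and not part of either poster's message: the Python below parses Apache access-log lines, decodes the request target, and reports directory-traversal requests with their status and response size. The `SENSITIVE` watch list, the verdict labels, the traversal depth of 15 and the third sample line are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Host, request target, status and size of an Apache access-log entry.
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
SENSITIVE = ("/proc/self/environ", "/etc/passwd")  # assumed watch list
UP = "../" * 15  # traversal depth assumed for the sample lines

# Modelled on the two entries quoted in the thread; the last line is constructed.
SAMPLE = [
    '66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=' + UP
    + 'proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"',
    'www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 +0100] '
    '"GET /file.php?file []=' + UP + 'proc/self/environ%00 HTTP/1.1" 404 352',
    '192.0.2.10 - - [21/Aug/2010:05:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024',
]

def classify(line):
    """Return a finding dict for a traversal probe, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Decode twice so double-encoded sequences such as %252e%252e are seen too.
    target = unquote(unquote(m.group("target")))
    depth = len(re.findall(r"\.\.[/\\]", target))
    null_byte = "\x00" in target
    if depth == 0 and not null_byte:
        return None
    status = int(m.group("status"))
    return {
        "host": m.group("host"),
        "path": target.split("?", 1)[0],
        "depth": depth,
        "targets": [p for p in SENSITIVE if p in target],
        "null_byte": null_byte,
        "status": status,
        "size": 0 if m.group("size") == "-" else int(m.group("size")),
        # 2xx only means a page was served, so the body still needs review.
        "verdict": "review" if 200 <= status < 300 else "rejected",
    }

def scan(lines):
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["verdict"], f["host"], f["status"], f["size"], f["path"], f["targets"])
```

For a `review` line, compare the logged size with the size the same URL returns without the parameter; a matching size suggests the parameter was ignored.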