[CentOS] Strange Apache log entry

Sun Aug 22 18:40:26 UTC 2010
Keith Roberts <keith at karsites.net>

On Sun, 22 Aug 2010, Gilbert Sebenste wrote:

> To: centos at centos.org
> From: Gilbert Sebenste <sebenste at weather.admin.niu.edu>
> Subject: [CentOS] Strange Apache log entry
> 
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
>  --------------------- httpd Begin ------------------------
>
>  A total of 1 sites probed the server
>     66.249.137.70
>
>  A total of 2 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?

On my Fedora 12 server, searching for 'proc/self/environ' I 
found the following in my apache log files:

www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 
+0100] "GET /file.php?file
[]=../../../../../../../../../../../../../../../proc/self/environ%00 
HTTP/1.1" 404 352

They didn't get much though, except a 404 error message.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with
TMDA [http://tmda.net]
-----------------------------------------------------------------