On Sun, 22 Aug 2010, Gilbert Sebenste wrote: > To: centos at centos.org > From: Gilbert Sebenste <sebenste at weather.admin.niu.edu> > Subject: [CentOS] Strange Apache log entry > > Hey everyone, > > Logwatch flagged something in my Apache logs, and it says it was a > possible successful probe. Hmmm. Here's what it says: > > --------------------- httpd Begin ------------------------ > > A total of 1 sites probed the server > 66.249.137.70 > > A total of 2 possible successful probes were detected (the following URLs > contain strings that match one or more of a listing of strings that > indicate a possible exploit): > > 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810" > 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810" > > I didn't see anything on my server this morning, as I checked around it. > Is this something to be concerned about? I'm fully patched (yum updated > through this past week). Anybody else see this? On my Fedora 12 server, searching for 'proc/self/environ' I found the following in my apache log files: www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 +0100] "GET /file.php?file []=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 352 They didn't get much though, except a 404 error message. Kind Regards, Keith Roberts ----------------------------------------------------------------- Websites: http://www.php-debuggers.net http://www.karsites.net http://www.raised-from-the-dead.org.uk All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------