#1
Old 20th September 2010, 20:34
Tripple (Senior Member)

Successful attack?

On an ISPConfig 2.2.35 server, logwatch mailed the following:

A total of 8 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):

/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
/index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200

Is this something I have to worry about?
#2
Old 20th September 2010, 21:37
till (Super Moderator, Lüneburg, Germany)

These are just probes; it does not show whether they were successful or not. Try to open the following URL in a browser:

Code:
www.domain.com/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ
You have to replace the domain name of the web site where you found this in front. Which output do you get?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
Old 20th September 2010, 21:42
Tripple (Senior Member)

I can see the homepage.
After a brief talk with the web designer: his categories are protected against an attack like that.
#4
Old 19th October 2011, 08:56
SamTzu (HowtoForge Supporter, Helsinki)

%00 is known as a "poison null byte" attack. Looks like it got through, since "Response 200" is not what we want to see. System commands can be included after that line.

Check if you can see your page with this command after the domain part...
Quote:
/?content=../../../../../../../../../../../../../../../proc/self/environ%00
An easy way to prevent this is to include these lines in the .htaccess file (the RewriteCond alone does nothing without a RewriteRule that acts on it).
Quote:
RewriteEngine On
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC]
RewriteRule .* - [F]
I have been meaning to address this problem. Should 'Perfect Server' also have mod_security installed and enabled? Or can we include that RewriteCond at server level in the Apache config?

You can install mod_security in Debian with these commands...
Quote:
apt-get install libapache-mod-security
a2enmod mod-security
/etc/init.d/apache2 force-reload
__________________
Sami Mattila, Internet-Content (http://www.internet-content.net)