Successful attack?

Discussion in 'General' started by Tripple, Sep 20, 2010.

  1. Tripple

    Tripple New Member

    On a ISPConfig 2.2.35 server, logwatch mailed the following:

    A total of 8 possible successful probes were detected (the following URLs
    contain strings that match one or more of a listing of strings that
    indicate a possible exploit):

    /index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
    /index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
    /index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
    /index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
    /index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
    /index.php?cat=contact/index.php?c=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200
    /index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP Response 200
    /index.php?cat=contact/index.php?category=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ HTTP Response 200

    Is this something I have to worry about?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This are just probes, it does not show if they were sucessful or not. try to open the following url in a browser:

    you have to replace the domain name of the web were you found this in front. which output do you get?
  3. Tripple

    Tripple New Member

    I can see the homepage.
    After a brief talk to the webdesigner his categories are protected agains an attack like that.
  4. SamTzu

    SamTzu Active Member

    %00 is known as a "poison null byte" attack. Looks like it got trough since "Response 200" is not what we want to see. System commands can be included after that line.

    Check if you can see your page with this command after the domain part...
    Easy way to prevent this is to include this line in the .htaccess file.
    I have been meaning to address this problem. Should 'Perfect Server' also have mod_security installed and enabled? Or can we include that RewriteCond on server level in the Apache config?

    You can install mod_security in Debian with these commands...

Share This Page