Gruver, Sandi wrote:
> From the mailman server's Logwatch program:
>
> A total of 1 sites probed the server
>     62.1.205.86
>
> !!!! 2 possible successful probes
>     /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
>     /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
>
> Is this likely a probe only or a notification of a compromise?

I saw the same thing in my Logwatch the other day. These messages are reported in the httpd report. This is suspicious from the httpd point of view because of the 200 response to the multi "../" URL, but if you look in Mailman's error log, you'll see entries like 'No such list "includes":' and 'No such list "sqlhelp":' corresponding to these because the Mailman CGIs protect against these attacks. All the attacker got was a "non-existent list" page from Mailman.

-- 
Mark Sapiro <m...@msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
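
An added example, not part of the original thread and not Mailman or Logwatch code: a triage script that pairs each "../" request answered with 200 against the 'No such list' entries in Mailman's error log, as the reply describes. The log lines are constructed, the "staff" list is hypothetical, and taking the list name as the first non-empty path component after the CGI name is an assumption that matches the two names quoted in the reply.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample logs (addresses, timestamps, sizes and the "staff" list are made up).
ACCESS_LOG = """\
192.0.2.10 - - [01/Jan/2010:10:00:01 +0000] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 1843
192.0.2.10 - - [01/Jan/2010:10:00:02 +0000] "GET /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 2210
192.0.2.10 - - [01/Jan/2010:10:00:03 +0000] "GET /mailman/listinfo/staff?x=../../etc/passwd HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2010:10:00:04 +0000] "GET /mailman/listinfo/staff HTTP/1.1" 200 5120
"""
ERROR_LOG = """\
Jan 01 10:00:01 2010 (4321) No such list "sqlhelp":
Jan 01 10:00:02 2010 (4321) No such list "includes":
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
NO_SUCH_LIST = re.compile(r'No such list "([^"]+)"')

def list_name(url):
    """Assumed layout: /mailman/<cgi>/<listname>/..., empty components ignored."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) >= 3 and parts[0] == "mailman":
        return parts[2].lower()
    return None

def triage(access_log, error_log):
    """Return (listname, verdict) for every traversal-style request that got a 200."""
    rejected = {name.lower() for name in NO_SUCH_LIST.findall(error_log)}
    results = []
    for line in access_log.splitlines():
        m = REQUEST.search(line)
        if not m or m.group(2) != "200":
            continue
        url = m.group(1)
        if "../" not in unquote(url):   # also catches %2e%2e%2f-style encodings
            continue
        name = list_name(url)
        # Correlation is by list name only; comparing timestamps would tighten it.
        verdict = "rejected-by-mailman" if name in rejected else "needs-review"
        results.append((name, verdict))
    return results

if __name__ == "__main__":
    for name, verdict in triage(ACCESS_LOG, ERROR_LOG):
        print(f"{name}: {verdict}")
```

A "needs-review" result only means no matching error-log entry was found; the response body for that request still has to be checked by hand.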