I have spent 8+ hours scouring the web, reviewing the Apache Httpd Cookbook,
the Definitive Reference, and the 2.2 documentation for mod_headers,
mod_proxy and core.
CONFIGURATION:
Apache Version:
Server version: Apache/2.2.15 (Unix)
Server built: Jul 18 2016 15:24:00
SSL offloading happens
On Mon, Feb 6, 2017 at 8:40 PM, wrote:
> broken apache httpd version 2.2.32:
>
> openssl s_client -connect : -pause
>
> when paused input this.
>
> GET /login/healthcheck/content_check.wecv HTTP/1.0
>
> Host:
s_client doesn't send CRLF unless you pass
broken apache httpd version 2.2.32:
openssl s_client -connect : -pause
when paused input this.
GET /login/healthcheck/content_check.wecv HTTP/1.0
Host:
You get bad request back from apache httpd
HTTP/1.1 400 Bad Request
Working apache httpd version 2.2.31:
openssl s_client -connect : -pause
On 2/6/2017 8:36 AM, Jack Swan wrote:
> What upsets me is that these two requests have status code 200, which means it
> was successful.
As Jonesy points out, it's normal for the web server to simply ignore a
request's query-string in a request where it wouldn't mean anything. So Apache
is
On Mon, 6 Feb 2017 20:17:00 +0100 (CET), Lentes, Bernd wrote:
> Why has the request status code 200 ?
Because the request was for the root document: "/"
The rest of the crap was a malicious query string that -- if
your root doc was .php, AND if your php version was vulnerable --
_might_ have
Oh really? Enable mod_dumpio and show us the GET from your F5 "pings".
2017-02-06 21:34 GMT+01:00 :
> This issue is different from the CR LF issue. We checked for any
> delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the
> same server,
This issue is different from the CR LF issue. We checked for any
delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the same
server, without any change in the configuration, but when we upgrade to 2.2.32,
apache reports a 400 error.
Bharath Kolla
-Original Message-
If you have python installed...
The following python script shows some simple commands for decoding (for
future reference).
test ="""
- On Feb 6, 2017, at 8:22 PM, Bernd Lentes
bernd.len...@helmholtz-muenchen.de wrote:
>> OK. I think I understand most of it.
>> First the attacker sets some values appropriate for him. Then he tries to
>> create
>> a file webconfig.txt.php and to write
>> in it.
>> Fortunately wwwrun
> OK. I think I understand most of it.
> First the attacker sets some values appropriate for him. Then he tries to
> create
> a file webconfig.txt.php and to write
> in it.
> Fortunately wwwrun can't write in /sr/www ... , following
> http://httpd.apache.org/docs/2.2/misc/security_tips.html
- On Feb 6, 2017, at 6:32 PM, Bernd Lentes
bernd.len...@helmholtz-muenchen.de wrote:
> - On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:
>
>> The first line is trying to create the file webconfig.txt.php in your
>> DOCUMENT_ROOT directory, with the contents of the
On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog wrote:
> I see these types of attack strings all the time on Nginx except Nginx gives
> a 403. Apache is notoriously bad with security and giving 200 ok responses
> makes you yourself. A reason I and many other people
- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote:
> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
>
>
>
> I didn't decode the remaining lines. I think they're just trying to do the
>
I see these types of attack strings all the time on Nginx except Nginx gives
a 403. Apache is notoriously bad with security and giving 200 ok responses
makes you yourself. A reason I and many other people have switched.
User support on this list was also nonexistent when I ran into serious
On 2017-02-06 12:08 pm, Lentes, Bernd wrote:
The first line is trying to create the file webconfig.txt.php in your
DOCUMENT_ROOT directory, with the contents of the file being:
I didn't decode the remaining lines. I think they're just trying to do
the same
thing.
Fortunately there is
> The first line is trying to create the file webconfig.txt.php in your
> DOCUMENT_ROOT directory, with the contents of the file being:
>
>
>
> I didn't decode the remaining lines. I think they're just trying to do the
> same
> thing.
>
Fortunately there is no webconfig.txt.php. And all
- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote:
> Actually now that I re-read the requests it also looks as shellshock successful
> attempt.
> Operative system software not updated recently either?
> 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > :
>> Have you
The first line is trying to create the file webconfig.txt.php in your
DOCUMENT_ROOT directory, with the contents of the file being:
I didn't decode the remaining lines. I think they're just trying to do the same
thing.
- Original Message -
From: bernd.len...@helmholtz-muenchen.de
Actually now that I re-read the requests it also looks as shellshock
successful attempt.
Operative system software not updated recently either?
2017-02-06 17:42 GMT+01:00 Daniel :
> Have you tried to send those requests yourself and see what you get?
>
> Still those requests
Have you tried to send those requests yourself and see what you get?
Still those requests seem to be aimed at your php framework.
Do you use a very old php version as well?
2017-02-06 17:41 GMT+01:00 Lentes, Bernd :
>
> - On Feb 6, 2017, at 5:14 PM,
- On Feb 6, 2017, at 5:14 PM, Bernd Lentes
bernd.len...@helmholtz-muenchen.de wrote:
> Hi,
>
> just in the moment I found two very weird entries in my access_log:
>
> 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
>
I didn't decode it all. I'll leave the rest up to you, but the %characters are
hexadecimal characters. Look up hex charset.
So the first line translates to (I may have missed a char or two...)
GET/?1=@ini_set("display_errors",
0);set_time_limit("0");@set_magic_quotes_runtime();echo
Hi,
I am trying a reverse proxy server based on apache httpd v2.4 on the most
recent release of CentOS:
# httpd -version
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 14 2016 18:04:44
# uname -a
Linux hostname.domain.tld 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36
UTC
Hi,
just in the moment I found two very weird entries in my access_log:
91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET
Hi,
On Mon, Feb 6, 2017 at 11:34 AM, Rajib Karmakar
wrote:
>
> RewriteRule ^cart(.*)$ cart.php
>
> https://www.berkshirefurniture.com/cart/
>
> https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw=
>
> ## For showing leaf sub category of item
Hi,
RewriteRule ^cart(.*)$ cart.php
https://www.berkshirefurniture.com/cart/
https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw=
## For showing leaf sub category of item
RewriteCond %{REQUEST_URI} !^/([^/]*)/p
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond