[users@httpd] Apache 2.2 mod_headers question

2017-02-06 Thread mjk
I have spent 8+ hours scouring the web, reviewing the Apache Httpd Cookbook, the Definitive Reference, and the 2.2 documentation for mod_headers, mod_proxy and core. CONFIGURATION: Apache Version: Server version: Apache/2.2.15 (Unix) Server built: Jul 18 2016 15:24:00 SSL offloading happens

Re: [users@httpd] Apache 2.2.32 failing F5 health check

2017-02-06 Thread Eric Covener
On Mon, Feb 6, 2017 at 8:40 PM, wrote: > broken apache httpd version 2.2.32: > > openssl s_client -connect : -pause > > when paused input this. > > GET /login/healthcheck/content_check.wecv HTTP/1.0 > > Host: s_client doesn't send CRLF unless you pass

RE: [users@httpd] Apache 2.2.32 failing F5 health check

2017-02-06 Thread Bharath.C.Kolla
broken apache httpd version 2.2.32: openssl s_client -connect : -pause when paused input this. GET /login/healthcheck/content_check.wecv HTTP/1.0 Host: You get bad request back from apache httpd HTTP/1.1 400 Bad Request Working apache httpd version 2.2.31: openssl s_client -connect : -pause

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Wim Lewis
On 2/6/2017 8:36 AM, Jack Swan wrote: > What upsets me is that these two requests have statuscode 200, which means it > was successful. As Jonesy points out, it's normal for the web server to simply ignore a request's query-string in a request where it wouldn't mean anything. So Apache is

[users@httpd] Re: am i hacked ?

2017-02-06 Thread Jonesy
On Mon, 6 Feb 2017 20:17:00 +0100 (CET), Lentes, Bernd wrote: > Why has the request status code 200 ? Because the request was for the root document: "/" The rest of the crap was a malicious query string that -- if your root doc was .php, AND if your php version was vulnerable -- _might_ have

Re: [users@httpd] Apache 2.2.32 failing F5 health check

2017-02-06 Thread Daniel
Oh really? Enable mod_dumpio and show us the GET from your F5 "pings". 2017-02-06 21:34 GMT+01:00 : > This issue is different from the CR LF issue. We checked for any > delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the > same server,

RE: [users@httpd] Apache 2.2.32 failing F5 health check

2017-02-06 Thread Bharath.C.Kolla
This issue is different from the CR LF issue. We checked for any delimiters/spaces etc. The F5 health checks work fine with 2.2.31 on the same server, without any change in the configuration, but when we upgrade to 2.2.32, apache reports a 400 error. Bharath Kolla -Original Message-

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Kent Frazier
If you have python installed... The following python script shows some simple commands for decoding (for future reference). test ="""

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 8:22 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: >> OK. I think I understand most of it. >> First the attacker sets some values appropriate for him. Then he tries to >> create >> a file webconfig.txt.php and to write >> in it. >> Fortunately wwwrun

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
> OK. I think I understand most of it. > First the attacker sets some values appropriate for him. Then he tries to > create > a file webconfig.txt.php and to write > in it. > Fortunately wwwrun can't write in /sr/www ... , following > http://httpd.apache.org/docs/2.2/misc/security_tips.html

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 6:32 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > - On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote: > >> The first line is trying to create the file webconfig.txt.php in your >> DOCUMENT_ROOT directory, with the contents of the

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Eric Covener
On Mon, Feb 6, 2017 at 12:30 PM, Mitchell Krog wrote: > I see these type of attack strings all the time on Nginx except Nginx gives > a 403. Apache is notoriously bad with security and giving 200 ok responses > makes you yourself. A reason I and many other people

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:54 PM, Jack Swan john.s...@oracle.com wrote: > The first line is trying to create the file webconfig.txt.php in your > DOCUMENT_ROOT directory, with the contents of the file being: > > > > I didn't decode the remaining lines. I think they're just trying to do the >

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Mitchell Krog
I see these type of attack strings all the time on Nginx except Nginx gives a 403. Apache is notoriously bad with security and giving 200 ok responses makes you yourself. A reason I and many other people have switched. User support on this list was also non existent when I ran into serious

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Ken Robinson
On 2017-02-06 12:08 pm, Lentes, Bernd wrote: The first line is trying to create the file webconfig.txt.php in your DOCUMENT_ROOT directory, with the contents of the file being: I didn't decode the remaining lines. I think they're just trying to do the same thing. Fortunately there is

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
> The first line is trying to create the file webconfig.txt.php in your > DOCUMENT_ROOT directory, with the contents of the file being: > > > > I didn't decode the remaining lines. I think they're just trying to do the > same > thing. > Fortunately there is no webconfig.txt.php. And all

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:45 PM, Daniel dferra...@gmail.com wrote: > Actually now that I re-read the requests it also looks as shellshock successful > attempt. > Operative system software not updated recently either? > 2017-02-06 17:42 GMT+01:00 Daniel < dferra...@gmail.com > : >> Have you

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan
The first line is trying to create the file webconfig.txt.php in your DOCUMENT_ROOT directory, with the contents of the file being: I didn't decode the remaining lines. I think they're just trying to do the same thing. - Original Message - From: bernd.len...@helmholtz-muenchen.de

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Actually now that I re-read the requests it also looks as shellshock successful attempt. Operative system software not updated recently either? 2017-02-06 17:42 GMT+01:00 Daniel : > Have you tried to send those requests yourself and see what you get? > > Still those requests

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Daniel
Have you tried to send those requests yourself and see what you get? Still those requests seem to be aimed at your php framework. Do you use a very old php version as well? 2017-02-06 17:41 GMT+01:00 Lentes, Bernd : > > - On Feb 6, 2017, at 5:14 PM,

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
- On Feb 6, 2017, at 5:14 PM, Bernd Lentes bernd.len...@helmholtz-muenchen.de wrote: > Hi, > > just in the moment I found two very weird entries in my access_log: > > 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET >

Re: [users@httpd] am i hacked ?

2017-02-06 Thread Jack Swan
I didn't decode it all. I'll leave the rest up to you, but the %characters are hexadecimal characters. Look up hex charset. So the first line translates to (I may have missed a char or two...) GET/?1=@ini_set("display_errors", 0);set_time_limit("0");@set_magic_quotes_runtime();echo

[users@httpd] mod_substitute only replaces first pattern match

2017-02-06 Thread Uwe.Poliak
Hi, I am trying a reverse proxy server based on apache httpd v2.4 on the most recent release of CentOS: # httpd -version Server version: Apache/2.4.6 (CentOS) Server built: Nov 14 2016 18:04:44 # uname -a Linux hostname.domain.tld 3.10.0-514.6.1.el7.x86_64 #1 SMP Wed Jan 18 13:06:36 UTC

[users@httpd] am i hacked ?

2017-02-06 Thread Lentes, Bernd
Hi, just in the moment I found two very weird entries in my access_log: 91.200.12.33 - - [06/Feb/2017:16:43:26 +0100] 236 "GET

Re: [users@httpd] .htaccess rule match keyword

2017-02-06 Thread Yann Ylavic
Hi, On Mon, Feb 6, 2017 at 11:34 AM, Rajib Karmakar wrote: > > RewriteRule ^cart(.*)$ cart.php > > https://www.berkshirefurniture.com/cart/ [] > > https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw= > > ## For showing leaf sub category of item

[users@httpd] .htaccess rule match keyword

2017-02-06 Thread Rajib Karmakar
Hi, RewriteRule ^cart(.*)$ cart.php https://www.berkshirefurniture.com/cart/ https://www.berkshirefurniture.com/carter-upholstered-bed/p/bmV3LWFycml2YWw= ## For showing leaf sub category of item RewriteCond %{REQUEST_URI} !^/([^/]*)/p RewriteCond %{REQUEST_FILENAME} !-f RewriteCond