On 12/13/2011 7:57 PM, Yehuda Katz wrote:
On Tue, Dec 13, 2011 at 10:33 PM, Knute Johnson <apa...@knutejohnson.com> wrote:

    On 12/13/2011 7:12 PM, Yehuda Katz wrote:

        On Tue, Dec 13, 2011 at 9:50 PM, Knute Johnson
        <apa...@knutejohnson.com> wrote:

            This showed up in my log today on an Ubuntu server with
            Apache 2.2.17.
                /?file=../../../../../../proc/self/environ%00 HTTP Response 200
                /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
                /?page=../../../../../../proc/self/environ%00 HTTP Response 200

    Thanks.  Is there some kind of application that stores data at these
    locations normally?

Linux. Or more specifically, it looks like it might be trying to attack
a known vulnerability in the Linux Kernel.
See http://lwn.net/Articles/191954/ for more on that.

Explanation:
Let's say your web application loads files based on the (file/mod/page)
query string value from the folder /srv/www/htdocs/pages/ with the
extension .myfile
The attacker's request for

    ../../../../../../proc/self/environ%00

will be viewed by your application as

    /srv/www/htdocs/pages/../../../../../../proc/self/environ%00.myfile

which the application will likely interpret as just

    /proc/self/environ


    Lately I've been getting a bunch of requests for null files,
    hundreds of them.

You might want to look into using a program like Fail2Ban
(http://www.fail2ban.org) or some other log parser to
block them from hitting your server.
The documentation for fail2ban is not incredible, but their support
mailing list is usually responsive.

- Y

Thanks very much.

--

knute...
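The path resolution Yehuda walks through above, and the log-parser idea he points to with fail2ban, as an added Python example that is not part of this thread or of any project mentioned in it. The directory /srv/www/htdocs/pages, the .myfile extension and the three request shapes come from the explanation; the function names, the combined-log-format regex and the sample log lines are assumptions constructed for the example.

```python
# Added example, not from the mailing-list thread: (1) how a loader that
# simply concatenates the query value resolves the traversal request,
# (2) a hardened loader that refuses it, and (3) a small access-log scan
# of the kind a tool like fail2ban would automate.
import os
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

# Values taken from the explanation in the thread (assumed web-app layout).
PAGES_DIR = os.path.realpath("/srv/www/htdocs/pages")
PAGE_EXT = ".myfile"


def naive_resolve(param: str) -> str:
    """What a loader that just joins and normalises the value computes.
    %00 decodes to a NUL byte; a C-based file API stops at the NUL, so
    the appended '.myfile' is never seen and /proc/self/environ is what
    gets opened.  (Emulated here by truncating at the first NUL.)"""
    decoded = unquote(param)
    joined = os.path.normpath(os.path.join(PAGES_DIR, decoded + PAGE_EXT))
    return joined.split("\0", 1)[0]


def safe_resolve(param: str) -> Optional[str]:
    """Return an absolute path inside PAGES_DIR, or None if the query
    value is anything other than a plain page name."""
    decoded = unquote(param)
    if "\0" in decoded:
        return None
    # Allow only a simple identifier: no slashes, dots or encoded separators.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", decoded):
        return None
    path = os.path.realpath(os.path.join(PAGES_DIR, decoded + PAGE_EXT))
    # Defence in depth: the resolved path must still sit under PAGES_DIR.
    if os.path.commonpath([PAGES_DIR, path]) != PAGES_DIR:
        return None
    return path


# Request targets are logged as sent, so "../" appears literally; also
# catch percent-encoded forms and the encoded NUL.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)
ENCODED_NUL = re.compile(r"%00", re.IGNORECASE)
# Apache combined log format (assumed): ip ident user [date] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3})"
)


def scan_access_log(lines):
    """Return {client_ip: count} of requests whose target contains a
    traversal sequence or an encoded NUL; the IPs are ban candidates."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if TRAVERSAL.search(target) or ENCODED_NUL.search(target):
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log lines (not real data), shaped like the requests
# quoted in the thread plus one ordinary page request.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Dec/2011:19:12:01 -0800] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2011:19:12:02 -0800] "GET /?mod=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Dec/2011:19:12:03 -0800] "GET /?page=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2011:19:13:10 -0800] "GET /?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    probe = "../../../../../../proc/self/environ%00"
    print("naive loader opens:", naive_resolve(probe))
    print("hardened loader returns:", safe_resolve(probe))
    print("hardened loader for 'about':", safe_resolve("about"))
    print("traversal hits per client:", scan_access_log(SAMPLE_LOG))
```

The allow-list in safe_resolve is the real fix; the commonpath check only guards against a future change that loosens the pattern. The scan counts per client so the result can feed a ban decision the way fail2ban's filter/action pair does, but it only reports; blocking is left to the firewall or to fail2ban itself.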

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
