Posted to users@httpd.apache.org by "Jason T. Slack-Moehrle" <sl...@gmail.com> on 2012/09/06 00:45:08 UTC

[users@httpd] URL Requests being used to probe my server

CentOS 6, Apache/2.2.15 (Unix)

I am receiving messages in my Logwatch that state:

 A total of 1 sites probed the server
    210.86.231.xx

 A total of 1 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):

    /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n
HTTP Response 200


I tried to copy and paste this URL after the IP of the server and
nothing seemed to happen, my site came up as normal.

Can anyone explain what they are trying to accomplish? Obviously see
if they can manipulate my /etc/passwd file?

Best,
-Jason

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] URL Requests being used to probe my server

Posted by Eric Covener <co...@gmail.com>.
On Wed, Sep 5, 2012 at 6:45 PM, Jason T. Slack-Moehrle
<sl...@gmail.com> wrote:
> CentOS 6, Apache/2.2.15 (Unix)
>
> I am receiving messages in my Logwatch that state:
>
>  A total of 1 sites probed the server
>     210.86.231.xx
>
>  A total of 1 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
>     /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n
> HTTP Response 200
>
>
> I tried to copy and paste this URL after the IP of the server and
> nothing seemed to happen, my site came up as normal.
>
> Can anyone explain what they are trying to accomplish? Obviously see
> if they can manipulate my /etc/passwd file?
>

maybe http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2336

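
Added example (not part of either message, and not Logwatch's or PHP's own code): a Python check that flags access-log requests of the shape shown in the Logwatch report, that is, a query string with no literal `=` whose decoded form begins with `-`. This is the php-cgi option-passing case that the CVE linked above concerns. The log lines, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Sep/2012:00:12:01 +0000] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../etc/passwd%00%20-n HTTP/1.1" 200 5120 "-" "-"
192.0.2.11 - - [06/Sep/2012:00:13:44 +0000] "GET /index.php?page=2&sort=-date HTTP/1.1" 200 812 "-" "-"
192.0.2.12 - - [06/Sep/2012:00:14:09 +0000] "GET /index.php?-s HTTP/1.1" 404 209 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return a finding dict for a php-cgi style option probe, else None."""
    m = LOG_RE.match(line)
    if not m or "?" not in m["target"]:
        return None
    raw_query = m["target"].split("?", 1)[1]
    # A literal '=' marks ordinary form data; CGI only treats a query
    # without one as a list of command-line arguments.
    if "=" in raw_query:
        return None
    # '+' separates arguments; percent-escapes are decoded afterwards.
    tokens = unquote(raw_query.replace("+", " ")).split()
    if not tokens or not tokens[0].startswith("-"):
        return None
    # Pair each -d switch with the ini override that follows it,
    # making an embedded NUL byte visible instead of printing it raw.
    overrides = [val.replace("\x00", "\\0")
                 for opt, val in zip(tokens, tokens[1:]) if opt == "-d"]
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "options": [t for t in tokens if t.startswith("-")],
        "ini_overrides": overrides,
    }

def findings(log_text):
    """Classify every line and keep only the flagged requests."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f)
```

The status code in each finding only shows that the server answered; whether the options were honoured depends on PHP being run as CGI at an affected version.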