httpd-users mailing list archives

From Knute Johnson <apa...@knutejohnson.com>
Subject Re: [users@httpd] Hack?
Date Wed, 14 Dec 2011 04:11:50 GMT
On 12/13/2011 7:57 PM, Yehuda Katz wrote:
> On Tue, Dec 13, 2011 at 10:33 PM, Knute Johnson <apache@knutejohnson.com> wrote:
>
>     On 12/13/2011 7:12 PM, Yehuda Katz wrote:
>
>         On Tue, Dec 13, 2011 at 9:50 PM, Knute Johnson
>         <apache@knutejohnson.com> wrote:
>
>             This showed up in my log today on a Ubuntu server with
>         Apache 2.2.17.
>                 /?file=../../../../../../proc/self/environ%00 HTTP Response 200
>                 /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
>                 /?page=../../../../../../proc/self/environ%00 HTTP Response 200
>
>     Thanks.  Is there some kind of application that stores data at these
>     locations normally?
>
> Linux. Or more specifically, it looks like it might be trying to attack
> a known vulnerability in the Linux Kernel.
> See http://lwn.net/Articles/191954/ for more on that.
>
> Explanation:
> Let's say your web application loads files based on the (file/mod/page)
> query string value from the folder /srv/www/htdocs/pages/ with the
> extension .myfile
> The attacker's request for
>
>     ../../../../../../proc/self/environ%00
>
> will be viewed by your application as
>
>     /srv/www/htdocs/pages/../../../../../../proc/self/environ%00.myfile
>
> which the application will likely interpret as just
>
>     /proc/self/environ
>
>
>     Lately I've been getting a bunch of requests for null files,
>     hundreds of them.
>
> You might want to look into using a program like Fail2Ban
> (http://www.fail2ban.org) or some other log parser to
> block them from hitting your server.
> The documentation for fail2ban is not incredible, but their support
> mailing list is usually responsive.
>
> - Y

Thanks very much.

-- 

knute...
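As a defender-side illustration of the traversal the reply walks through, here is an added Python example that is not from the thread: a page loader that resolves the query parameter against the pages directory safely (rejecting the embedded NUL and any path that escapes the directory), plus a scanner of the kind a fail2ban filter would encode, run over constructed access-log lines modelled on the requests above. PAGES_DIR, PAGE_EXT, the function names and the sample addresses are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Constructed values (not from the thread); layout follows the reply's example.
PAGES_DIR = "/srv/www/htdocs/pages"
PAGE_EXT = ".myfile"


def safe_page_path(name: str) -> "str | None":
    """Hardened loader: reject an embedded NUL, canonicalise base + name + ext,
    and require the result to stay under PAGES_DIR. Returns None for anything
    that escapes, so the traversal request from the thread never reaches open()."""
    if "\x00" in name:
        return None
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(base, name + PAGE_EXT))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Access-log side: the match a fail2ban filter would express as a failregex.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
PROBE_RE = re.compile(r"(?:\.\./){2,}|/proc/self/environ", re.IGNORECASE)


def is_traversal_probe(request_path: str) -> bool:
    """True when the request (decoded twice, to catch %2e%2e-style encoding)
    contains repeated '../', /proc/self/environ, or a NUL byte."""
    decoded = unquote(unquote(request_path))
    return "\x00" in decoded or PROBE_RE.search(decoded) is not None


def flag_probes(log_text: str) -> list:
    """Return (client_ip, request_path) for each combined-format line that probes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_probe(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits


# Constructed access-log lines (RFC 5737 addresses) modelled on the thread's requests.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2011:19:50:01 +0000] "GET /?file=../../../../../../proc/self/environ%00 HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [13/Dec/2011:19:50:02 +0000] "GET /?page=%2e%2e/%2e%2e/proc/self/environ%00 HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [13/Dec/2011:19:51:10 +0000] "GET /?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""
```

`flag_probes(SAMPLE_LOG)` returns the two probing requests from 203.0.113.5 and leaves the ordinary `about` request alone.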

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

