Requests from localhost (127.0.0.1) logged on access.log
Hello buddies,
I come here because I've been all the morning working around this with no solution at all.
It all has begun when one guy told me they found that we were trying to hack them. Their apache log told that the source IP where the attacks were coming from was one that belongs to one of our servers.
I started to check my logs and found that yesterday afternoon I had some logs on apache issued as:
127.0.0.1 - - [07/Sep/2014:18:39:07 +0200] "GET /mulberry-bag-collections.html?price=/proc/self/environ&style=56 HTTP/1.1" 404 497 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14"
First, this folder doesn't exist. It's of course someone trying to exploit through php and get some data from the server, but what is concerning me the most is that it's being done in localhost! That means that somehow the server itself is executing the command (maybe through a script).
I checked all other logs (auth/syslog) and ensured there was no connection from other than my own IP address...
I also checked /tmp/ and all other places for any strange file
I also checked all crontabs
But in the end, nothing...
Is there anything else I could do?
Thanks!
Eudald
|