LinuxQuestions.org
Old 10-24-2011, 09:44 AM   #1
deathsfriend99
Member
 
Registered: Nov 2007
Distribution: CentOS 6
Posts: 195

Apache exploit? Logwatch: A total of 2 possible successful probes were detected


I was browsing my logs when I came across this:

Code:
A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
 
    /?mode=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200 
    /~someuser/SMARTS/?mode=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
Not sure what to make of it. I entered it into my browser and just got the index.html page. Google says it's some sort of Joomla exploit. I don't run Joomla. Not sure if I should be worried about this. Can anyone shed some light on this?
 
Old 10-24-2011, 03:16 PM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

A little more context regarding the logs would be helpful. The code posted looks like it is trying to access your directory index (root) folder for your site (not to be confused with the file system root), which is normal, but is passing in some parameters to try and gain access outside of the directory tree. Specifically, in the first URL, /?mode= is the root folder with the GET parameter for mode, setting it to a path to try and get outside of the document root. If your page does not use a mode variable, chances are it will just be ignored and you will get the index.html with a Response code of 200 from Apache. The second line is trying to do something similar but using the document path of /~someuser/SMARTS/ with the mode GET variable.

I agree this sounds like an exploit targeted at some form of content management system.
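One way to check the point made in the reply above (an ignored `mode` parameter just returns the normal page with a 200) is to compare the response size of each flagged request with the size of an ordinary request for the same path. This is an added example, not part of either post; the log lines, addresses and sizes are constructed, and it assumes Apache's common/combined log format.

```python
import re
from urllib.parse import unquote

# Apache common/combined format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')
# Markers seen in the reported URLs: repeated ../ or /proc/self/environ
PROBE_RE = re.compile(r'(\.\./){2,}|/proc/self/environ', re.I)
TRAV = "../" * 13 + "/proc/self/environ%0000"  # same shape as the URLs Logwatch reported

# Constructed sample lines (addresses, times and sizes are made up)
SAMPLE = [
    '198.51.100.7 - - [24/Oct/2011:03:12:01 -0500] "GET / HTTP/1.1" 200 4512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Oct/2011:03:12:09 -0500] "GET /~someuser/SMARTS/ HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [24/Oct/2011:04:02:11 -0500] "GET /?mode=%s HTTP/1.1" 200 4512 "-" "-"' % TRAV,
    '203.0.113.9 - - [24/Oct/2011:04:02:12 -0500] "GET /~someuser/SMARTS/?mode=%s HTTP/1.1" 200 1033 "-" "-"' % TRAV,
    '203.0.113.9 - - [24/Oct/2011:04:02:13 -0500] "GET /index.php?mode=%s HTTP/1.1" 404 291 "-" "-"' % TRAV,
]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["path"] = e["target"].split("?", 1)[0]
    # Decode twice so double-encoded traversal sequences are still recognised
    e["probe"] = bool(PROBE_RE.search(unquote(unquote(e["target"]))))
    return e

def triage(lines):
    """Return (verdict, host, path) for every 2xx request that looks like the probe."""
    entries = [e for e in map(parse, lines) if e]
    baseline = {}  # path -> sizes of 200 responses to ordinary requests for that path
    for e in entries:
        if e["status"] == "200" and "?" not in e["target"] and not e["probe"]:
            baseline.setdefault(e["path"], set()).add(e["size"])
    results = []
    for e in entries:
        if not e["probe"] or not e["status"].startswith("2"):
            continue
        sizes = baseline.get(e["path"])
        verdict = ("no-baseline" if sizes is None else
                   "same-as-normal-page" if e["size"] in sizes else "differs-investigate")
        results.append((verdict, e["host"], e["path"]))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```

A "differs-investigate" verdict only means the response was not byte-for-byte the usual page size; dynamic pages vary in size on their own, so that result is a prompt to look at what the application does with `mode`, not proof of disclosure.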
 
  

