Old 10-24-2011, 10:44 AM   #1
Registered: Nov 2007
Distribution: CentOS 6
Posts: 195

Apache exploit? Logwatch: A total of 2 possible successful probes were detected

I was browsing my logs when I came across this:

A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):
    /?mode=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200 
    /~someuser/SMARTS/?mode=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
Not sure what to make of it. I entered it into my browser and just got the index.html page. Google says it's some sort of Joomla exploit. I don't run Joomla. Not sure if I should be worried about this. Can anyone shed some light on this?
Old 10-24-2011, 04:16 PM   #2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

A little more context regarding the logs would be helpful. The code posted looks like it is trying to access your directory index (root) folder for your site (not to be confused with the file system root), which is normal, but is passing in some parameters to try and gain access outside of the directory tree. Specifically in the first URL, /?mode= is the root folder with the GET parameter for mode and setting it to a path to try and get outside of the document root. If your page does not use a mode variable, chances are it will just be ignored and you will get the index.html with a Response code of 200 from Apache. The second line is trying to do something similar but using the document path of /~someuser/SMARTS/ with the mode GET variable.

I agree this sounds like an exploit targeted at some form of content management system.
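
Added example, not part of either post: a Python triage of Logwatch hits like the two above, which compares each probe's response size with the size served for the same path without a query string, to tell an ignored parameter from a response that changed. The log lines, addresses, sizes, the /cms/ path and the verdict names are constructed for illustration, and Apache "combined" log format is assumed.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample in Apache "combined" format (addresses, sizes and /cms/ are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Oct/2011:03:12:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Oct/2011:03:14:44 -0500] "GET /?mode=../../../../..//proc/self/environ%0000 HTTP/1.1" 200 5120 "-" "probe"
203.0.113.9 - - [24/Oct/2011:03:14:45 -0500] "GET /~someuser/SMARTS/?mode=../../../../..//proc/self/environ%0000 HTTP/1.1" 200 812 "-" "probe"
203.0.113.9 - - [24/Oct/2011:03:14:46 -0500] "GET /cms/?mode=../../../../..//proc/self/environ%0000 HTTP/1.1" 404 209 "-" "probe"
"""

LINE_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) (\d+|-)')
MARKERS = ("../", "/proc/self/environ", "\x00")  # traversal, target file, null byte

def parse(log):
    """Yield (path, query, status, size) for each parsable request line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            url = urlsplit(m.group(1))
            size = 0 if m.group(3) == "-" else int(m.group(3))
            yield url.path, url.query, int(m.group(2)), size

def is_probe(query):
    """True if the query string, decoded twice, contains a traversal marker."""
    decoded = unquote(unquote(query))  # second pass catches double encoding
    return any(marker in decoded for marker in MARKERS)

def triage(log):
    """Return (path, status, verdict) for every probe request in the log."""
    rows = list(parse(log))
    # Baseline: size of a 200 response for the same path with no query string.
    baseline = {p: s for p, q, st, s in rows if not q and st == 200}
    verdicts = []
    for path, query, status, size in rows:
        if not is_probe(query):
            continue
        if status != 200:
            verdict = "rejected"       # server did not serve content
        elif path not in baseline:
            verdict = "no-baseline"    # nothing to compare against; check by hand
        elif size == baseline[path]:
            verdict = "ignored"        # same bytes as the plain page
        else:
            verdict = "investigate"    # 200 with a different body size
        verdicts.append((path, status, verdict))
    return verdicts

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A matching size only suggests the parameter was ignored; for pages whose size varies per request, compare the response bodies directly.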

