Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I don't know if this was posted here earlier, but I am panicking.
My Logwatch shows these entries:
Code:
A total of 1 sites probed the server
168.144.196.83
A total of 1 possible successful probes were detected (the following URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP Response 200
It is showing /etc/passwd. The HTTP logs show:
Apart from the fact that it's trying to append twice and shows a 200 return code, it shouldn't work anyway if the user the web server runs as has no write privileges on the file, and for the "/?-d" part see post http://www.linuxquestions.org/questi...4/#post4692267?
IMHO it's not a question of being afraid or not but thinking ahead and defending yourself:
- have your firewall drop bogon traffic and rate limit new requests,
- make your web server not expose any unused functionality (proxying, auth methods, etc) and configure only what is strictly necessary,
- make your web server more resilient by running mod_security with the default OWASP rule set,
- ensure that what off the shelf software you run is always current, including any 3rd party plugins, and remove what can't be updated,
- ensure you follow the security documentation off the shelf software provides,
- ensure that what homebrew scripts you run follow best coding practices and have them examined if necessary,
- optionally monitor areas on your system the web server user can write to using Inotify and Maldetect.
- Examine your system for hardening other access vectors like running anonymous FTP, passworded FTP uploads from non-Linux machines, SSH without pubkey auth (as root?), etc, etc.
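As an added example (not code from either poster), here is a small scanner that checks an Apache access log for the "/?-d" request shape Logwatch flagged above: a query string with no literal "=" is handed to a CGI program as command-line arguments (RFC 3875 section 4.4), so a query that starts with "-" is a php-cgi option, and the decoded arguments are then checked for php.ini overrides, null bytes and path traversal. It assumes Combined Log Format; the log lines, IP addresses and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines (Combined Log Format, documentation-range IPs).
# Line 1 mirrors the request quoted in the post above; line 4 is a variant
# with the same shape; lines 2 and 3 are ordinary requests that must not fire.
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2012:13:55:36 +0000] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.8 - - [10/May/2012:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2012:13:57:12 +0000] "GET /search?q=-d+test HTTP/1.1" 200 512 "-" "curl/7.22.0"
198.51.100.10 - - [10/May/2012:13:58:40 +0000] "GET /?-dallow_url_include%3d1 HTTP/1.1" 404 300 "-" "python-requests/2.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# php.ini directives worth reporting when they show up inside a decoded "-d" argument.
RISKY_DIRECTIVES = ("allow_url_include", "auto_prepend_file", "auto_append_file", "disable_functions")


def analyse_query(raw_query):
    """Return a list of finding tags for one raw (still URL-encoded) query string."""
    findings = []
    if not raw_query:
        return findings
    # No literal '=' means the web server passes the query as argv to the CGI
    # binary; a leading '-' then reads as a command-line option (the "/?-d" case).
    if "=" not in raw_query and raw_query.startswith("-"):
        findings.append("cgi-argv-injection")
    decoded = unquote_plus(raw_query)  # '+' and %XX become the real argument text
    for name in RISKY_DIRECTIVES:
        if name in decoded:
            findings.append("php-ini-override:" + name)
    if "\x00" in decoded:
        findings.append("null-byte")
    if "/etc/passwd" in decoded or "../" in decoded:
        findings.append("path-traversal")
    return findings


def scan_log(text):
    """Return (ip, status, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        raw_query = target.split("?", 1)[1] if "?" in target else ""
        findings = analyse_query(raw_query)
        if findings:
            hits.append((m.group("ip"), int(m.group("status")), findings))
    return hits


if __name__ == "__main__":
    for ip, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {', '.join(findings)}")
```

A 200 on a flagged line only says the request was served; whether the prepend actually happened has to be confirmed on the host (php-cgi in use, the server's php.ini, and what the response body contained).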