From my web server log today?
Hal Burgiss
hal at burgiss.net
Sat Apr 3 17:03:43 UTC 2010
On Sat, Apr 03, 2010 at 09:37:25AM -0700, Knute Johnson wrote:
> What do you think of this from my web server log today? Has it really
> been successfully attacked? Any information or suggestions would be
> appreciated.
>
> Thanks,
>
>
> Attempts to use known hacks by 1 hosts were logged 4 time(s) from:
> 200.49.148.61: 4 Time(s)
>
>
> A total of 1 sites probed the server
> 200.49.148.61
>
> A total of 1 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> //?path=../../../../../../../../../../../../../../../etc/passwd%00
> HTTP Response 200

Internet background noise. This is essentially some scripted "attack" trying
to set a variable (path) via the URL, probably targeted at a known flaw in
some ancient application and now bouncing endlessly around the internet to
remind us how many assholes there are in the world.

Setting variables this way is completely harmless, UNLESS the web application
on the receiving end (you) uses a variable named 'path' AND accepts query
string variables like this without any kind of sanitation of user input (which
would be very poor programming practice). Further, that path would have to be
valid on your system. On my Ubuntu system, that's off by 8 or 9 levels or so.
Any sane web application would not allow such directory traversal, and
would probably silently ignore it.

The 200 response is generated because the domain + path parts are accepted as
valid on your system. The query string (after the '?') is not a factor in the
200 success return code. It does not mean anything more than the part before
the '?' was valid on your system, and successfully returned to the requestor.

Relax.

--
Hal
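
Added example, not part of the original message: a log triage sketch for the point made above, that a 200 on a traversal probe only matters if the query string changed what was served. It assumes Apache-style access log lines and uses response size as a rough signal (reliable for static pages, noisy for dynamic ones); the sample lines, addresses and the names is_probe and triage are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache access-log style (not from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2010:09:01:11 -0700] "GET / HTTP/1.1" 200 5120
192.0.2.61 - - [03/Apr/2010:09:12:02 -0700] "GET //?path=../../../../etc/passwd%00 HTTP/1.1" 200 5120
203.0.113.7 - - [03/Apr/2010:09:13:00 -0700] "GET /view.php?path=docs/a.txt HTTP/1.1" 200 9000
192.0.2.61 - - [03/Apr/2010:09:13:05 -0700] "GET /view.php?path=../../../../etc/passwd%00 HTTP/1.1" 200 1843
192.0.2.61 - - [03/Apr/2010:09:13:09 -0700] "GET /old/?path=../../etc/passwd%00 HTTP/1.1" 404 312
"""

LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\d+|-)')

def is_probe(query):
    """True if the decoded query string carries ../ sequences or a NUL byte."""
    raw = unquote_to_bytes(query)
    return b"../" in raw or b"..\\" in raw or b"\x00" in raw

def triage(log_text):
    """Return [(request target, verdict)] for every probe in log_text."""
    benign_sizes = defaultdict(set)  # path -> body sizes served to normal hits
    probes = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        target, status, size = m.group(1), int(m.group(2)), m.group(3)
        # Split by hand: urlsplit() would read the leading "//" as a host part.
        path, _, query = target.partition("?")
        path = re.sub(r"/+", "/", path)
        if is_probe(query):
            probes.append((target, path, status, size))
        elif status == 200:
            benign_sizes[path].add(size)
    results = []
    for target, path, status, size in probes:
        if status != 200:
            verdict = "rejected"   # server refused or did not find the path
        elif size in benign_sizes[path]:
            verdict = "ignored"    # same body size as a normal hit on that page
        else:
            verdict = "review"     # 200 with a size no normal request produced
        results.append((target, verdict))
    return results
```

A "review" verdict is only a prompt to look at what that script does with its parameter, not evidence that a file was disclosed.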