Hey everyone,

Logwatch flagged something in my Apache logs, and it says it was a
possible successful probe. Hmmm. Here's what it says:

 --------------------- httpd Begin ------------------------

 A total of 1 sites probed the server
    66.249.137.70

 A total of 2 possible successful probes were detected (the following URLs
 contain strings that match one or more of a listing of strings that
 indicate a possible exploit):

66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"

I didn't see anything on my server this morning, as I checked around it.
Is this something to be concerned about? I'm fully patched (yum updated
through this past week). Anybody else see this?

*******************************************************************************
Gilbert Sebenste                                                     ********
(My opinions only!)                                                  ******
*******************************************************************************

2010/8/22 Gilbert Sebenste <sebenste at weather.admin.niu.edu>:
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
>  --------------------- httpd Begin ------------------------
>
>  A total of 1 sites probed the server
>     66.249.137.70
>
>  A total of 2 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?

I think this is a bit of an antique attack:

http://foro.undersecurity.net/read.php?15,3768

--
Eero

On Sun, 22 Aug 2010, Gilbert Sebenste wrote:

> To: centos at centos.org
> From: Gilbert Sebenste <sebenste at weather.admin.niu.edu>
> Subject: [CentOS] Strange Apache log entry
>
> Hey everyone,
>
> Logwatch flagged something in my Apache logs, and it says it was a
> possible successful probe. Hmmm. Here's what it says:
>
>  --------------------- httpd Begin ------------------------
>
>  A total of 1 sites probed the server
>     66.249.137.70
>
>  A total of 2 possible successful probes were detected (the following URLs
>  contain strings that match one or more of a listing of strings that
>  indicate a possible exploit):
>
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
> 66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
>
> I didn't see anything on my server this morning, as I checked around it.
> Is this something to be concerned about? I'm fully patched (yum updated
> through this past week). Anybody else see this?

On my Fedora 12 server, searching for 'proc/self/environ' I found the
following in my apache log files:

www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 +0100] "GET /file.php?file []=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 352

They didn't get much though, except a 404 error message.

Kind Regards,

Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA
[http://tmda.net]
-----------------------------------------------------------------
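One way to triage entries like the ones in this thread, as an added example (not code from any poster or from Logwatch): it parses the access-log lines, percent-decodes each request, flags `../` traversal aimed at `proc/self/environ` or carrying a NUL byte, and compares the size of any 200 response with ordinary 200 responses for the same path. The two baseline log lines, the function names and the verdict strings are constructed for illustration.

```python
import re
from urllib.parse import unquote

# First three lines: as quoted in this thread. Last two: constructed baseline
# requests (documentation IP 192.0.2.10) used only for the size comparison.
LOG = r'''66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /mystuff/?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5231 "-" "libwww-perl/5.810"
66.249.137.70 - - [21/Aug/2010:04:56:56 -0500] "GET /?g=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 14169 "-" "libwww-perl/5.810"
www.php-debuggers.net 66.179.32.5 - - [21/Aug/2010:18:56:10 +0100] "GET /file.php?file []=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 404 352
192.0.2.10 - - [21/Aug/2010:03:10:02 -0500] "GET /mystuff/ HTTP/1.1" 200 5231 "-" "Mozilla/5.0"
192.0.2.10 - - [21/Aug/2010:03:10:05 -0500] "GET / HTTP/1.1" 200 14169 "-" "Mozilla/5.0"
'''

# Common/combined log format, with an optional leading virtual-host field.
LINE = re.compile(
    r'(?:(?P<vhost>\S+) )?(?P<ip>\d+(?:\.\d+){3}) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)')

def decode(target, rounds=3):
    """Percent-decode up to `rounds` times so double-encoding is seen too."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def is_lfi_probe(target):
    """True for ../ traversal aimed at proc/self/environ or carrying a NUL."""
    t = decode(target)
    return "../" in t and ("proc/self/environ" in t or "\x00" in t)

def triage(lines):
    """Return (ip, path, status, size, verdict) for every probe line."""
    rows = [m.groupdict() for m in map(LINE.match, lines) if m]
    normal = {}  # path -> sizes of 200 responses to ordinary requests
    for r in rows:
        if r["status"] == "200" and not is_lfi_probe(r["target"]):
            normal.setdefault(r["target"].split("?")[0], set()).add(r["size"])
    out = []
    for r in rows:
        if is_lfi_probe(r["target"]):
            path = r["target"].split("?")[0]
            same = r["size"] in normal.get(path, ())
            verdict = ("rejected by server" if r["status"] != "200" else
                       "200, same size as the normal page" if same else
                       "200, size differs: inspect the response")
            out.append((r["ip"], path, int(r["status"]), r["size"], verdict))
    return out

if __name__ == "__main__":
    for row in triage(LOG.splitlines()):
        print(*row, sep="  ")
```

A matching size is only a hint that the application ignored the parameter; pages whose size varies between requests need the response body or the application code checked directly.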