- 09-20-2012 #1
Just Joined! Join Date: Aug 2012. Posts: 5.
hacking possible
Hello everybody!
I have a sendmail server (with squirrelmail as web mail) and today Logwatch showed me this message:
/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP Response 302
Should I worry about it?
Last edited by pasin; 09-20-2012 at 10:30 AM.
- 09-20-2012 #2
This is a server probe - someone trying to access files that aren't secure in an attempt to gain information about your system that'll allow them access. There are several courses of action you can take - probably the best is to install and configure ModSecurity for your Apache server. You can also use Mod Rewrite to catch URLs matching various odd formats.
The other thing you could do is extend logwatch to monitor your httpd error logs and php logs. I find this is particularly helpful.
You may want to take that URL and try it on your own site to see what page your apache install feeds you when you make the request. That'll give you peace of mind - it's likely to be an error page of some kind.
I think it'd be really nice to be able to intercept these kinds of hack attempts and use ModRewrite to hand them off to a page that just never responds, the caller will be sat waiting for the page to timeout. That'll slow down anyone trying to use this kind of attack to trawl lots of servers for the ones that aren't properly secure. But Apache won't let you provide no response - it has to reply with something.
Linux user #126863 - see http://linuxcounter.net/
- 09-24-2012 #3
Quote:
I think it'd be really nice to be able to intercept these kinds of hack attempts and use ModRewrite to hand them off to a page that just never responds, the caller will be sat waiting for the page to timeout. That'll slow down anyone trying to use this kind of attack to trawl lots of servers for the ones that aren't properly secure. But Apache won't let you provide no response - it has to reply with something.
Generally it is not a good idea to leave connections open for someone that tries to gain access to your server. It opens doors to some very effective DoS attacks. Handling such cases by firewalling the requester for 15 min is a much better solution.
If you agree, take a look at fail2ban.


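The log-side check the replies point toward (watch the web server logs, then block a requester who keeps probing within 15 minutes), as an added example that is not part of the thread. It flags requests like the one in the first post, whose query string carries no literal `=` and decodes to command-line style switches, and groups them per client. It assumes Apache's common/combined log format; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def is_option_probe(target):
    """True when the query string is shaped like command-line switches."""
    _, sep, query = target.partition("?")
    if not sep or "=" in query:   # a literal '=' marks an ordinary key=value query
        return False
    decoded = unquote_plus(query).strip()
    return re.match(r"-[A-Za-z]\b", decoded) is not None

def find_offenders(lines, max_hits=2, window=timedelta(minutes=15)):
    """Return {ip: [status, ...]} for clients with >= max_hits probes inside window."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_option_probe(m["target"]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits[m["ip"]].append((ts, int(m["status"])))
    offenders = {}
    for ip, events in hits.items():
        events.sort()
        for i in range(len(events) - max_hits + 1):
            if events[i + max_hits - 1][0] - events[i][0] <= window:
                offenders[ip] = [status for _, status in events]
                break
    return offenders

# Constructed sample lines; the probe is shortened from the one in the first post,
# and the client addresses come from the documentation ranges.
PROBE = "/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../etc/passwd%00%20-n"
SAMPLE = [
    f'192.0.2.7 - - [20/Sep/2012:03:11:02 +0000] "GET {PROBE} HTTP/1.1" 302 -',
    f'192.0.2.7 - - [20/Sep/2012:03:11:09 +0000] "GET /webmail{PROBE} HTTP/1.1" 302 -',
    '198.51.100.4 - - [20/Sep/2012:03:12:00 +0000] "GET /src/login.php?lang=en-US HTTP/1.1" 200 2310',
    '198.51.100.9 - - [20/Sep/2012:04:00:00 +0000] "GET /?-s HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE))
```

The status codes are returned alongside each client so that a probe answered with a redirect or error can be told apart from one answered with 200, which deserves a closer look.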
