[PLUG] possible successful probes were detected ?
Jason LaPier
jason.lapier at gmail.com
Mon Dec 12 17:30:21 UTC 2011
On Mon, Dec 12, 2011 at 9:08 AM, Michael Rasmussen <michael at jamhome.us>wrote:
> On Mon, Dec 12, 2011 at 08:57:19AM -0800, Scott Garman wrote:
> > On 12/12/2011 08:47 AM, Galen Seitz wrote:
> > > A total of 3 possible successful probes were detected (the following
> URLs
> > > contain strings that match one or more of a listing of strings that
> > > indicate a possible exploit):
> > >
> > > /?file=../../../../../../proc/self/environ%00 HTTP Response 200
> > > /?mod=../../../../../../proc/self/environ%00 HTTP Response 200
> > > /?page=../../../../../../proc/self/environ%00 HTTP Response 200
> >
> > It should be reasonably straightforward to try going to those urls
> > yourself and see if it works.
>
> It's even more straightforward to believe the logging is not broken and
> believe the 200 response code.
>
>
/?something is almost always going to return 200 on any website, because
you're just tacking on parameters to the index file. In most cases, this
will cause the index to load (200) and ignore the extraneous parameters
(even if you just have a static index.html).
- Jason L.
More information about the PLUG
mailing list