On Tue, Dec 13, 2011 at 10:33 PM, Knute Johnson <apa...@knutejohnson.com> wrote:
> On 12/13/2011 7:12 PM, Yehuda Katz wrote:
>
>> On Tue, Dec 13, 2011 at 9:50 PM, Knute Johnson <apa...@knutejohnson.com> wrote:
>>
>> This showed up in my log today on an Ubuntu server with Apache 2.2.17.
>> /?file=../../../../../../proc/__self/environ%00 HTTP Response 200
>> /?mod=../../../../../../proc/__self/environ%00 HTTP Response 200
>> /?page=../../../../../../proc/__self/environ%00 HTTP Response 200
>>
>> Thanks.
>
> Is there some kind of application that stores data at these locations normally?

Linux. Or more specifically, it looks like it might be trying to attack a known vulnerability in the Linux Kernel. See http://lwn.net/Articles/191954/ for more on that.

Explanation:
Let's say your web application loads files based on the (file/mod/page) query string value from the folder /srv/www/htdocs/pages/ with the extension .myfile.
The attacker's request for
> ../../../../../../proc/__self/environ%00
will be viewed by your application as
> /srv/www/htdocs/pages/../../../../../../proc/__self/environ%00.myfile
which the application will likely interpret as just
> /proc/__self/environ

> Lately I've been getting a bunch of requests for null files, hundreds of them.

You might want to look into using a program like Fail2Ban (www.fail2ban.org) or some other log parser to block them from hitting your server. The documentation for fail2ban is not incredible, but their support mailing list is usually responsive.

- Y
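Added example, not part of the original message: the path handling described in the explanation above, modelled in Python next to a hardened lookup. The function names are hypothetical; the folder, extension and request string are the ones given in the message, and the check is string-level only so it runs without those files existing.

```python
import posixpath
from urllib.parse import unquote

BASE = "/srv/www/htdocs/pages/"  # folder named in the explanation
EXT = ".myfile"                  # extension named in the explanation


def naive_resolve(param: str) -> str:
    """Model of the vulnerable lookup: concatenate, then hand to the OS.

    A C-level open() stops reading at the first NUL byte, which drops the
    appended extension; the ../ segments are then resolved from the folder.
    """
    raw = BASE + unquote(param) + EXT
    seen_by_os = raw.split("\x00", 1)[0]   # NUL truncation
    return posixpath.normpath(seen_by_os)  # ../ resolution


def safe_resolve(param: str) -> str:
    """Hardened lookup: reject NUL, canonicalize, confirm containment."""
    name = unquote(param)
    if "\x00" in name:
        raise ValueError("NUL byte in file parameter")
    root = posixpath.normpath(BASE)
    candidate = posixpath.normpath(posixpath.join(BASE, name + EXT))
    # commonpath compares whole path components, so a sibling such as
    # /srv/www/htdocs/pages-old does not pass as being inside pages/.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the pages folder")
    # Assumption: no symlinks under BASE. On a real filesystem, run
    # os.path.realpath() on the candidate before the containment check.
    return candidate


if __name__ == "__main__":
    # Request value copied from the log lines quoted in the message.
    probe = "../../../../../../proc/__self/environ%00"
    print("naive lookup opens:", naive_resolve(probe))
    for value in (probe, "about"):
        try:
            print(repr(value), "->", safe_resolve(value))
        except ValueError as err:
            print(repr(value), "rejected:", err)
```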