[Mailman-Users] message about probes
Mark Sapiro
mark at msapiro.net
Wed Apr 29 15:54:35 CEST 2009
Gruver, Sandi wrote:
>From the mailman server's Logwatch program:
>
>A total of 1 sites probed the server
> 62.1.205.86
>
>!!!! 2 possible successful probes
> /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
>
>Is this likely a probe only or a notification of a compromise?
I saw the same thing in my Logwatch the other day. These messages are
reported in the httpd report. This is suspicious from the httpd point
of view because of the 200 response to the multi "../" URL, but if you
look in Mailman's error log, you'll see entries like 'No such list
"includes":' and 'No such list "sqlhelp":' corresponding to these
because the Mailman CGIs protect against these attacks.
All the attacker got was a "non-existent list" page from Mailman.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
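
The cross-check described in the reply above, as an added example that is not part of the original message or of Mailman: it takes traversal-style requests that httpd answered with 200 and marks each one as rejected only if Mailman's error log holds a 'No such list' entry for the list name in that URL. The log lines, the function names and the assumption that Mailman is served under /mailman/ are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data, not taken from the poster's server. Only the
# 'No such list "NAME":' phrase comes from the message above.
ACCESS_LOG = '''\
192.0.2.10 - - [29/Apr/2009:03:12:01 +0200] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../etc/passwd HTTP/1.1" 200 1402
192.0.2.10 - - [29/Apr/2009:03:12:02 +0200] "GET /mailman/admin///includes/session.php?baseDir=../../../../etc/passwd HTTP/1.1" 200 1398
192.0.2.10 - - [29/Apr/2009:03:12:03 +0200] "GET /app/view.php?file=../../../../etc/passwd HTTP/1.1" 200 2210
192.0.2.10 - - [29/Apr/2009:03:12:04 +0200] "GET /mailman/listinfo/../../etc/passwd HTTP/1.1" 404 210
'''
MAILMAN_ERROR_LOG = '''\
Apr 29 03:12:01 2009 (2301) No such list "sqlhelp": sqlhelp
Apr 29 03:12:02 2009 (2302) No such list "includes": includes
'''

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
NO_SUCH_LIST = re.compile(r'No such list "([^"]+)":')

def mailman_listname(path):
    """First non-empty path piece after /mailman/<cgi>/, or None for other URLs."""
    pieces = [p for p in path.split('/') if p]   # '///' collapses to nothing
    if len(pieces) >= 3 and pieces[0] == 'mailman':
        return pieces[2].lower()                 # compare case-insensitively
    return None

def triage(access_log, error_log):
    """Return (url, verdict) for every '../' request that got HTTP 200."""
    rejected = {m.group(1).lower() for m in NO_SUCH_LIST.finditer(error_log)}
    results = []
    for line in access_log.splitlines():
        m = REQUEST.search(line)
        if not m or m.group(2) != '200' or '../' not in m.group(1):
            continue                             # not a "successful probe" line
        url = m.group(1)
        name = mailman_listname(urlsplit(url).path)
        # No matching error-log entry (or not a Mailman URL): look closer.
        verdict = 'rejected-by-mailman' if name in rejected else 'investigate'
        results.append((url, verdict))
    return results

if __name__ == '__main__':
    for url, verdict in triage(ACCESS_LOG, MAILMAN_ERROR_LOG):
        print(f'{verdict:20} {url}')
```

A match shows only that Mailman logged a rejection for that list name, so compare the timestamps of the two log entries before closing the alert.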