CentOS – Apache Probes — what are they after

Tags: apache-2.2, centos, security

The past few weeks I've been seeing more and more of these probes each day. I'd like to figure out what vulnerability they're looking for but haven't been able to turn anything up with a web search.

Here's a sample of what I get in my morning Logwatch emails:

A total of XX possible successful
probes were detected (the following
URLs contain strings that match one
or more of a listing of strings that
indicate a possible exploit):

/MyBlog/?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 200
/index2.php?option=com_myblog&item=12&task=../../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 200
/?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 301
/index2.php?option=com_myblog&item=12&task=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 200
//index2.php?option=com_myblog&Itemid=1&task=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP Response 200

This is coming from a current CentOS 5.4 / Apache 2 box with all updates.

I've manually tried entering a few in to see what they get, but those all appear to just return the site's home page. This server is just hosting a few Joomla! sites… but this doesn't seem to be targeting Joomla (as far as I can tell).

Anyone know what they're probing for? I just want to make sure whatever it is I've got it covered (or not installed). The escalation of these entries has me a bit concerned.

Best Answer

They are trying to read the environment strings for the environment. This can be obtained from /proc/self/environ, and they are walking back the directory tree to read it. It looks like Joomla is falling back to the main page when it can't process the request.
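A small detector for the probes quoted in the question, added here as an example (it is not part of the original question or answer): it parses access-log lines, percent-decodes each query parameter, and reports why a value looks like an attempt to read /proc/self/environ. The log lines, IPs, timestamps and the function names `classify` and `find_probes` are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: Apache combined-format lines whose request targets are
# modelled on the Logwatch excerpt above; IPs, timestamps and sizes are made up.
TASK = "../" * 15 + "proc/self/environ%00"
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [01/Mar/2010:04:12:01 +0000] "GET /index2.php?option=com_myblog&item=12&task={TASK} HTTP/1.1" 200 5120 "-" "-"',
    f'192.0.2.10 - - [01/Mar/2010:04:12:02 +0000] "GET /?option=com_myblog&Itemid=12&task={TASK} HTTP/1.1" 301 0 "-" "-"',
    f'192.0.2.11 - - [01/Mar/2010:04:12:09 +0000] "GET //index2.php?option=com_myblog&Itemid=1&task={TASK} HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [01/Mar/2010:04:13:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8841 "-" "-"',
])

# client IP, request target and status code from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def classify(value):
    """Reasons a percent-decoded parameter value looks like a file-read probe."""
    reasons = []
    if re.search(r"(^|/)\.\.(/|$)", value):
        reasons.append("traversal")      # ../ segments walking back up the tree
    if "\x00" in value:
        reasons.append("null-byte")      # %00 decodes to a NUL byte
    if "proc/self/environ" in value:
        reasons.append("proc-environ")   # the file the answer identifies
    return reasons

def find_probes(log_text):
    """Return one record per suspicious query parameter found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        # Split by hand: urlsplit() would read "//index2.php" as a network location.
        path, _, query = target.partition("?")
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify(value)
            if reasons:
                hits.append({"ip": ip, "path": path, "param": name,
                             "status": int(status), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

The status field only shows that the request was served; as the answer notes, Joomla falling back to the main page also yields a 200.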