On Friday, February 26, 2016 at 4:57:47 AM UTC-5, Robin Manoli wrote:
>
>
> *About the exploit* There is an exploit is was happening. I thought they 
> were related to a web2py app on Apache, but I'm sure any more. What is 
> happening is that another web server keeps getting this type of requests 
> from a server I'm working on. This keeps happening although the ports 80 
> and 443 (and almost all other ports) for outbound traffic of the servers 
> are closed. ModProxy is disabled.
>
> server.ip - - [  -0500] "GET /index.php?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 7792 "-" "Mozilla/4.76 [en] (Win98; U)"
>

So, is the above log entry from the *other* server (i.e., not the one you 
control)? I presume the "server.ip" value is the IP address of your server, 
hence the belief that this request is coming from your server, correct? If 
so, how did you get this log entry? Did the owner of the server contact you 
and provide it? Did they request any information from you? Can you trust 
that this is real (as opposed to a social engineering attempt)?
 

> I did find some suspicious apache logs which made me think it was related 
> to a web2py app:
> 213.152.162.134 - - [23/Feb/2016:22:32:19 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=anonyme1520091ef3&password=anonyme1520091ef3&type=m3u&output=mpegts&1=anonyme1520091ef3 HTTP/1.0" 400 804 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en) AppleWebKit/522.11.3 (KHTML, like Gecko) Version/3.0 Safari/522.11.3"
> 185.25.148.240 - - [24/Feb/2016:14:38:31 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"
> 213.152.162.134 - - [24/Feb/2016:19:44:56 +0100] "GET http://stream-full.selfip.com:8000/get.php?username=whatisashelly&password=whatisashelly&type=m3u&output=mpegts&1=whatisashelly HTTP/1.0" 500 1091 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"
>

I don't see how any of these requests would be related to web2py/WSGI (as 
they are not for internal URLs that would be served by web2py), nor how 
they would be related to the alleged external request to the other server 
(which is not at any of these URLs). Looks like someone was just trying 
(and failing) to proxy requests through your server.

> I did not wish to say that web2py has any specific issues, but rather to 
> learn about potential and perhaps common mistakes people do when creating 
> web2py or wsgi apps.
>

With regard to "proxy abuse" specifically, WSGI and web2py play no role -- 
this is simply an issue of the web server (and it seems not to be a problem 
in your case).
 

>
> *About why I use apache* You are right of course Niphlod. The full story 
> is just that I had a working setup with Apache without any issues, so I was 
> focusing on app development and not choosing web servers. It worked very 
> well so far in the context, and it's not really important to discuss this 
> any further. I have my reasons for why things are like they are, and of 
> course I can move to nginx.
>

If you can, it might not be a bad idea to switch to Nginx, but at the 
moment, it's not clear that Apache is really causing any problems here.

Anthony
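
Added example, not part of the message above or of the web2py project: a small Python triage script for Apache access-log lines of the kind quoted in this thread. It flags absolute-URI (forward-proxy) requests and whether the status code shows they were refused, plus the traversal and null-byte markers seen in the /proc/self/environ request. The function name, the finding labels and the third sample line are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)
ABSOLUTE_URI = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def classify(line):
    """Return (host, status, findings) for one access-log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, status = m["target"], int(m["status"])
    findings = []
    # An absolute URI (or CONNECT) in the request line asks the server to act as a
    # forward proxy. A 4xx/5xx means it declined; anything else needs a manual look
    # at what was actually returned (it may just be a local page).
    if m["method"] == "CONNECT" or ABSOLUTE_URI.match(target):
        findings.append("proxy-attempt:" + ("refused" if status >= 400 else "check-response"))
    decoded = unquote(target)  # %00 -> NUL, %2e%2e%2f -> ../
    if "../" in decoded or "..\\" in decoded:
        findings.append("path-traversal")
    if "\x00" in decoded:
        findings.append("null-byte")
    if "/proc/self/environ" in decoded:
        findings.append("proc-environ-probe")
    return m["host"], status, findings

# Lines 1-2 are entries quoted in the thread (unwrapped); line 3 is constructed.
SAMPLE = [
    'server.ip - - [  -0500] "GET /index.php?page=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 7792 "-" "Mozilla/4.76 [en] (Win98; U)"',
    '185.25.148.240 - - [24/Feb/2016:14:38:31 +0100] "GET http://testp3.pospr.waw.pl/testproxy.php HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/31.0"',
    '192.0.2.10 - - [01/Jan/2016:00:00:00 +0000] "GET http://example.com/ HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```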
