Questions tagged [exploit]

A sequence of commands or configuration data which can predictably utilize a vulnerability of a system.

0 votes
0 answers
55 views

Is this an Apache server exploit?

Viewing my access logs for the last few days, I have seen high-speed bursts of access attempts on one web resource per day. For example, yesterday was an image, today is a PHP document. Today's burst ...
Will B (rep. 101)
3 votes
1 answer
435 views

Mmio stale data patched on hypervisor but vulnerable inside kvm guest

My hypervisor tells me that Mmio stale data is patched: Vulnerability Mmio stale data: Mitigation; Clear CPU buffers; SMT disabled But when I check inside my kvm running linux 6.1.0-12-amd64, I ...
user9503 (rep. 141)
-1 votes
1 answer
50 views

Does blocking all output connections protect us from exploits on our server?

Let's say a hacker found a way to exploit a vulnerability in my container and he can execute any code there (for example, he has uploaded a bash file via the HTTP protocol). Let's make it more dangerous: ...
Simon (rep. 109)
2 votes
1 answer
317 views

What is this possible Apache exploit, and am I affected?

I had this warning in my daily logwatch digest this morning: A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings ...
Darren (rep. 345)
1 vote
1 answer
1k views

CVE-2021-26855 exploited. Patched and running MSERT. What else can I do?

I'm running the Exchange server exploit checks recommended by Microsoft here: [MS Security Response Center - OnPremise Exchange Server Vulnerabilities Resource Center - updated March 16, 2021]2 ...
cb2791 (rep. 11)
0 votes
1 answer
65 views

Is it common to be constantly harassed by hackers?

I have recently become the proud operator of a server that runs wordpress and other software. Today I took a closer look at the log files to see what's going on on my server. Actually, I just wanted ...
eltitano
0 votes
0 answers
397 views

What exploits involve making long http requests with lots of mostly null byte octals?

I've gotten a lot of strange http requests in my access logs before, like calls to nonexistent WordPress login scripts and application specific locations. I've even gotten a few wise guy requests like ...
Altimus Prime
2 votes
2 answers
3k views

What happens if you have user collisions between a Linux system and an LDAP server?

I have an (Open)LDAP Server running on a Debian system inside my LAN, and multiple systems running Linux Mint, configured as LDAP Clients. Here is the content of my /etc/nsswitch.conf: passwd: ...
Radu Marinescu
2 votes
2 answers
2k views

How to protect my server from CVE-2019-10149 - Exim - patched or unpatched - How to reject mail to RCPT ${run

In reference to the recently publicized Exim vulnerability CVE-2019-10149, I am running supposedly patched Exim v. 4.90_1 (built June 4th, 2019) on Ubuntu 18.04.2 LTS. Although it is supposedly ...
jdmayfield
0 votes
0 answers
14 views

Running processes: "perl /tmp/dd" - what is this? [duplicate]

I have a LAMP server with about 50 virtual domains, and am using Webmin/Virtualmin to manage the server. When looking at running processes (top) I see one domain's username is running a couple of ...
Ryan Griggs (rep. 1,093)
0 votes
0 answers
490 views

Tomcat filter traffic based on bad MIME type

I have recently spotted a large amount of malicious traffic causing errors to be thrown on our Grails app. It is hosted via Tomcat: ERROR grails.plugin.cache.web.filter.simple....
Michal_Szulc
0 votes
1 answer
2k views

Windows 7 SP1 SMB (Port 135/445) enabled by default upon install? [closed]

I'm curious as, over the several years since I started researching computer security, SMB has been the place where remote code execution happens the most on the Windows OS. Especially with the ...
Z3R0_XP
0 votes
1 answer
616 views

What is this regular (every 120 seconds) HTTP 1.1 POST?

From several IP addresses my Apache 2.4 server got this entry turn in the logs. For the 88.* address I saw 178 entries. The timing interval is between 120 and 123 seconds, generally 122. 88.207.37....
Josh (rep. 181)
2 votes
1 answer
154 views

DSquery on AD share leaking company information

Today I found DSquery on one of my SMB shares at work. I ran it to query users and, since my company uses IC numbers as the unique CN, I got to see all my colleagues' ICs, which is a breach of personal ...
jia chen (rep. 121)
69 votes
8 answers
15k views

A previous IT worker probably left some backdoors. How can I eliminate them? [duplicate]

I started working for a company that fired a previous IT worker for leaking data. I can only say the following things: We use a Firebird DB with an application written by another company, Proxmox, ...
user2265690
3 votes
1 answer
984 views

What is a reverse proxy exploit?

On this question I found this particular part of code in an Apache configuration file: # rewrite rule to prevent proxy exploit RewriteCond %{REQUEST_URI} !^$ RewriteCond %{REQUEST_URI} !^/ ...
adelriosantiago
1 vote
0 answers
47 views

netstat shows my own server is hitting a server it's not supposed to know about

On AWS I have a few dedicated servers that do image processing, and they seem to get high traffic and fail. When running netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n I ...
Niro (rep. 1,561)
0 votes
1 answer
1k views

How to prevent DOS attack on xmlrpc.php

We've been having trouble recently with a DOS attack on our main website, which is run using Apache httpd 2.2.9 and Drupal 6.35. The attack is a POST to Drupal's xmlrpc.php, which is a known exploit ...
Jack BeNimble
0 votes
1 answer
2k views

Exploit PHP File Found in /tmp directory [duplicate]

I have been alerted by our system that a PHP shell has been found in the /tmp directory. Firstly, I would like to know how it could have got here and why it would be here. Is there any way PHP ...
Chris (rep. 1,289)
2 votes
1 answer
974 views

what server functions are affected by the GHOST vulnerability? [closed]

CVE-2015-0235, aka "GHOST", is a buffer overflow in glibc. It specifically affects the gethostbyname functions, which are apparently obsolete but still in use. Obviously the best option is to update ...
Foo Bar (rep. 161)
3 votes
2 answers
8k views

Yum reports updated bash but binary still reports old version

I'm trying to update a CentOS 5 system in order to patch the bash vulnerability described in CVE-2014-6271 / RHSA-2014:1293-1, but am running into an issue. After seemingly-successfully updating bash ...
Richard Szalay
16 votes
4 answers
23k views

How do I patch RHEL 4 for the bash vulnerabilities in CVE-2014-6271 and CVE-2014-7169?

A mechanism for remote code execution through Bash has been widely reported yesterday and today (September 24, 2014.) http://seclists.org/oss-sec/2014/q3/650 Reported as CVE-2014-7169 or CVE-2014-6271 ...
Bob Brown (rep. 273)
1 vote
0 answers
1k views

Understanding & Resolving Web Server Exploits

We recently had someone contact our company pointing out that we had numerous security threats that could be used to exploit our systems. They were nice enough to provide a list of these to which we ...
Aidan Knight
-1 votes
1 answer
828 views

how to mitigate hackers trying to find an exploit? [closed]

I have a Rails application running in a webserver inside my company, and now and then I see these messages in the log: I, [2014-09-04T06:15:33.057513 #37024] INFO -- : Started GET "/pma/scripts/setup.php"...
Luiz E. (rep. 111)
10 votes
1 answer
13k views

How to check if my Supermicro IPMI is compromised with plaintext admin password over the web?

I've some Supermicro servers with IPMI running, and as described in this blog (http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras) there's a critical vulnerability to ...
Vinícius Ferrão
0 votes
1 answer
69 views

OpenSSL certificates

Since the recent surfacing of the heartbleed exploit, I have become curious as to how long openssl certificates are usually kept before they are regenerated? Is it days, weeks, months, years? I can't ...
ddaa (rep. 1)
0 votes
1 answer
814 views

Ramnode was hacked via a SolusVM zero-day exploit (what should I, a customer, do?) [duplicate]

So, Ramnode was compromised; some kid used a zero-day exploit to gain access and rm -rf. I'm really happy with how the Ramnode team handled the situation; finally my VPS was restored and it is back online. I've a ...
1 vote
1 answer
1k views

MySQL root password changed by someone or app self [duplicate]

I have a server that is accessible to the public, but I've been locked out of the MySQL root password 3 times by someone else, who knows the password that only I should know. I've checked on the server disk ...
2 votes
1 answer
557 views

What sort of attack URL is this?

I set up a website with my own custom PHP code. It appears that people from places like Ukraine are trying to hack it. They're trying a bunch of odd accesses, seemingly to detect what PHP files I've ...
Asker (rep. 41)
2 votes
2 answers
433 views

Are there any risks in using cat to read a value from an untrusted file?

I need to get a variable value by reading from a user-uploaded text file. I am doing this from a system script: resourceVersion=`cat userFile.txt` mkdir $resourceVersion ... Can the content of this file ...
Johnny Everson
0 votes
1 answer
2k views

Windows Task Scheduler Security Issue [closed]

Using the Windows Task Scheduler allows non-administrator users to gain access to administrative rights. Normally, Windows prevents executing applications which need to have more rights. A message ...
System.Data
1 vote
1 answer
731 views

Plesk Qmail Queue Exploding From Possible Webform Attack

The qmail queue on my server (running Plesk on CentOS 5.2) balloons up to 120,000+ messages in the queue overnight. The messages in the queue are obviously spam. I've cleared them out over the last ...
ChiCgi (rep. 163)
2 votes
1 answer
4k views

Applying memory limits to screen sessions

You can set memory usage limits for standard Linux applications in: /etc/security/limits.conf Unfortunately, I previously thought these limits only apply to user applications and not system services. ...
xikkub (rep. 149)
2 votes
2 answers
612 views

Exploit in translators.html of phpMyAdmin

Is there an exploit in the translators.html file of phpMyAdmin? The reason I ask is I have Bad Behavior installed on a server, and that server has a web app that the main index.php ends up handling ...
MiquelFire
3 votes
2 answers
3k views

Giving other users write access to apache logs can result in root exploit - How does this work?

On http://httpd.apache.org/docs/2.2/logs.html Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that the server is started as, ...
Gabe Martin-Dempesy
-1 votes
1 answer
668 views

How do I figure out how the "Pharma Hack" hackers are gaining access to my site?

One of my sites has been the continuous target of the "Pharma Hack" - but it's using Drupal instead of Wordpress or Joomla. It is version 6, but it's updated to the latest version, and so are all of ...
Ken (rep. 1)
0 votes
2 answers
6k views

Apache/PHP root exploit

Because of insecure handling of uploaded files, an attacker was able to run php code on my server (CentOS 5.4) That issue has been fixed, but while he was connected he appears to have modified a file ...
anon coward
7 votes
1 answer
3k views

Safest ciphers to use with the BEAST? (TLS 1.0 exploit) I've read that RC4 is immune

Now that the BEAST is public knowledge, TLS 1.0 is NOT safe to use (nor is SSL 3.0). I have seen reports that the RC4 cipher is unaffected (and is widely supported). Is that true? I know that TLS 1.1 ...
unixman83 (rep. 1,972)
4 votes
1 answer
8k views

Apache - disable range requests - disadvantages?

As there is a working exploit against Apache's byte range implementation (CVE-2011-3192, see here), I'd like to disable it until official patches are shipped with my distros (Debian, Ubuntu). The ...
maff (rep. 301)
2 votes
2 answers
1k views

Simple working example of a Man-in-the-Middle attack?

I'm trying to research and patch a TLS renegotiation exploit which makes a website vulnerable to Man-in-the-Middle attacks. However, I don't understand how the attack occurs exactly and feel like a ...
Socrates
4 votes
2 answers
380 views

Is my Exim vulnerable to the recent remote exploit (CVE-2011-1764)?

CentOS using yum to update Exim. Exim is configured to not allow remote connections using the local_interfaces config option. My old version was 4.63-5.el5_5.2 and after using: yum update exim it ...
user69904 (rep. 241)
0 votes
1 answer
171 views

Protect against silent1.pl Perl Script

I operate a small shared hosting area. While I notice that people are unable/struggle to exploit with PHP I have found a small minority of people using Perl in order to obtain server information. So, ...
Chris (rep. 1,289)
1 vote
2 answers
3k views

Ubuntu Server hack

I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked into this because my user is the only one with ssh access. I found this in an ftp user's .bash_history ...
0 votes
1 answer
819 views

Apache trailing slash added to files problem

I am having a problem with Apache. What it does is this: take an /index.php file containing code with src set to the relative path myimg.jpg, both in the root of my server. So, www.mysite.com would show ...
Francisc (rep. 153)
2 votes
1 answer
3k views

What is the EGG environment variable?

A user on our (openSuSE) linux systems attempted to run sudo, and triggered an alert. He has the environment variable EGG set - EGG=UH211åH1ÒH»ÿ/bin/shHÁSH211çH1ÀPWH211æ°;^O^Ej^A_j<X^O^EÉÃÿ This ...
Randall (rep. 339)
0 votes
1 answer
333 views

grsecurity effectiveness test with latest proftpd remote exploit

I just tested grsecurity. I installed Debian and a vulnerable version of proftpd. I launched an exploit. It worked. I patched the latest kernel with grsec, and now the exploit doesn't work anymore. BUT . ...
baj (rep. 139)
1 vote
3 answers
575 views

What exploit is this?

Our company site just went live and the very first entry in access.log looks like a tentative exploit :) Any idea on which one it could be? Here's the relevant line: 79.168.7.121 - - [28/Jan/2011:13:...
Joril (rep. 1,689)
5 votes
3 answers
1k views

Weird set of shell commands in root's .bash_history

I have probably just detected that a user on a server of mine has rooted my server, but that's not what I'm asking. Has anyone ever seen command like these: echo _EoT_0.249348813417008_; id; echo ...
mr.b (rep. 593)
0 votes
2 answers
91 views

Image security

How can I check that all my images on the server are not prepared with malicious code? I mean, for example, GIF PHP exploits and so on...
astropanic
1 vote
1 answer
862 views

exploit.so dmesg errors

A server (which has since been pulled offline and is scheduled to be wiped) was compromised through ssh brute force. No root/su/sudo access was gained but I started observing these errors (pasted ...
b3nw (rep. 13)