[Mailman-Users] message about probes

Stephen J. Turnbull stephen at xemacs.org
Wed Apr 29 09:20:09 CEST 2009

Gruver, Sandi writes:

 > !!!! 2 possible successful probes
 >  /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
 >  /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
 > Is this likely a probe only or a notification of a compromise?

That depends on the semantics of session.php (which AFAIK is *not*
distributed by Mailman, so you should ask the vendor of that script
for support).  It's possible that session.php successfully returned a
page (thus giving an HTTP OK response) but the content of the page was
an empty index of available files and a search box or something like
that, or even an error message like "there's nothing here for you to
look at; please check your URL and try again."  (That wouldn't
necessarily be a "404 Not found" because session.php itself was found
and executed without a program error.)

However, I would assume that the attacker is probing via session.php
because it does effect a compromise, e.g., returning the contents of
/etc/passwd.  That is a compromise even if there are no passwords
there; it returns the system identities of your users, and that is
unquestionably useful for planning further attacks as many network
servers run under their own ids, and if there are regular users, they
are subject to targeting for various kinds of login attempts.
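The triage Stephen describes (an HTTP 200 from the script does not by itself prove the file was returned; the body size and the decoded path tell you more) can be applied to an access log mechanically. The following is an added example, not code from the original thread or from Mailman: it parses combined-format log lines, decodes and collapses the request path, flags directory-traversal attempts, and labels each one by status and body size. The log lines, IP addresses and the 400-byte threshold are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in "combined" format (not from the original post).
# The first two reproduce the URL shapes quoted in the thread; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2009:08:55:01 +0200] "GET /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP/1.1" 200 1287 "-" "Mozilla/4.0"
203.0.113.7 - - [29/Apr/2009:08:55:02 +0200] "GET /mailman/private/sqlhelp///includes/session.php?baseDir=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 214 "-" "Mozilla/4.0"
198.51.100.4 - - [29/Apr/2009:08:56:10 +0200] "GET /mailman/listinfo HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Apr/2009:08:57:44 +0200] "GET /includes/session.php?baseDir=../../../../etc/passwd HTTP/1.1" 404 310 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files commonly requested through a traversal; /etc/passwd is the one seen in the post.
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow")

# Assumption: a real /etc/passwd on a multi-user host is normally well above this size,
# while a generic "nothing here" page from the script may be much smaller. Tune per site.
MIN_DISCLOSURE_BYTES = 400


def normalize(path: str) -> str:
    """Decode percent-encoding twice (catches double encoding) and collapse '///' runs."""
    decoded = unquote(unquote(path))
    return re.sub(r"/{2,}", "/", decoded)


def is_traversal(path: str) -> bool:
    """True if the decoded path contains a parent-directory step."""
    norm = normalize(path)
    return "../" in norm or "..\\" in norm


def verdict(status: int, size: int) -> str:
    """Turn status and body size into a triage label for a traversal attempt."""
    if status != 200:
        return "probe-rejected"       # script missing or request refused
    if size < MIN_DISCLOSURE_BYTES:
        return "probe-small-body"     # 200 but probably an error/empty page: verify
    return "possible-disclosure"      # 200 with a file-sized body: treat as compromise until checked


def analyze(log_text: str) -> list:
    """Return one finding per traversal request found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        norm = normalize(m["path"])
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": norm,
            "status": status,
            "size": size,
            "sensitive": any(t in norm for t in SENSITIVE_TARGETS),
            "verdict": verdict(status, size),
        })
    return findings


def summarize_by_ip(findings: list) -> dict:
    """Count traversal attempts per source address, to spot a scanner walking through paths."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"{f['time']} {f['ip']} {f['status']} {f['size']:>5}B {f['verdict']:<20} {f['path']}")
    print("attempts per source:", summarize_by_ip(results))
```

A "possible-disclosure" label is a prompt to pull the actual response (from a proxy cache, a full-packet capture, or by reproducing the request against a test copy of the script) rather than a verdict on its own; the size threshold only separates requests that clearly could not have carried a file from those that might have.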
