[Mailman-Users] message about probes

Mark Sapiro mark at msapiro.net
Wed Apr 29 15:54:35 CEST 2009

Gruver, Sandi wrote:

>>From the mailman server's Logwatch program:
>A total of 1 sites probed the server
>!!!! 2 possible successful probes
> /mailman/private/sqlhelp///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
> /mailman/admin///includes/session.php?baseDir=../../../../../../../../etc/passwd HTTP Response 200
>Is this likely a probe only or a notification of a compromise?

I saw the same thing in my Logwatch the other day. These messages are
reported in the httpd report. This is suspicious from the httpd point
of view because of the 200 response to the multi "../" URL, but if you
look in Mailman's error log, you'll see entries like 'No such list
"includes":' and 'No such list "sqlhelp":' corresponding to these
because the Mailman CGI's protect against these attacks.

All the attacker got was a "non-existent list" page from Mailman.

Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the Mailman-Users mailing list