
IDS logging attacks from my own web site!


This isn’t a complaint; I just thought it was interesting. I use Geeklog for my hosted site. I was going through the logs on my home firewall and noticed that the IDS (Intrusion Detection System) was showing attacks coming from my website. It logged the attack as “WEB-PHP content-disposition”. I researched the attack and found that it was a buffer overflow vulnerability that affected PHP 3-4.2. Here is what I found on Securityfocus.com about the attack:

“PHP is a widely deployed scripting language, designed for web based development and CGI programming. PHP does not perform proper bounds checking on in functions related to Form-based File Uploads in HTML (RFC1867). Specifically, this problem occurs in the functions which are used to decode MIME encoded files. As a result, it may be possible to overrun the buffer used for the vulnerable functions to cause arbitrary attacker-supplied instructions to be executed. PHP is invoked through webservers remotely. It may be possible for remote attackers to execute this vulnerability to gain access to target systems. A vulnerable PHP interpreter module is available for Apache servers that is often enabled by default.”

Apparently, whenever I upload a pic or file to my site, the IDS running on my firewall logs it as an attack attempt. I’m not worried about it: it doesn’t seem to be affecting file uploads (I don’t see any dropped packets from my site in the FW logs), and it’s only logging it when I upload files. I just thought it was interesting. By the way, Geeklog rocks!