Hi!

This isn't really an attack against a blog or blog type per se, it's a
directory transversal or Local File Inclusion type attack to get access to
files that one normally wouldn't have access to, such as the '/etc/passwd'
file in this case.

You'd use some of the same code to issue commands to a server and all kinds
of other 'fun' things.


As to the types of attacks I see the most, it's usually folks looking for
Proxies or people looking for database access through phpmyadmin.

:)
Missy



On 9/22/08 12:50 PM, "Eric Weston" <[log in to unmask]> wrote:

> We host a blog, running on B2Evolution (Apache Linux), and I see one
> particular expoit attempt in our logs a great deal. It doesn't work
> against our blog instance, but since I see this attempted so often, I
> figure it either is effective against earlier versions of b2evolution,
> or perhaps against some other blog software. I see lots of variations of
> it, but they are all GET requests for something like:
> 
> our.blog.url/index.php?blog=../../../../../../../etc/passwd
> 
> Sometimes the URL variable name is different, or some other variation.
> 
> Anyone know what blog software is or was vulnerable to this attack?
> 
> Also, what are the most common attacks/probes you see against Apache
> webservers? I'm making a top five list. (I've read "High Fidelity",
> obviously)
> 
>              Thanks,
>                       E.B.W.