On Monday, February 28, 2022, John Covici <[email protected]> wrote:

> I got the following error this morning during my logwatch processing
> which I run daily and I would like to know if there is anything I
> should do about it? Seems to me it could be serious, if someone has
> penetrated my server.
>
>  A total of 4 possible successful probes were detected (the following
>  URLs contain strings that match one or more of a listing of strings
>  that indicate a possible exploit):
>
>     /?f=../../../../../../../../../etc/passwd HTTP Response 200
>     /?file=../../../../../../../../../etc/passwd HTTP Response 200
>     /?filename=../../../../../../../../../etc/passwd HTTP Response 200
>     /?id=../../../../../../../../../etc/passwd HTTP Response
>

If you put that URL in a browser, does it show your passwd file? I assume
because the logs say 200 it will. If so, shut down the httpd and reset all
the passwords.

Check your httpd config… seems odd that an old attack like this would still
work.
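
Added example, not part of the original thread: one way to triage the logwatch entries quoted above is to compare each flagged request's response size with what the same path returned on ordinary requests, because the status code alone does not show what was sent. The log lines, addresses and sizes are constructed, and the Apache common/combined access-log format is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed format: Apache/nginx common or combined access log.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def is_traversal(query):
    """True if the query string, after undoing nested %-encoding, contains ../"""
    for _ in range(3):
        query = unquote(query)
    return "../" in query.replace("\\", "/")

def triage(lines):
    """Return (target, status, size, verdict) for every traversal-style request."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            size = 0 if m["size"] == "-" else int(m["size"])
            records.append((urlsplit(m["target"]), m["target"], int(m["status"]), size))
    # Baseline: body sizes each path returned with 200 on ordinary requests.
    baseline = {}
    for url, _, status, size in records:
        if status == 200 and not is_traversal(url.query):
            baseline.setdefault(url.path, set()).add(size)
    findings = []
    for url, target, status, size in records:
        if not is_traversal(url.query):
            continue
        if status != 200:
            verdict = "rejected"                  # server refused the request
        elif size in baseline.get(url.path, ()):
            verdict = "same-size-as-normal-page"  # parameter was probably ignored
        else:
            verdict = "inspect-response"          # body differs: look at what was served
        findings.append((target, status, size, verdict))
    return findings

# Constructed sample lines (documentation IP range, invented sizes).
SAMPLE = [
    '203.0.113.7 - - [28/Feb/2022:03:10:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [28/Feb/2022:03:12:44 +0000] "GET /?f=../../../../../../../../../etc/passwd HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [28/Feb/2022:03:12:45 +0000] "GET /?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "-"',
    '203.0.113.9 - - [28/Feb/2022:03:12:46 +0000] "GET /?id=../../../etc/passwd HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The size comparison is a heuristic: a dynamic page can vary in length between ordinary requests, so an "inspect-response" verdict means the returned body should be examined, not that a file was disclosed.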
