On Wed, Jul 09, 2025 at 10:30:59PM -0600, latin...@resist.ca wrote:
> > Quoth latin...@resist.ca:
> >> Hello
> >>
> >> I found these lines today, is it something to be worried about, please?
> >>
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET
> >> /.well-known/security.txt HTTP/1.1" 404 0
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET
> >> /?file=../../../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?file=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?inc=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?include=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?layout=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?module=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?page=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?path=../../../../../../boot.ini HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?template=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:06 -0700] "GET
> >> /?view=../../../../etc/passwd HTTP/1.1" 200 7591
> >>
> >
> > Nope, just another bot trying to pry into your secrets. You'll see
> > similar failed attempts to break into your system if you look in
> > /var/log/authlog (assuming you have ssh listening on port 22). As
> > long as you have a secure setup and don't serve your passwords over
> > HTTP (as that's what the bot is trying to grab) you'll be fine.
> >
> > --
> > noodle
> >
>
> Thank you noodle, I was cautious because of the 200 which appears when
> someone accesses the web page.

The 200 return code just indicates that the server returned _something_
for the request, i.e. the request was completed without error.

To help with future concerns: If / points to a static page on your
server, then the arguments following the ? will be ignored and the
server will just serve that page as normal. But in any case, you have
the file size that was served - 7591 bytes. Is that the normal size of
your / page or the size of your /etc/passwd? Since it returned the same
length of 7591 for the request for boot.ini, it's almost certainly just
serving your normal / page.

Also, note that although /etc/passwd contains potentially useful
information, the real hashed passwords are stored in /etc/master.passwd.
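
The size comparison described in the reply above, as an added example that is not part of the original thread: it groups traversal probes per virtual host and client, then checks whether every 200 response had the same size. The names `probed_file`, `triage` and `baseline_size` are hypothetical, and the example.org log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Matches the vhost-prefixed access log format quoted in the thread.
LINE = re.compile(
    r'(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')

def probed_file(target):
    """Return the file a traversal probe asks for (e.g. 'etc/passwd'), else None."""
    for _, value in parse_qsl(urlsplit(target).query):
        value = value.replace("\\", "/")
        if "../" in value:
            return value.replace("../", "").lstrip("/")
    return None

def triage(lines, baseline_size=None):
    """Per (vhost, client): probe count, sizes of 200 responses, verdict."""
    seen = defaultdict(lambda: {"files": set(), "sizes": set(), "probes": 0})
    for line in lines:
        m = LINE.match(line)
        wanted = probed_file(m["target"]) if m else None
        if wanted is None:
            continue
        entry = seen[(m["vhost"], m["ip"])]
        entry["probes"] += 1
        if m["status"] == "200":
            entry["files"].add(wanted)
            entry["sizes"].add(int(m["size"]))
    report = {}
    for key, e in seen.items():
        # One size for probes of different files, or a size equal to the known
        # size of the normal page, means the query parameter was ignored.
        same = len(e["sizes"]) == 1 and (len(e["files"]) > 1 or e["sizes"] == {baseline_size})
        verdict = "no 200" if not e["sizes"] else "same body for every probe" if same else "review"
        report[key] = (e["probes"], sorted(e["sizes"]), verdict)
    return report

# First two lines are from the thread (unwrapped); the example.org lines are constructed.
SAMPLE = [
    'agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET /?file=../../../../etc/passwd HTTP/1.1" 200 7591',
    'agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET /?path=../../../../../../boot.ini HTTP/1.1" 200 7591',
    'example.org 203.0.113.9 - - [09/Jul/2025:14:00:01 -0700] "GET /?page=../../../etc/passwd HTTP/1.1" 200 1843',
    'example.org 203.0.113.9 - - [09/Jul/2025:14:00:02 -0700] "GET /?page=../../../boot.ini HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for key, result in triage(SAMPLE).items():
        print(key, result)
```

A "review" verdict only means the log alone cannot confirm the normal page was served; passing the known size of / as `baseline_size` settles the single-file case.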