Quoth latin...@resist.ca:
> > Quoth latin...@resist.ca:
> >> Hello
> >>
> >> I found these lines today, is it something to be worried about please?
> >>
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET
> >> /.well-known/security.txt HTTP/1.1" 404 0
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET
> >> /?file=../../../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?file=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?inc=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?include=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:04 -0700] "GET
> >> /?layout=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?module=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?page=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?path=../../../../../../boot.ini HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET
> >> /?template=../../../../etc/passwd HTTP/1.1" 200 7591
> >> agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:06 -0700] "GET
> >> /?view=../../../../etc/passwd HTTP/1.1" 200 7591
> >>
> >
> > Nope, just another bot trying to pry into your secrets. You'll see
> > similar failed attempts to break into your system if you look in
> > /var/log/authlog (assuming you have ssh listening on port 22). As
> > long as you have a secure setup and don't serve your passwords over
> > HTTP (as that's what the bot is trying to grab) you'll be fine.
> >
> > --
> > noodle
> >
>
>
> Thank you noodle, I was cautious because of the 200 which appears when
> someone accesses the web page.
>
No problem.

Oh, I just noticed the HTTP 200 response code. I tried to reproduce the
bot's GET requests locally with this config:

	server "default" {
		listen on localhost port 80
		root "/htdocs/pastanoggin.com"
	}

And I can confirm that I get HTTP 200 too. I guess in this case, it just
drops the query-string (like the /?file=../../../../etc/passwd part of
the bot's request) and serves the remaining path of / which is an HTTP
200 because I have an index.html under /htdocs/pastanoggin.com. That
should also be why it replies with HTTP 404 when the bot tries to GET
/.well-known/security.txt as it doesn't exist but / does.

If you're doing CGI, things would be a bit different. The reasoning for
HTTP response codes would depend more on your CGI script, etc.

--
noodle
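
The check described in the reply above can be run over a log file. This is an added example, not part of the thread: it flags traversal-style requests and compares each 200 response size with the size of the same path requested without a probe. The function name, the verdict labels, the plain "GET /" baseline line and both example.org lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# vhost, client, ident, user, [time], "METHOD target PROTO", status, bytes
LINE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
TRAVERSAL = re.compile(r'\.\.[/\\]')

# Constructed sample. Lines 2-4 are copied from the thread; the plain "GET /"
# line and both example.org lines are made up for illustration.
SAMPLE = """\
agroena.org 203.0.113.5 - - [09/Jul/2025:12:00:00 -0700] "GET / HTTP/1.1" 200 7591
agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET /.well-known/security.txt HTTP/1.1" 404 0
agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:03 -0700] "GET /?file=../../../../../../etc/passwd HTTP/1.1" 200 7591
agroena.org 185.177.72.16 - - [09/Jul/2025:13:06:05 -0700] "GET /?path=../../../../../../boot.ini HTTP/1.1" 200 7591
example.org 203.0.113.5 - - [09/Jul/2025:12:00:00 -0700] "GET /index.cgi HTTP/1.1" 200 512
example.org 203.0.113.9 - - [09/Jul/2025:13:06:05 -0700] "GET /index.cgi?page=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1843
"""

def classify(log_text):
    """Return [(host, target, verdict)] for every traversal-style request."""
    rows = [m.groups() for m in map(LINE.match, log_text.splitlines()) if m]
    baseline = defaultdict(set)  # (host, path) -> sizes of 200s without a probe
    probes = []
    for host, _ip, _method, target, status, size in rows:
        path = urlsplit(target).path
        if TRAVERSAL.search(unquote(target)):  # also catches %2f-encoded ../
            probes.append((host, path, target, status, size))
        elif status == "200":
            baseline[(host, path)].add(size)
    out = []
    for host, path, target, status, size in probes:
        if status != "200":
            verdict = "rejected"
        elif size in baseline[(host, path)]:
            verdict = "query-ignored"  # same body size as the plain page
        else:
            verdict = "review"         # 200 whose body differs from the plain page
        out.append((host, target, verdict))
    return out

if __name__ == "__main__":
    for host, target, verdict in classify(SAMPLE):
        print(f"{verdict:14} {host} {target}")
```

A "review" verdict only means the body size differs from the plain page, which is the CGI case mentioned in the reply; the response body still has to be inspected by hand.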