Monday, 28 February 2022, 13:04:

> On Monday, February 28, 2022, John Covici <cov...@ccs.covici.com> wrote:
>> I got the following error this morning during my logwatch processing
>> which I run daily and I would like to know if there is anything I can
>> or should do about it? Seems to me it could be serious, if someone has
>> penetrated my server.
>>
>> A total of 4 possible successful probes were detected (the following URLs
>> contain strings that match one or more of a listing of strings that
>> indicate a possible exploit):
>> /?f=../../../../../../../../../etc/passwd HTTP Response 200
>> /?file=../../../../../../../../../etc/passwd HTTP Response 200
>> /?filename=../../../../../../../../../etc/passwd HTTP Response 200
>> /?id=../../../../../../../../../etc/passwd HTTP Response
>
> If you put that url in a browser does it show your passwd file? I assume
> because the logs say 200 it will. If so shut down the httpd and reset all
> the passwords.
>
> Check your httpd config… seems odd that an old attack like this would still
> work. If /etc/passwd still contains passwords in a usable format, you've
> asked to be hacked for a long time.

Assuming that the actual passwords are in /etc/shadow, you might still want to take a look at changing the usernames stored in /etc/passwd, because now the attacker knows which accounts to target.

account1:x:1023:1024:...:/home/account1:/bin/bash
account2:x:244:244:...:/home/account2:/sbin/nologin

If I had to get into your system, I'd concentrate on account1, as it has an actual login shell, which might be used by a human, so it might even use an "easy" password.

s.
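As an added example (not code posted by anyone in this thread), here is a small Python audit of the two points raised above: which accounts in a leaked /etc/passwd have a real login shell and so need their passwords rotated first, and whether any entry still carries a password hash (or no password at all) instead of an "x" pointing to /etc/shadow. The passwd content below is constructed sample data; the "legacy" and "nopw" entries are assumed for illustration.

```python
# Constructed sample of the kind of /etc/passwd content the thread says was
# exposed; the "..." GECOS fields mirror the elided entries quoted above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
account1:x:1023:1024:...:/home/account1:/bin/bash
account2:x:244:244:...:/home/account2:/sbin/nologin
legacy:$6$saltsalt$hashhashhash:1050:1050:...:/home/legacy:/bin/sh
nopw::1060:1060:...:/home/nopw:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/false
"""

# Shells that refuse an interactive login; anything else counts as a login shell.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

def parse_passwd(text):
    """Yield (user, password_field, uid, shell) for each well-formed passwd line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its fields
        user, pw, uid, _gid, _gecos, _home, shell = fields
        yield user, pw, int(uid), shell

def audit_passwd(text):
    """Summarise what an attacker learns from a leaked /etc/passwd.

    interactive:     accounts with a real login shell (the ones the reply above
                     says an attacker would concentrate on).
    hash_in_passwd:  accounts whose password field holds a hash rather than the
                     'x' / '*' / '!' placeholder, i.e. the hash itself leaked.
    empty_password:  accounts with an empty password field (no password at all).
    """
    result = {"interactive": [], "hash_in_passwd": [], "empty_password": []}
    for user, pw, _uid, shell in parse_passwd(text):
        if shell not in NON_LOGIN_SHELLS:
            result["interactive"].append(user)
        if pw == "":
            result["empty_password"].append(user)
        elif pw not in ("x", "*", "!", "!!"):
            result["hash_in_passwd"].append(user)
    return result

if __name__ == "__main__":
    for category, users in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{category}: {', '.join(users) or '(none)'}")
```

On a real host, feed it the contents of your own /etc/passwd and rotate (or lock) the "interactive" accounts first.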
>> I got the following error this morning during my logwatch processing >> which I run daily and I would like to know if there is anything I can >> should do about it? Seems to me it could be serious, if someone has >> penetrated my server. >> A total of 4 possible successful probes were detected (the following >> URLs >> contain strings that match one or more of a listing of strings that >> indicate a possible exploit): >> /?f=../../../../../../../../../etc/passwd HTTP Response 200 >> /?file=../../../../../../../../../etc/passwd HTTP Response 200 >> /?filename=../../../../../../../../../etc/passwd HTTP >> Response 200 >> /?id=../../../../../../../../../etc/passwd HTTP Response > If you put that url in a browser does it show your passwd file? I assume > because the logs say 200 it will. If so shut down the httpd and reset all > the passwords > Check your httpd config… seems odd that an old attack like this would still > work. If /etc/passwd still contains passwords in a usable format, you've > asked to be hacked for a long time. Assuming that the actual passwords are in /etc/shadow, you might still want to take a look at changing the usernames stored in /etc/passwd, because now the attacker knows which accounts to target. account1:x:1023:1024:...:/home/account1:/bin/bash account2:x:244:244:...:/home/account2:/sbin/nologin If I had to get into your system, I'd concentrate on account1, as it has an actual login shell, which might be used by a human, so it might even use an "easy" password. s.