Re: [gentoo-user] strange errors in http log, what can/should I do about it.
On 2/28/22 5:04 AM, Adam Carter wrote:
> If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords.

Note the question mark after the leading slash. As such, the path traversal component is for a query parameter, named f / file / filename / id.

There is a reasonable chance that the web server returned the index / default page for the document root and that the query parameter didn't actually change anything. With this in mind, it would be normal to return a 200 status code for the index / default page for the document root.

> Check your httpd config… seems odd that an old attack like this would still work.

If this did return the actual contents of /etc/passwd then there is quite likely a different problem in that the index / default page is accepting query parameters as paths, independent of the HTTP daemon.

Aside: +1 to everything that Stefan S. said.

-- 
Grant. . . .
unix || die
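A way to put Grant's point to work on the access log itself, as an added example that is not part of the thread: with the Apache "combined" format the response size is logged next to the status, so a probe that returned exactly as many bytes as an ordinary request for the same path almost certainly got the unchanged index page, while a different size is the one case worth fetching by hand. The log lines below are constructed for this example (the four probes copy the logwatch report; the addresses, sizes, the view.php requests and the double-encoded 403 line are assumptions), and the size comparison is a heuristic, not proof either way.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache "combined" format). Invented for
# this example: the four "/?x=../../etc/passwd" probes mirror the logwatch
# report; everything else (IPs, byte counts, view.php, the 403) is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - [28/Feb/2022:03:12:07 +0000] "GET / HTTP/1.1" 200 5132 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Feb/2022:03:12:08 +0000] "GET /view.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Feb/2022:03:12:09 +0000] "GET /?f=../../../../../../../../../etc/passwd HTTP/1.1" 200 5132 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Feb/2022:03:12:10 +0000] "GET /?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 5132 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Feb/2022:03:12:11 +0000] "GET /?filename=../../../../../../../../../etc/passwd HTTP/1.1" 200 5132 "-" "Mozilla/5.0"
203.0.113.5 - - [28/Feb/2022:03:12:12 +0000] "GET /?id=../../../../../../../../../etc/passwd HTTP/1.1" 200 5132 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Feb/2022:04:40:01 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1847 "-" "curl/7.81.0"
198.51.100.9 - - [28/Feb/2022:04:40:02 +0000] "GET /?f=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/7.81.0"
"""

# Fields of the combined format up to the byte count; referer/UA are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
DOTDOT_RE = re.compile(r'\.\.[/\\]')


def parse_line(line):
    """Split one combined-format line into the fields the triage needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    req['status'] = int(req['status'])
    req['size'] = None if req['size'] == '-' else int(req['size'])
    url = urlsplit(req['target'])
    req['path'] = url.path
    # parse_qsl percent-decodes once; traversal_params() decodes a second
    # time so that double-encoded %252e%252e%252f is caught as well.
    req['params'] = parse_qsl(url.query, keep_blank_values=True)
    return req


def traversal_params(req):
    """Names of query parameters whose decoded value carries a ../ segment."""
    return [name for name, value in req['params']
            if DOTDOT_RE.search(unquote(value))]


def triage(log_text):
    """Flag traversal probes and compare each 200 response's size with the
    sizes the same path returned to ordinary requests. An identical size is
    the signature Grant describes (index page served, parameter ignored).
    A different size is not proof of a leak, only a reason to look."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    baseline = {}
    for r in reqs:
        if r['size'] is not None and not traversal_params(r):
            baseline.setdefault((r['path'], r['status']), set()).add(r['size'])
    findings = []
    for r in reqs:
        params = traversal_params(r)
        if not params:
            continue
        sizes = baseline.get((r['path'], r['status']))
        if r['status'] != 200:
            verdict = 'rejected'
        elif sizes is None:
            verdict = 'no_baseline'
        elif r['size'] in sizes:
            verdict = 'same_size_as_baseline'
        else:
            verdict = 'size_differs'
        findings.append({'ip': r['ip'], 'target': r['target'], 'params': params,
                         'status': r['status'], 'size': r['size'], 'verdict': verdict})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['verdict']:23} {f['status']} {str(f['size']):>6}  {f['ip']:<13} {f['target']}")
```

Run against a real log (`python3 triage.py < /var/log/apache2/access_log` after swapping SAMPLE_LOG for stdin) the four probes from the report would land in `same_size_as_baseline` if the document root's index page ignores query parameters; only a `size_differs` or `no_baseline` hit needs the manual check Adam suggested, and even then the response body, not the status code, is what decides it.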
Re[2]: [gentoo-user] strange errors in http log, what can/should I do about it.
Monday, 28 February 2022 13:04:
> On Monday, February 28, 2022, John Covici wrote:
>> I got the following error this morning during my logwatch processing
>> which I run daily and I would like to know if there is anything I can/
>> should do about it? Seems to me it could be serious, if someone has
>> penetrated my server.
>>
>> A total of 4 possible successful probes were detected (the following
>> URLs contain strings that match one or more of a listing of strings that
>> indicate a possible exploit):
>>
>> /?f=../../../../../../../../../etc/passwd HTTP Response 200
>> /?file=../../../../../../../../../etc/passwd HTTP Response 200
>> /?filename=../../../../../../../../../etc/passwd HTTP Response 200
>> /?id=../../../../../../../../../etc/passwd HTTP Response
>
> If you put that url in a browser does it show your passwd file? I assume
> because the logs say 200 it will. If so shut down the httpd and reset all
> the passwords.
>
> Check your httpd config… seems odd that an old attack like this would still
> work. If /etc/passwd still contains passwords in a usable format, you've
> asked to be hacked for a long time.

Assuming that the actual passwords are in /etc/shadow, you might still want to take a look at changing the usernames stored in /etc/passwd, because now the attacker knows which accounts to target.

account1:x:1023:1024:...:/home/account1:/bin/bash
account2:x:244:244:...:/home/account2:/sbin/nologin

If I had to get into your system, I'd concentrate on account1, as it has an actual login shell, which might be used by a human, so it might even use an "easy" password.

s.
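The two things this reply and Adam's remark ask you to check in /etc/passwd (is the password field really shadowed, and which accounts have a real login shell) are easy to script; the following is an added example, not code from the thread. The passwd excerpt is constructed: the account1 / account2 entries copy the shape Stefan gave, the other accounts, the placeholder hash on "legacy" and the UID_MIN of 1000 (the login.defs default on most distributions) are assumptions, and the shell denylist is a stand-in for consulting /etc/shells.

```python
# Constructed /etc/passwd excerpt, invented for this example. The hash on
# "legacy" is a placeholder, not a real crypt(3) string.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
account1:x:1023:1024:Some Person:/home/account1:/bin/bash
account2:x:244:244:Service Account:/home/account2:/sbin/nologin
legacy:$6$fakesalt$fakehashfakehashfakehashfakehash:1050:1050:Old Box:/home/legacy:/bin/sh
guest::1070:1070:Guest:/home/guest:/bin/sh
locked:!:1080:1080:Locked:/home/locked:/bin/bash
"""

# Assumption: shells that never give a session. On a real host, compare the
# shell against /etc/shells instead of this short denylist.
NON_LOGIN_SHELLS = {'/sbin/nologin', '/usr/sbin/nologin', '/bin/false', '/usr/bin/false'}
UID_MIN = 1000  # assumption: login.defs default; ordinary user accounts start here


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; seven colon-separated fields each."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError(f'malformed passwd line: {line!r}')
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({'name': name, 'pw': pw, 'uid': int(uid), 'gid': int(gid),
                        'gecos': gecos, 'home': home, 'shell': shell})
    return entries


def password_state(pw):
    """Classify the second field: 'x' means the hash lives in /etc/shadow,
    an empty field means no password at all, '*' or a leading '!' disables
    password login, anything else is a hash sitting in a world-readable file."""
    if pw == 'x':
        return 'shadowed'
    if pw == '':
        return 'empty'
    if pw == '*' or pw.startswith('!'):
        return 'locked'
    return 'hash_exposed'


def audit(text):
    """Report what an attacker learns from a leaked /etc/passwd: exposed hashes,
    passwordless accounts, accounts with a real shell, and the subset of those
    (unlocked, UID >= UID_MIN) that a password-guessing attempt would target."""
    report = {'hash_exposed': [], 'empty': [], 'interactive': [], 'targets': []}
    for e in parse_passwd(text):
        state = password_state(e['pw'])
        if state in ('hash_exposed', 'empty'):
            report[state].append(e['name'])
        if e['shell'] not in NON_LOGIN_SHELLS:
            report['interactive'].append(e['name'])
            if state != 'locked' and e['uid'] >= UID_MIN:
                report['targets'].append(e['name'])
    return report


if __name__ == '__main__':
    # Swap SAMPLE_PASSWD for open('/etc/passwd').read() to audit a real host.
    for key, names in audit(SAMPLE_PASSWD).items():
        print(f'{key:13} {", ".join(names) or "-"}')
```

On the sample, `hash_exposed` and `empty` are the "usable format" problem Adam describes (those accounts need their password moved into /etc/shadow or set at all), while `targets` is Stefan's list: account1-style entries with a login shell, which is where a guess-the-password attempt would start now that the names are known.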
Re: [gentoo-user] strange errors in http log, what can/should I do about it.
On Monday, February 28, 2022, John Covici wrote:
> I got the following error this morning during my logwatch processing
> which I run daily and I would like to know if there is anything I can/
> should do about it? Seems to me it could be serious, if someone has
> penetrated my server.
>
> A total of 4 possible successful probes were detected (the following
> URLs contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> /?f=../../../../../../../../../etc/passwd HTTP Response 200
> /?file=../../../../../../../../../etc/passwd HTTP Response 200
> /?filename=../../../../../../../../../etc/passwd HTTP Response 200
> /?id=../../../../../../../../../etc/passwd HTTP Response

If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords.

Check your httpd config… seems odd that an old attack like this would still work.
[gentoo-user] strange errors in http log, what can/should I do about it.
I got the following error this morning during my logwatch processing which I run daily and I would like to know if there is anything I can/should do about it? Seems to me it could be serious, if someone has penetrated my server.

A total of 4 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):

/?f=../../../../../../../../../etc/passwd HTTP Response 200
/?file=../../../../../../../../../etc/passwd HTTP Response 200
/?filename=../../../../../../../../../etc/passwd HTTP Response 200
/?id=../../../../../../../../../etc/passwd HTTP Response 200

Thanks in advance for any suggestions.

-- 
Your life is like a penny. You're going to lose it. The question is: How do you spend it?

John Covici wb2una
cov...@ccs.covici.com