Montag, 28. Februar 2022 13:04:
On Monday, February 28, 2022, John Covici <covici@ccs.covici.com> wrote:
I got the following error this morning during my logwatch processing
which I run daily and I would like to know if there is anything I can
should do about it? Seems to me it could be serious, if someone has
penetrated my server.
A total of 4 possible successful probes were detected (the following
URLs
contain strings that match one or more of a listing of strings that
indicate a possible exploit):
/?f=../../../../../../../../../etc/passwd HTTP Response 200
/?file=../../../../../../../../../etc/passwd HTTP Response 200 >> /?filename=../../../../../../../../../etc/passwd HTTP >> Response 200
/?id=../../../../../../../../../etc/passwd HTTP Response
If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords
Check your httpd config… seems odd that an old attack like this would still work. If /etc/passwd still contains passwords in a usable format, you've asked to
be hacked for a long time.
Assuming that the actual passwords are in /etc/shadow, you might still want to take a look at changing the usernames stored in /etc/passwd, because now the attacker
knows which accounts to target.
account1:x:1023:1024:...:/home/account1:/bin/bash account2:x:244:244:...:/home/account2:/sbin/nologin
If I had to get into your system, I'd concentrate on account1, as it has an actual
login shell, which might be used by a human, so it might even use an "easy" password.
s.
<html><head> <style type="text/css" title="rt_noDelete">
blockquote.rt {
margin: 0 0 15px;
border-left: 4px solid #81c784;
padding: 0 0 0 12px;
display: block;
}
p { margin: 0 0 0 0 }
.email-signature {font-family:"Consolas"; font-size: 10pt; font-style: italic; font-weight: normal; text-decoration: none; }
</style><STYLE type="text/css" title="rt">BODY {margin: 10; font-family:"Consolas"; font-size: 10pt; color: #000000}
P {margin: 0; font-family:"Consolas"; font-size: 10pt; color: #000000} PRE.RFCheader {font-family:"Consolas"; font-size: 10pt; color: #B73A67} .email-signature { color: #424242; font-style: italic;font-weight: normal;text-decoration: none }
A {color: #0066CC; link: #0066CC; font-style: normal;font-weight: normal;text-decoration: underline }
BLOCKQUOTE.Odd {font-family:"Consolas"; font-size: 10pt; color: #9AA626; font-style: italic;font-weight: bold;text-decoration: none }
BLOCKQUOTE.Even {font-family:"Consolas"; font-size: 10pt; color: #50AF4C; font-style: italic;font-weight: bold;text-decoration: none }
.QOdd {font-family:"Consolas"; font-size: 10pt; color: #9AA626; font-style: normal;font-weight: normal;text-decoration: none }
.QEven {font-family:"Consolas"; font-size: 10pt; color: #50AF4C; font-style: normal;font-weight: normal;text-decoration: none }
PRE {font-family:"Consolas"; font-size: 10pt; font-style: normal;font-weight: normal;text-decoration: none }
BODY {background-color: #FFFFFF}
</STYLE></head><body><p class="norm" style="font-size:11pt;"></p><p class="norm" style="font-size:11pt;">Montag, 28. Februar 2022 13:04:<br/>
</p><p class="norm" style="font-size:11pt;"><br/></p><p class="norm" style="font-size:11pt;"></p><blockquote class="rt"><br/><br/>On Monday, February 28, 2022, John Covici <<a href="mailto:
covici@ccs.covici.com">
covici@ccs.covici.com</a>> wrote:<br/
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I got the following error this morning during my logwatch processing<br/>
which I run daily and I would like to know if there is anything I can<br/> should do about it? Seems to me it could be serious, if someone has<br/> penetrated my server.<br/>
<br/>
A total of 4 possible successful probes were detected (the following<br/> URLs<br/>
contain strings that match one or more of a listing of strings that<br/> indicate a possible exploit):<br/>
<br/>
/?f=../../../../../../../../..<wbr/>/etc/passwd HTTP Response 200<br/>
/?file=../../../../../../../..<wbr/>/../etc/passwd HTTP Response 200<br/>
/?filename=../../../../../../.<wbr/>./../../etc/passwd HTTP<br/>
Response 200<br/>
/?id=../../../../../../../../.<wbr/>./etc/passwd HTTP Response<br/>
</blockquote><div><br/></div><div>If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords </div><div><br/></div><div>Check your httpd
config… seems odd that an old attack like this would still work. </div> </blockquote>If /etc/passwd still contains passwords in a usable format, you've asked to<p>be hacked for a long time.</p><p> </p><p>Assuming that the actual passwords are in /etc/shadow, you might still want to</p><p>take a look at changing the
usernames stored in /etc/passwd, because now the attacker</p><p>knows which accounts to target. </p><br/>
<p>account1:x:1023:1024:...:/home/account1:/bin/bash</p><p>account2:x:244:244:...:/home/account2:/sbin/nologin</p><p> </p><p>If I had to get into your system, I'd concentrate on account1, as it has an actual</p><p>login shell, which might be used by
a human, so it might even use an "easy" password.</p><p> </p><p>s.</p><p class="norm" style="font-size:11pt;"><br/></p><p class="norm" style="font-size:11pt;">
</p><p class="norm" style="font-size:11pt;"></p><p class="norm" style="font-size:11pt;"></p><p class="norm"><br/>
</p></body>
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)