| 1 |
Montag, 28. Februar 2022 13:04: |
| 2 |
|
| 3 |
> On Monday, February 28, 2022, John Covici <covici@××××××××××.com> wrote: |
| 4 |
|
| 5 |
>> I got the following error this morning during my logwatch processing |
| 6 |
>> which I run daily and I would like to know if there is anything I can |
| 7 |
>> should do about it? Seems to me it could be serious, if someone has |
| 8 |
>> penetrated my server. |
| 9 |
|
| 10 |
>> A total of 4 possible successful probes were detected (the following |
| 11 |
>> URLs |
| 12 |
>> contain strings that match one or more of a listing of strings that |
| 13 |
>> indicate a possible exploit): |
| 14 |
|
| 15 |
>> /?f=../../../../../../../../../etc/passwd HTTP Response 200 |
| 16 |
>> /?file=../../../../../../../../../etc/passwd HTTP Response 200 |
| 17 |
>> /?filename=../../../../../../../../../etc/passwd HTTP |
| 18 |
>> Response 200 |
| 19 |
>> /?id=../../../../../../../../../etc/passwd HTTP Response |
| 20 |
|
| 21 |
> If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords |
| 22 |
|
| 23 |
> Check your httpd config… seems odd that an old attack like this would still work. If /etc/passwd still contains passwords in a usable format, you've asked to |
| 24 |
be hacked for a long time. |
| 25 |
|
| 26 |
Assuming that the actual passwords are in /etc/shadow, you might still want to |
| 27 |
take a look at changing the usernames stored in /etc/passwd, because now the attacker |
| 28 |
knows which accounts to target. |
| 29 |
|
| 30 |
account1:x:1023:1024:...:/home/account1:/bin/bash |
| 31 |
account2:x:244:244:...:/home/account2:/sbin/nologin |
| 32 |
|
| 33 |
If I had to get into your system, I'd concentrate on account1, as it has an actual |
| 34 |
login shell, which might be used by a human, so it might even use an "easy" password. |
| 35 |
|
| 36 |
s. |
Archives