1 |
Montag, 28. Februar 2022 13:04: |
2 |
|
3 |
> On Monday, February 28, 2022, John Covici <covici@××××××××××.com> wrote: |
4 |
|
5 |
>> I got the following error this morning during my logwatch processing |
6 |
>> which I run daily and I would like to know if there is anything I can |
7 |
>> should do about it? Seems to me it could be serious, if someone has |
8 |
>> penetrated my server. |
9 |
|
10 |
>> A total of 4 possible successful probes were detected (the following |
11 |
>> URLs |
12 |
>> contain strings that match one or more of a listing of strings that |
13 |
>> indicate a possible exploit): |
14 |
|
15 |
>> /?f=../../../../../../../../../etc/passwd HTTP Response 200 |
16 |
>> /?file=../../../../../../../../../etc/passwd HTTP Response 200 |
17 |
>> /?filename=../../../../../../../../../etc/passwd HTTP |
18 |
>> Response 200 |
19 |
>> /?id=../../../../../../../../../etc/passwd HTTP Response |
20 |
|
21 |
> If you put that url in a browser does it show your passwd file? I assume because the logs say 200 it will. If so shut down the httpd and reset all the passwords |
22 |
|
23 |
> Check your httpd config… seems odd that an old attack like this would still work. If /etc/passwd still contains passwords in a usable format, you've asked to |
24 |
be hacked for a long time. |
25 |
|
26 |
Assuming that the actual passwords are in /etc/shadow, you might still want to |
27 |
take a look at changing the usernames stored in /etc/passwd, because now the attacker |
28 |
knows which accounts to target. |
29 |
|
30 |
account1:x:1023:1024:...:/home/account1:/bin/bash |
31 |
account2:x:244:244:...:/home/account2:/sbin/nologin |
32 |
|
33 |
If I had to get into your system, I'd concentrate on account1, as it has an actual |
34 |
login shell, which might be used by a human, so it might even use an "easy" password. |
35 |
|
36 |
s. |