On Monday, February 28, 2022, John Covici <covici@××××××××××.com> wrote:

> I got the following error this morning during my logwatch processing
> which I run daily and I would like to know if there is anything I
> should do about it? Seems to me it could be serious, if someone has
> penetrated my server.
>
> A total of 4 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> /?f=../../../../../../../../../etc/passwd HTTP Response 200
> /?file=../../../../../../../../../etc/passwd HTTP Response 200
> /?filename=../../../../../../../../../etc/passwd HTTP Response 200
> /?id=../../../../../../../../../etc/passwd HTTP Response
>

If you put that URL in a browser does it show your passwd file? I assume
because the logs say 200 it will. If so shut down the httpd and reset all
the passwords.

Check your httpd config… seems odd that an old attack like this would still
work.
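
One way to triage the logwatch hits above from the access log itself, as an added example that is not part of the original thread. It assumes the Apache "combined" log format and uses constructed sample lines; it compares the response size of each flagged request with the size the server returns for the same path without a query string, since an identical size suggests the parameter was ignored and the normal page was served.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed Apache "combined" log format; adjust to the server's LogFormat.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample lines (documentation IP ranges, made-up sizes).
SAMPLE_LOG = """\
198.51.100.7 - - [28/Feb/2022:03:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Feb/2022:04:40:10 +0000] "GET /?f=../../../../../../../../../etc/passwd HTTP/1.1" 200 5120 "-" "scanner"
203.0.113.9 - - [28/Feb/2022:04:40:11 +0000] "GET /?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1873 "-" "scanner"
203.0.113.9 - - [28/Feb/2022:04:40:12 +0000] "GET /?id=../../../etc/passwd HTTP/1.1" 404 196 "-" "scanner"
"""

def parse(log_text):
    """Yield (ip, split_url, status, size) for every line that parses."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = 0 if m["size"] == "-" else int(m["size"])
            yield m["ip"], urlsplit(m["target"]), int(m["status"]), size

def triage(log_text):
    entries = list(parse(log_text))
    # Sizes returned with status 200 for each path when no query string is sent.
    baseline = {}
    for _, url, status, size in entries:
        if status == 200 and not url.query:
            baseline.setdefault(url.path, set()).add(size)
    findings = []
    for ip, url, status, size in entries:
        # parse_qsl percent-decodes values, so ..%2f is caught as well as ../
        values = [v for _, v in parse_qsl(url.query, keep_blank_values=True)]
        if not any(TRAVERSAL_RE.search(v) for v in values):
            continue
        if status != 200:
            verdict = "rejected"
        elif size in baseline.get(url.path, ()):
            verdict = "same-as-baseline"      # same size as the plain page
        else:
            verdict = "size-differs-review"   # inspect this response by hand
        findings.append((ip, url.geturl(), status, size, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A "same-as-baseline" verdict is a hint, not proof; a "size-differs-review" hit is the one to follow up by checking what the application actually returned for that request.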