Gentoo Archives: gentoo-user

From: Adam Carter <adamcarter3@×××××.com>
To: "gentoo-user@l.g.o" <gentoo-user@l.g.o>
Subject: Re: [gentoo-user] strange errors in http log, what can/should I do about it.
Date: Mon, 28 Feb 2022 12:04:19
Message-Id: CAC=wYCHYBxx-_vtmDh-iD3-Lmia3CMV3LDk7GB69kSQYTsLcUA@mail.gmail.com
In Reply to: [gentoo-user] strange errors in http log, what can/should I do about it. by John Covici
On Monday, February 28, 2022, John Covici <covici@××××××××××.com> wrote:

> I got the following error this morning during my logwatch processing
> which I run daily and I would like to know if there is anything I can or
> should do about it? Seems to me it could be serious, if someone has
> penetrated my server.
>
> A total of 4 possible successful probes were detected (the following URLs
> contain strings that match one or more of a listing of strings that
> indicate a possible exploit):
>
> /?f=../../../../../../../../../etc/passwd HTTP Response 200
> /?file=../../../../../../../../../etc/passwd HTTP Response 200
> /?filename=../../../../../../../../../etc/passwd HTTP Response 200
> /?id=../../../../../../../../../etc/passwd HTTP Response
>

If you put that URL in a browser does it show your passwd file? I assume
because the logs say 200 it will. If so, shut down the httpd and reset all
the passwords.

Check your httpd config… seems odd that an old attack like this would still
work.
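
A log-side triage of the probes discussed above, as an added example that is not part of the original post: it compares the response size of each 200-status traversal probe with the size the same path returns for ordinary requests. The log lines, the `/view.php` path and the "same size means the parameter was probably ignored" heuristic are assumptions made for illustration; fetching the URL remains the definitive check.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format (not from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Feb/2022:03:11:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [28/Feb/2022:03:12:40 +0000] "GET /?f=../../../../../../../../../etc/passwd HTTP/1.1" 200 5120 "-" "curl/7.79"
203.0.113.9 - - [28/Feb/2022:03:12:41 +0000] "GET /?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 5120 "-" "curl/7.79"
203.0.113.9 - - [28/Feb/2022:03:12:42 +0000] "GET /view.php?id=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1874 "-" "curl/7.79"
203.0.113.9 - - [28/Feb/2022:03:12:43 +0000] "GET /?filename=../../etc/passwd HTTP/1.1" 404 196 "-" "curl/7.79"
"""

LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def is_traversal(query):
    decoded = unquote(unquote(query))  # catch single and double URL-encoding
    return "../" in decoded or "..\\" in decoded

def triage(log_text):
    entries = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        size = 0 if m["size"] == "-" else int(m["size"])
        entries.append((parts.path, parts.query, int(m["status"]), size))
    # Baseline: body sizes each path returns for ordinary (non-probe) 200 responses.
    baseline = {}
    for path, query, status, size in entries:
        if status == 200 and not is_traversal(query):
            baseline.setdefault(path, set()).add(size)
    findings = []
    for path, query, status, size in entries:
        if not is_traversal(query):
            continue
        if status != 200:
            verdict = "rejected"            # server refused the request
        elif size in baseline.get(path, ()):
            verdict = "same-as-baseline"    # body matches the normal page
        else:
            verdict = "review"              # different body or no baseline: inspect
        findings.append((path + "?" + query, status, size, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
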
