Crack attempt trying to grab the passwd file
Hello --
One of our servers was subjected to a crack attempt that tried to grab the /etc/passwd file. The file does not appear to have been touched due to the timestamp on the file not being of a recent date. However, just to make sure, I wanted to know if there are other tests that can be done to verify this. One thought that I had was the following: The server is regularly backed up, and I could do a restore of an older version of the passwd file to a temporary directory. Once there, the diff command could be used to compare the two files. |
You could compare, but with the timestamps more than likely nothing was modified. However, the timestamps won't tell you if it was read successfully by the request, which would give the cracker the list of user accounts set up on the server. The /etc/passwd file is world readable by default so it could be read by any other user that attempted to get it. Wikipedia has some info on this type of attack: http://en.wikipedia.org/wiki/Directory_traversal_attack
You can do some searching on how to prevent this, but it's usually only prevented with input sanitization done at the web server level. |
Quote:
Being as verbose as possible would be appreciated. |
Hello --
I was informed of the attack via e-mail from our Information Security team. The text of the e-mail is shown below: Quote:
|
Changing passwords now and often may help.
Not sure how much a modern Linux distro's file is even vulnerable to a common hacker. |
You have the event date and time. Look at your Apache error and access logs for a query that contains passwd and, or shadow, probably with a bunch of ../../ in it. Normally, a user should not be able to browse outside of the document path, but it is prudent to see if access to this file were gained.
|
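An added example (not code from any post in this thread) of the log check the reply above describes: a Python script that parses Apache combined-format access log lines, percent-decodes the request target repeatedly so that encoded and double-encoded ../ sequences are caught, and flags requests that contain traversal sequences or name /etc/passwd or /etc/shadow, reporting the status code and response size, which is what tells you whether the server refused the request or answered it. The log lines are constructed sample data, and the combined log format and the "2xx with a body means something was served" heuristic are assumptions about a typical Apache setup.

```python
import re
from urllib.parse import unquote

# Constructed sample of Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2012:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2012:14:02:13 -0500] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1" 404 221 "-" "curl/7.21"
203.0.113.5 - - [10/May/2012:14:02:15 -0500] "GET /images/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 403 199 "-" "curl/7.21"
203.0.113.5 - - [10/May/2012:14:02:17 -0500] "GET /download.php?path=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 200 1432 "-" "curl/7.21"
198.51.100.9 - - [10/May/2012:14:05:00 -0500] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: host ident user [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')          # ../ or ..\ after decoding
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)')    # the files this thread is about


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e%252f
    (double-encoded ../) is seen the same way a sloppy application would see it."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Return a dict of the fields we care about, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    entry['size'] = 0 if entry['size'] == '-' else int(entry['size'])
    entry['decoded'] = fully_decode(entry['target'])
    return entry


def classify(entry):
    """Flag a parsed entry if its decoded target looks like a traversal attempt
    or names a sensitive file; None otherwise."""
    decoded = entry['decoded']
    traversal = bool(TRAVERSAL_RE.search(decoded))
    sensitive = SENSITIVE_RE.search(decoded)
    if not (traversal or sensitive):
        return None
    return {
        'ip': entry['ip'],
        'ts': entry['ts'],
        'target': entry['target'],
        'decoded': decoded,
        'status': entry['status'],
        'size': entry['size'],
        'file': sensitive.group(0) if sensitive else None,
        # Heuristic (assumption): a 2xx with a non-empty body is the case to
        # investigate; 403/404 means the server refused or could not find the path.
        'likely_served': 200 <= entry['status'] < 300 and entry['size'] > 0,
    }


def scan(log_text):
    """Scan raw log text and return the list of flagged requests in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


if __name__ == '__main__':
    for h in scan(SAMPLE_LOG):
        verdict = 'LIKELY SERVED' if h['likely_served'] else 'refused/not found'
        print(f"{h['ts']} {h['ip']} {h['status']} {h['size']:>6} {verdict}: {h['decoded']}")
```

Feed it the real access_log (and check error_log for the same time window as well, since a rejected path often shows up there rather than as a 200). A 2xx in the access log only proves the application answered with something; confirming that the body was actually the file contents means reproducing the request against a copy of the application in a test environment, not against production.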
//Also don't forget the recent CVE-2012-1823.
|