Snort-alerts/WEB-MISC-etc-password
Jump to navigation
Jump to search
WEB-MISC /etc/passwd
Identification
| Id | 1122 |
|---|---|
| Alert | WEB-MISC /etc/passwd |
| Classification | attempted-recon |
Trigger
The passwd file usually found in the /etc/ directory on UNIX based systems, contains login information for users of a host. If shadow password files are not being used, an attacker could obtain valid login information for the system by using widely available password cracking tools on the file.
The file may also be used to garner information that may be used in brute force password guessing attacks against the host.
Affected systems
All UNIX based systems running a Web Server.
Impact
Information gathering.
False positives
None known.
Scenario
The attacker can make a standard HTTP request that contains '/etc/passwd' in the URI.
Example
An access to http://www.site.com/?path=../../../etc/passwd triggers following alert:
[**] [1:1122:6] WEB-MISC /etc/passwd [**] [Classification: Attempted Information Leak] [Priority: 2] 09/19-13:32:59.035764 70.87.***.***:48000 -> 192.168.***.**:80 TCP TTL:49 TOS:0x0 ID:38100 IpLen:20 DgmLen:444 DF ***AP*** Seq: 0xDD6986A0 Ack: 0x6EE8A73D Win: 0x16D0 TcpLen: 32 TCP Options (3) => NOP NOP TS: 579932765 15698594
Corrective actions
- Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This file may also be requested on a command line should the attacker gain access to the machine. Making the file read only by the superuser on the system will
disallow viewing of the file by other users.
- For even more security, you could also chroot-jail your web server. See http://www.faqs.org/docs/securing/chap29sec254.html for more information on chrooting Apache.