From aldeid
Jump to navigation Jump to search

WEB-MISC /etc/passwd


Id 1122
Alert WEB-MISC /etc/passwd
Classification attempted-recon


The passwd file usually found in the /etc/ directory on UNIX based systems, contains login information for users of a host. If shadow password files are not being used, an attacker could obtain valid login information for the system by using widely available password cracking tools on the file.

The file may also be used to garner information that may be used in brute force password guessing attacks against the host.

Affected systems

All UNIX based systems running a Web Server.


Information gathering.

False positives

None known.


The attacker can make a standard HTTP request that contains '/etc/passwd' in the URI.


An access to triggers following alert:

[**] [1:1122:6] WEB-MISC /etc/passwd [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/19-13:32:59.035764 70.87.***.***:48000 -> 192.168.***.**:80
TCP TTL:49 TOS:0x0 ID:38100 IpLen:20 DgmLen:444 DF
***AP*** Seq: 0xDD6986A0  Ack: 0x6EE8A73D  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 579932765 15698594

Corrective actions

  • Webservers should not be allowed to view or execute files and binaries outside of it's designated web root or cgi-bin. This file may also be requested on a command line should the attacker gain access to the machine. Making the file read only by the superuser on the system will

disallow viewing of the file by other users.