[kwlug-disc] Identify this exploit?

Paul Nijjar paul_nijjar at yahoo.ca
Sat Dec 28 14:33:33 EST 2019


So it is a generic attack and not a particular CVE they are trying to
exploit? It is weird that they are choosing that particular number of
traversals to get to /etc/passwd. 

I agree with Mikalai that the Internet is terrifying. I am not LXCing
all the things, but maybe that is the way to go. I am still not
certain how this protects me, though, since every LXC container is a
nice Linux target that needs to be kept updated on its own.

- Paul

On Sat, Dec 28, 2019 at 09:17:22AM -0500, CrankyOldBugger wrote:
> It looks like a path traversal attack:
> https://www.geeksforgeeks.org/path-traversal-attack-prevention/
> 
> 
> On Sat, 28 Dec 2019 at 01:50, Paul Nijjar via kwlug-disc <
> kwlug-disc at kwlug.org> wrote:
> 
> > In my Apache logs I saw something like this, and my search-engine
> > skills are weak:
> >
> > 133.18.209.124 - - [27/Dec/2019:04:09:39 -0500] "GET
> > /download.php?file=../../../../../../../../../../../../etc/passwd HTTP/1.1"
> > 404 209 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0)
> > Gecko/20100101 Firefox/62.0"
> >
> > It's pretty obvious what they are trying to do, but I am having
> > trouble figuring out what the target is, exactly. Is this an exploit
> > in a popular web package I should know about?
> >
> > - Paul
> >
> > --
> > Get tech event listings: https://off-topic.kwlug.org/watcamp
> > Blog: http://pnijjar.freeshell.org
> >
> > _______________________________________________
> > kwlug-disc mailing list
> > kwlug-disc at kwlug.org
> > http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
> >



-- 
Get tech event listings: https://off-topic.kwlug.org/watcamp
Blog: http://pnijjar.freeshell.org
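
A log check for the kind of request discussed in this thread, as an added example that is not part of the original messages: it parses Apache combined-format lines, counts the `..` segments in the path and in each query parameter, and reports whether the server answered with a 2xx. It goes slightly beyond the single entry quoted above by also unwrapping nested percent-encoding and backslash separators; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# A ".." segment bounded by a slash/backslash or the start/end of the value.
DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?=[\\/]|$)')

# Constructed sample lines (documentation IP ranges), modelled on the thread's entry.
SAMPLE = [
    '203.0.113.5 - - [27/Dec/2019:04:09:39 -0500] "GET /download.php?file='
    + "../" * 12 + 'etc/passwd HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.5 - - [27/Dec/2019:04:09:41 -0500] "GET /download.php?file='
    '%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1532 "-" "-"',
    '198.51.100.7 - - [27/Dec/2019:05:00:00 -0500] "GET /download.php?file='
    'report..final.pdf HTTP/1.1" 200 5120 "-" "-"',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e), at most max_rounds times."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(line):
    """Return details of a traversal attempt in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Inspect the URL path and every query parameter value (already decoded once).
    candidates = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    for name, raw in candidates:
        value = fully_decode(raw)
        depth = len(DOTDOT.findall(value))
        if depth:
            return {"host": m.group("host"), "param": name, "depth": depth,
                    "tail": re.sub(r'^(?:\.\.[\\/])+', "/", value),
                    # A 2xx status means something was served: look closer.
                    "status": int(m.group("status")),
                    "served": m.group("status").startswith("2")}
    return None

if __name__ == "__main__":
    print(*map(find_traversal, SAMPLE), sep="\n")
```

A hit with a 404, like the one quoted in the thread, means the requested script was not there; a hit with `served` set is the one to check against the application's file handling.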



