[kwlug-disc] Identify this exploit?
Khalid Baheyeldin
kb at 2bits.com
Sat Dec 28 14:40:57 EST 2019
On Sat, Dec 28, 2019 at 2:33 PM Paul Nijjar wrote:
> So it is a generic attack and not a particular CVE they are trying to
> exploit?
It depends on a vulnerable component, in this case download.php which
was badly written or a PHP installation that was configured incorrectly.
> It is weird that they are choosing that particular number of
> traversals to get to /etc/passwd.
>
Probably guessing, based on common directory structures at hosting companies,
and maybe they will try various variations.
> I agree with Mikalai that the Internet is terrifying.
>
Absolutely terrifying! I have been saying this for several years. The number of
automated scripts that exploit various vulnerabilities is immense.
Things I do to minimize the risks:
- Install the minimum components required for your application(s) to run,
and nothing more
- Check the logs daily (I use logwatch, emailing a daily report per host).
- Block IP addresses trying to log in via SSH
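
Added example, not part of the original message: one way to make the daily log check catch the kind of request discussed in this thread, by flagging traversal sequences in query parameters and reporting their depth, including percent-encoded and double-encoded forms. The log lines are constructed, and the `file` parameter name and the combined log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (Apache combined format, documentation-range IPs).
# The "file" parameter name is an assumption; the thread only names download.php.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Dec/2019:14:01:10 -0500] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl/7.58.0"
203.0.113.7 - - [28/Dec/2019:14:01:11 -0500] "GET /download.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 210 "-" "curl/7.58.0"
198.51.100.23 - - [28/Dec/2019:14:02:40 -0500] "GET /download.php?file=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 404 210 "-" "-"
192.0.2.50 - - [28/Dec/2019:14:05:02 -0500] "GET /download.php?file=manual.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
"""

# Client IP, request target and status code from one combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')
# A ".." path segment delimited by "/" or "\" (or the string boundary).
DOTDOT_RE = re.compile(r'(?:^|[\\/])\.\.(?=[\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252f) is unmasked."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversals(log_text):
    """Return (ip, status, depth, decoded_value) for each traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        # parse_qsl decodes once; fully_decode handles any remaining layers.
        for _name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            depth = len(DOTDOT_RE.findall(value))
            if depth:
                hits.append((ip, status, depth, value))
    return hits

def needs_review(hits):
    """Traversal requests answered with 200 may have returned file contents."""
    return [h for h in hits if h[1] == 200]

if __name__ == "__main__":
    for ip, status, depth, value in find_traversals(SAMPLE_LOG):
        print(f"{ip} status={status} depth={depth} param={value!r}")
```

A hit with status 200 is the one to look at first, since it suggests the script served something for the traversal path rather than rejecting it.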