Possible scan in the logs

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Dec 30, 2023.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    In the logwatch email I got the following.
    --------------------- httpd Begin ------------------------
    A total of 1 possible successful probes were detected (the following URLs
    contain strings that match one or more of a listing of strings that
    indicate a possible exploit):

    /?2aCxoellA5ZJNBlKL4HbrMZhrdW=../../../../../../../../etc/passwd&2aCxoellA5ZJNBlKL4HbrMZhrdW=1%20and%20updatexml(1,concat(0x7e,(select%20md5(73249))),1) HTTP Response 200
    ---------------------- httpd End -------------------------
    How to decode the above?
    What is it doing?
    Need advice.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Cracker tried to access file /etc/passwd by issuing those commands. By going towards root of file system with ../ and ../../ etc, he or she tries to find the /etc/passwd file. The passwd file has usernames, so further cracking activities would target those usernames.
    It fails though, at least if you have jailed the website since the jail does not have the real /etc/passwd file. I believe if you have set ISPConfig the usual way, passwd file can not be accessed via the website even if jail is not used.
    Your server probably gets these all the time, perhaps you just now installed logwatch or happened to notice this.
    Old discussion: https://forum.howtoforge.com/threads/possible-successful-probes-etc-passwd.79487/
     
    pvanthony likes this.
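
Added example (not part of any forum post, and not logwatch's own code): a short Python triage of the request line quoted in the first post, which URL-decodes the two parameters and labels what each one probes for. The `triage` helper and the signature patterns are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line copied from the logwatch report quoted in the first post.
LOGGED = ("/?2aCxoellA5ZJNBlKL4HbrMZhrdW=../../../../../../../../etc/passwd"
          "&2aCxoellA5ZJNBlKL4HbrMZhrdW=1%20and%20updatexml(1,concat(0x7e,"
          "(select%20md5(73249))),1) HTTP Response 200")

# Illustrative signatures chosen for this example; not logwatch's own list.
SIGNATURES = {
    "path traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "SQL injection": re.compile(r"\b(updatexml|extractvalue)\s*\(|\bselect\b", re.I),
}

def triage(entry):
    """Split a logwatch probe entry into decoded parameters and matched signatures."""
    m = re.fullmatch(r"(?P<target>\S+) HTTP Response (?P<status>\d{3})", entry.strip())
    if not m:
        raise ValueError("not a logwatch probe entry")
    url = urlsplit(m["target"])
    params = []
    # parse_qsl percent-decodes each value (%20 becomes a space) and keeps
    # repeated parameter names, which this request relies on.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        hits = [label for label, rx in SIGNATURES.items() if rx.search(value)]
        params.append({"param": name, "value": value, "matches": hits})
    # The status belongs to the requested path ("/" here); on its own it does
    # not show that any file content or database output was returned.
    return {"path": url.path, "status": int(m["status"]), "params": params}

if __name__ == "__main__":
    report = triage(LOGGED)
    print("path:", report["path"], "status:", report["status"])
    for p in report["params"]:
        print(f"  {p['param']} = {p['value']!r} -> {', '.join(p['matches']) or 'no match'}")
```

The same random-looking parameter name is sent twice: once with the `../` sequence aimed at `/etc/passwd`, and once with a MySQL `updatexml(...)` expression wrapping `md5(73249)`, a fixed marker a scanner can look for in an error message.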
  3. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Thank you very much for the advice and link.
    Phew!!! Sigh of relief.
    I was stressed out and your reply was really helpful for me.
     
