In the logwatch email I got the following.

--------------------- httpd Begin ------------------------
A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
/?2aCxoellA5ZJNBlKL4HbrMZhrdW=../../../../../../../../etc/passwd&2aCxoellA5ZJNBlKL4HbrMZhrdW=1%20and%20updatexml(1,concat(0x7e,(select%20md5(73249))),1) HTTP Response 200
---------------------- httpd End -------------------------

How to decode the above? What is it doing? Need advice.
A cracker tried to access the file /etc/passwd by issuing those requests. By going towards the root of the file system with ../ and ../../ etc., he or she tries to find the /etc/passwd file. The passwd file has usernames, so further cracking activities would target those usernames. It fails though, at least if you have jailed the website, since the jail does not have the real /etc/passwd file. I believe if you have set up ISPConfig the usual way, the passwd file cannot be accessed via the website even if a jail is not used. Your server probably gets these all the time; perhaps you just now installed logwatch or happened to notice this. Old discussion: https://forum.howtoforge.com/threads/possible-successful-probes-etc-passwd.79487/
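As an added example (not from the original thread), a small Python script that percent-decodes the logged request and flags its two query values the way a defender reviewing the log would: the first for climbing out of the web root with ../ segments, the second for matching a signature list of SQL functions. The web root path and the signature list are constructed for illustration, not taken from logwatch or ISPConfig.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the request path quoted in the logwatch report above.
SAMPLE_REQUEST = (
    "/?2aCxoellA5ZJNBlKL4HbrMZhrdW=../../../../../../../../etc/passwd"
    "&2aCxoellA5ZJNBlKL4HbrMZhrdW=1%20and%20updatexml(1,concat(0x7e,(select%20md5(73249))),1)"
)

# Assumed document root of the vhost; only used to test whether a value climbs out of it.
WEBROOT = "/var/www/example/web"

# Hand-picked signature list (assumed, not logwatch's own): MySQL functions that
# typically appear in injection probes, followed by an opening parenthesis.
SQL_SIGNATURES = re.compile(r"\b(updatexml|extractvalue|benchmark|sleep)\s*\(", re.I)


def decode_query(request):
    """Percent-decode the query string into (name, value) pairs, keeping duplicate names."""
    return parse_qsl(urlsplit(request).query, keep_blank_values=True)


def escapes_webroot(value, webroot=WEBROOT):
    """True if the value, treated as a relative path under the web root, resolves
    outside it once the '..' segments are collapsed (a directory traversal attempt)."""
    resolved = posixpath.normpath(posixpath.join(webroot, value.lstrip("/")))
    return resolved != webroot and not resolved.startswith(webroot + "/")


def classify(request):
    """Return (parameter, decoded value, finding) for each suspicious query value."""
    findings = []
    for name, value in decode_query(request):
        if escapes_webroot(value):
            findings.append((name, value, "path traversal"))
        elif SQL_SIGNATURES.search(value):
            findings.append((name, value, "sql injection probe"))
    return findings


if __name__ == "__main__":
    for name, value, finding in classify(SAMPLE_REQUEST):
        print(f"{finding}: {name}={value}")
```

An HTTP 200 in the log only means the front page answered; whether the parameter was ever used as a file path or in a query depends on the application, so check the vhost's access and error logs for that request before assuming anything was read.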
Thank you very much for the advice and link. Phew!!! Sigh of relief. I was stressed out and your reply was really helpful for me.