Past exploits, new trend? [Attempted retrieval of /etc/passwd in httpd logs]

There isn’t precisely a flood of traffic on this site, so I occasionally take a gander through the logs. The webserver logs are invariably besought with a somnolent assortment of search engine crawls, spam postings, impotent security attacks, footling scans, and – if I’m lucky – a few “real” page views. Today amongst the clutter, I saw something of some meagre interest. Someone had tried what would at first glance seem an antiquated attack: trying to retrieve the /etc/passwd file, cf. Firewalls and Internet Security: Repelling the Wily Hacker; Cheswick & Bellovin. The appropriate line from my httpd log is as follows:

62.1.205.86 - - [26/Apr/2009:22:18:43 +0100] "GET //index.php?view=../../../../../../../../etc/passwd HTTP/1.0" 301 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070400 SUSE/3.0.1-0.1 Firefox/3.0.1"

(The PTR record for the IP being venus.marinet.gr.)

At first, I was quite amused; I thought that it was a refreshing change to see someone throwing an attack with at least a mien of intent, albeit out-dated by about a decade and probably scripted.

Indeed, if I had been running a very poorly configured httpd server it may have given the attacker the /etc/passwd file. Notwithstanding that, even if the attack had succeeded in retrieving the /etc/passwd file, they would have recovered no password hashes as I run FreeBSD; they are looking in the wrong place. They would also have to invert the ‘Blowfish’ password hashing scheme used in FreeBSD against a high entropy password. Finally, there is that minor peccadillo of not having a login service available to try the password against.

Aside from those minor complications, I thought the furtive little attempt rather cheeky, and had a chuckle. On closer inspection, however, I found another entry in my httpd logs:

66.249.70.42 - - [27/Apr/2009:00:28:08 +0100] "GET /?view=../../../../../../../../etc/passwd HTTP/1.1" 200 44729 "-" "Mediapartners-Google"

An IP which is apparently owned by none other than the mighty Google itself.  So, why in holy googlebot is Google trying to retrieve the /etc/passwd file? This I have taken with more than a small pinch of demur.
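As an added example (not code from the original post), here is a small Python scanner for httpd combined-format logs that flags traversal requests like the two above, percent-decodes the query so encoded variants are caught too, and records whether the server actually served a body. The sample log it runs over consists of the post's two entries plus constructed lines (the 10.0.0.x addresses and the double-encoded probe are made up).

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache/httpd "combined" format: host ident authuser [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SENSITIVE = ("/etc/passwd", "/etc/master.passwd", "/etc/shadow")  # usual targets of such probes

def traversal_value(target):
    """Return the decoded path or query value that looks like directory traversal, else None."""
    path, _, query = target.partition("?")
    candidates = [path] + [v for _, v in parse_qsl(query, keep_blank_values=True)]
    for raw in candidates:
        # decode twice so a double-encoded %252e%252e%252f normalises to ../ as well
        value = unquote(unquote(raw)).replace("\\", "/")
        if "../" in value or value.endswith(SENSITIVE):
            return value
    return None

def scan_log(lines):
    """Parse combined-format lines and report traversal attempts with how the server answered."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not combined format or a truncated line: skip rather than guess
        value = traversal_value(m["target"])
        if value is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "agent": m["agent"], "status": status, "decoded": value,
            # a 2xx with a body means something was served: verify what, rather than assume it was harmless
            "served": 200 <= status < 300 and m["size"] not in ("-", "0"),
        })
    return hits

# Constructed sample: the two lines from the post, a benign request, and a double-encoded probe.
SAMPLE_LOG = [
    '62.1.205.86 - - [26/Apr/2009:22:18:43 +0100] "GET //index.php?view=../../../../../../../../etc/passwd HTTP/1.0" 301 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008070400 SUSE/3.0.1-0.1 Firefox/3.0.1"',
    '66.249.70.42 - - [27/Apr/2009:00:28:08 +0100] "GET /?view=../../../../../../../../etc/passwd HTTP/1.1" 200 44729 "-" "Mediapartners-Google"',
    '10.0.0.5 - - [27/Apr/2009:01:00:00 +0100] "GET /index.php?view=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [27/Apr/2009:01:05:00 +0100] "GET /index.php?view=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 - "-" "curl/7.19.7"',
]
if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the Google line comes back with served set, since the 301 sent the first probe off elsewhere and the double-encoded one drew a 404.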

There are two possibilities:

i) Google is going on a hacking spree – an unlikely reason unless the development team are insufferably bored after all the excitement of taking over the world;

ii) there is some peculiar search engine magic brewing; perhaps there are a few malcontents out there submitting these URLs to Google to crawl.

In an attempt to discern the origin of this, I’d emailed Google’s security lot at the beginning of the week. In a blatant act of solecism, I have decided to post this now instead of waiting the mannerly week. In the meantime, if anybody has seen similar logs or knows what this is then please post a comment.

UPDATED 12th April 2010: Added [] extra meaning in title.
