[kwlug-disc] Identify this exploit?

Khalid Baheyeldin kb at 2bits.com
Sat Dec 28 14:40:57 EST 2019


On Sat, Dec 28, 2019 at 2:33 PM Paul Nijjar wrote:

> So it is a generic attack and not a particular CVE they are trying to
> exploit?


It depends on a vulnerable component, in this case download.php which
was badly written or a PHP installation that was configured incorrectly.

> It is weird that they are choosing that particular number of
> traversals to get to /etc/passwd.

Probably guessing, based on common directory structures at hosting company,
and maybe they will try various variations.

> I agree with Mikalai that the Internet is terrifying.

Absolutely terrifying! I have been saying this for several years. The
number of automated scripts that exploit various vulnerabilities is immense.

Things I do to minimize the risks:

- Install the minimum components required for your application(s) to run,
and nothing more
- Check the logs daily (I use logwatch, emailing a daily report per host).
- Block IP addresses trying to log in via SSH
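Two points in the reply lend themselves to a worked illustration: the "badly written download.php" that lets `../` sequences reach `/etc/passwd`, and the habit of checking logs daily. The block below is an added example, not code from the list or from any real download.php; it shows the naive path-joining pattern beside a hardened containment check, plus a small triage helper that flags traversal attempts in request lines. The download root path and the sample request strings are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed: the directory a download handler is meant to serve from.
DOWNLOAD_ROOT = "/var/www/site/downloads"


def naive_path(filename: str) -> str:
    """The flawed pattern: glue user input onto a base directory.
    Each '../' walks one level up, so with enough of them the result
    lands on a file outside DOWNLOAD_ROOT. The number needed depends on
    how deep the root sits, which is why probes vary the count."""
    return os.path.normpath(os.path.join(DOWNLOAD_ROOT, filename))


def safe_path(filename: str) -> Optional[str]:
    """Hardened check: resolve the candidate path (symlinks included) and
    require that it still lies inside the resolved DOWNLOAD_ROOT.
    Returns the resolved path, or None when the request escapes."""
    root = os.path.realpath(DOWNLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, filename))
    # commonpath rather than str.startswith: a plain prefix test would
    # wrongly accept a sibling such as '/var/www/site/downloads-private'.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def looks_like_traversal(request_target: str) -> bool:
    """Log triage helper for the daily log check: True when the request
    target contains '../' after repeated URL decoding, which also catches
    %2e%2e%2f and double-encoded %252e%252e%252f variants."""
    decoded = request_target
    for _ in range(3):  # bounded: stop once decoding no longer changes it
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    decoded = decoded.replace("\\", "/")
    return "../" in decoded


if __name__ == "__main__":
    probe = "../../../../etc/passwd"
    print("naive:", naive_path(probe))   # escapes the download root
    print("safe :", safe_path(probe))    # None: request refused
    print("log  :", looks_like_traversal("/download.php?file=..%2f..%2fetc%2fpasswd"))
```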