OSSEC gave me this warning (I've obfuscated the hostname and IP address):
Code:
Received From: (hostname) xxx.xxx.xx.xx->/var/log/apache2/access.log
Rule: 31106 fired (level 12) -> "A web attack returned code 200 (success)."
Portion of the log(s):
66.71.245.177 - - [05/Mar/2010:22:10:56 -0500] "GET /?C=../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 738 "-" "-"
From what I can tell, this suggests that someone was able to wget the /etc/passwd file, but I'm not entirely sure if that's true or where to go from here. If anyone could offer any tips on what this means or how to go about investigating this issue further, I'd be really grateful.
The machine in question runs Ubuntu 8.04.
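One way to check what that 200 actually carried, as an added example that is not part of the original post: it flags traversal-style requests in an Apache combined-format log and compares each response size with the sizes the same path returns for ordinary requests. The second sample line is constructed, and the function names are illustrative.

```python
import re
from urllib.parse import unquote, urlsplit
# Apache combined format: host ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# First line is from the alert above; the second is a constructed baseline hit.
SAMPLE = [
    '66.71.245.177 - - [05/Mar/2010:22:10:56 -0500] "GET /?C=../../../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 738 "-" "-"',
    '192.0.2.10 - - [05/Mar/2010:21:58:03 -0500] "GET / HTTP/1.1" 200 738 "-" "Mozilla/5.0"',
]

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = urlsplit(rec["target"]).path  # path without the query string
    return rec

def is_traversal(target):
    decoded = unquote(unquote(target))  # second pass catches double encoding
    return "../" in decoded or "..\\" in decoded or "\x00" in decoded

def triage(lines):
    records = [r for r in map(parse, lines) if r]
    # Baseline: sizes of 200 responses to ordinary requests, keyed by path.
    baseline = {}
    for r in records:
        if r["status"] == "200" and not is_traversal(r["target"]):
            baseline.setdefault(r["path"], set()).add(r["size"])
    findings = []
    for r in records:
        if not is_traversal(r["target"]):
            continue
        if r["status"] != "200":
            verdict = "rejected"
        elif r["size"] in baseline.get(r["path"], set()):
            verdict = "same size as normal page"
        else:
            verdict = "size differs, inspect response"
        findings.append((r["host"], r["target"], r["size"], verdict))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A matching size only indicates that the server returned its usual page for that path; the access log does not record response bodies, so a differing size needs a replay against a test copy or a comparison with the size of the file named in the request.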