Someone Tried to Steal Some Passwords

Over the last few days, a deluge of Perl-based code-injection hacking attempts has been made on this website. Most of them are more of the same old attacks that I have documented previously. However, one particularly insistent user-agent made an attempt to get the password file on the server. Have a look at the following two log entries:

74.53.70.114 - - [22/Aug/2008:14:17:38 -0400] "GET //templater.php?config[template]=/../../../../../../../../etc/passwd HTTP/1.1" 404 8497 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"
74.53.70.114 - - [22/Aug/2008:14:17:38 -0400] "GET /website-hacking-attempts//templater.php?config[template]=/../../../../../../../../etc/passwd HTTP/1.1" 404 52182 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)"

Any experienced Linux user should recognize /etc/passwd as the file in which passwords are kept. Whilst passwords in this file are encrypted, it is still possible to extract them using various techniques, with weak passwords being easier to crack than strong ones. Thus, it would have been bad if the attacker had succeeded in obtaining the passwords file.

For those not familiar with using the console, "../" is a common method of accessing the parent directory of the one that you are currently in. For example, let us say that a website's files were stored in /webserver/site1. A script running in that directory could access /webserver either via "/webserver", or via "../". The advantage of this is that files can be accessed relative to the current position; as a result, if the system administrator were to move the webserver directory to, say, /local/webserver, these file/directory accesses would still work.

What the exploit above is attempting to achieve is to get the web-server to step back to the root directory (i.e., the "/../../../../../../../../"), and then access /etc/passwd. This is a known exploit for TinyCMS. The date on the page listing the exploit is 21 August; two days ago. A new version of TinyCMS was released the day after, which hopefully patches this vulnerability.

Note that the access to passwd could still fail if file permissions are set properly, and/or the webserver prevents accessing files outside the webserver directory. Nevertheless, this is a serious vulnerability. TinyCMS users, I think that it is time for an update.
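
One way to flag requests like the two above in an access log, as an added example that is not part of the original post: it parses each combined-format line, decodes the query parameters, and reports any value containing a ".." path segment together with the response status. The function names and the 192.0.2.x log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Apache combined log format: host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# ".." as a whole path segment, with / or \ as the separator
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so values encoded more than once are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(line):
    """Return details of a traversal attempt in a query parameter, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m["target"].partition("?")[2]
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if TRAVERSAL_RE.search(value):
            status = int(m["status"])
            # A 2xx status means the server returned content: triage those first.
            return {"ip": m["ip"], "param": name, "value": value,
                    "status": status, "served": 200 <= status < 300}
    return None

SAMPLE_LOG = [
    # The two entries quoted in the post.
    '74.53.70.114 - - [22/Aug/2008:14:17:38 -0400] "GET //templater.php?config[template]=/../../../../../../../../etc/passwd HTTP/1.1" 404 8497 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0"',
    '74.53.70.114 - - [22/Aug/2008:14:17:38 -0400] "GET /website-hacking-attempts//templater.php?config[template]=/../../../../../../../../etc/passwd HTTP/1.1" 404 52182 "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSN 2.5; Windows 98)"',
    # Constructed: the value as it looks in a log when the client percent-encodes it.
    '192.0.2.10 - - [22/Aug/2008:14:20:01 -0400] "GET /templater.php?config[template]=%2E%2E%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "-"',
    # Constructed: ordinary request whose value contains dots but no ".." segment.
    '192.0.2.11 - - [22/Aug/2008:14:21:07 -0400] "GET /download.php?file=report.v1..final.pdf HTTP/1.1" 200 1024 "-" "-"',
]

def scan(lines):
    return [hit for hit in map(find_traversal, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Both entries from the post are reported with status 404 and "served" false, meaning the requested script did not exist on this server; a hit with a 2xx status is the one that needs immediate investigation.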



Comments

  • OMG why are there people out there like that who only desire to cause problems for others. Jerks.

    RD
    http://useurl.us/126

    Posted by Jim Jones, 23/08/2008 10:52am (6 years ago)
