[Snort-sigs] SID 1122

Warchild warchild at ...288...
Tue Mar 12 19:29:02 EST 2002

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC /etc/passwd"; flags: A+; content:"/etc/passwd"; nocase; classtype:attempted-recon; sid:1122; rev:1;)


Part of the communication between a remote machine and your webserver
contained the string /etc/passwd.

This generally indicates an attempt to get the contents of the
/etc/passwd file on a *NIX system.  If successful, valuable
information regarding user credentials may be disclosed.  In a more
extreme case (where shadowed passwds are not in use), it may be
possible for an attacker to get the encrypted passwd fields and
potentially gain access to the system. 

Detailed Information:
The /etc/passwd file contains information regarding login credentials
for users of a *NIX system.  Snort detected the string '/etc/passwd'
as part of the communication from a remote machine to your webserver.
This could indicate an attempt to exploit vulnerable web applications or
weak cgi scripts.  Successful capture of this file could lead to
valuable information disclosure about your system and give an attacker
a number of new avenues to attack your system from.

Attack Scenarios:
As part of either an information gathering mission or a flat-out
attack against your webserver, an attacker may attempt to gain access
to your passwd file.  This can be done any number of ways, most
commonly by exploiting poorly written web applications or cgi scripts.
Alternatively, an attacker may attack the webserver itself and attempt
to exploit flaws in its design -- this may include directory
traversals, unicoding, and others.

Ease of Attack:
Medium.  Many tools that are readily available carry an arsenal of
common ways of getting at /etc/passwd.  Some of the most common tools
include whisker (rfp), retina (eeye), nessus, and good old lynx.

False Positives:
Few, if any.  This particular string is rarely seen as part of a
request to a webserver, and if it is, the majority of the time it is
malicious in nature.  A few known exceptions include 'man-cgi' by
Panagiotis J. Christias and other web frontends to man pages -- it is
not uncommon for people to request help for /etc/passwd.

False Negatives:

Corrective Action:
Examine both the full Snort alert and your webserver logs for this
particular host.  Determine if the /etc/passwd string was part of a
malicious request against your webserver.  Pay particular attention to
requests that access directories that have exec-cgi (apache)
permissions and the scripts contained therein.  If retrieval of the
passwd file is possible and was successful, determine what information the
attacker may have gleaned.  Are you using shadowed password files?  If
the retrieval was successful, watch for failed login attempts against
the login names contained in your passwd file.
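The following is an added example, not part of the original post or of the Snort distribution. It applies the same case-insensitive '/etc/passwd' match the rule above uses to webserver access log lines, then does the triage the Corrective Action section describes: group hits by client host, flag requests into cgi-executable directories first, set aside the man-cgi style requests named under False Positives, and list hosts whose non-benign request the server answered with a 200 so you can check what was disclosed. The log lines, client addresses and script paths are constructed for the example; the '/man-cgi' path used to recognise the benign case is an assumption and should be adjusted to whatever man page frontend is actually deployed. The example %-decodes the request path before matching, so a request that was encoded on the wire is still found during log review.

```python
"""Triage helper for SID 1122 hits over Apache-style access log lines.

Added example; nothing here is taken from the original post except the
'/etc/passwd' string and the man-cgi false positive it mentions.
"""
import re
from urllib.parse import unquote

# Constructed sample access log (hosts, timestamps and paths are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2002:19:01:02 -0500] "GET /cgi-bin/view.cgi?file=/etc/passwd HTTP/1.0" 200 1432
203.0.113.7 - - [12/Mar/2002:19:01:05 -0500] "GET /index.html HTTP/1.0" 200 512
198.51.100.4 - - [12/Mar/2002:19:02:11 -0500] "GET /cgi-bin/man-cgi?/etc/passwd HTTP/1.0" 200 8812
203.0.113.7 - - [12/Mar/2002:19:03:40 -0500] "GET /docs/%2Fetc%2FPASSWD HTTP/1.0" 404 211
"""

# Common log format: host ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Known-benign pattern from the post: man-cgi style frontends to man pages.
# The path fragment is an assumption; match whatever frontend you actually run.
BENIGN_RE = re.compile(r'/man-cgi', re.IGNORECASE)

# The rule's content match, applied after %-decoding and case folding.
NEEDLE = '/etc/passwd'


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['decoded_path'] = unquote(rec['path'])
    rec['status'] = int(rec['status'])
    return rec


def classify(rec):
    """Return None when the request does not contain /etc/passwd, else a verdict string."""
    path = rec['decoded_path'].lower()
    if NEEDLE not in path:
        return None
    if BENIGN_RE.search(path):
        return 'benign-known-exception'
    # The post says to look at exec-cgi directories first.
    if '/cgi-bin/' in path:
        return 'cgi-script-request'
    return 'web-misc-request'


def triage(log_text):
    """Map client host -> list of (verdict, status, raw path) for every matching line."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict is None:
            continue
        hits.setdefault(rec['host'], []).append((verdict, rec['status'], rec['path']))
    return hits


def needs_follow_up(hits):
    """Hosts with a non-benign hit the server answered 200 to: check what was disclosed."""
    return sorted(
        host for host, entries in hits.items()
        if any(v != 'benign-known-exception' and s == 200 for v, s, _ in entries)
    )


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for host, entries in result.items():
        for verdict, status, path in entries:
            print(f'{host} {status} {verdict} {path}')
    print('follow up on:', needs_follow_up(result))
```

Run it as-is to see the three matching requests and the single host worth following up; to use it on a real log, read the file in place of SAMPLE_LOG and compare the hosts it reports with the source address in the Snort alert.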

Warchild <warchild at ...288...>

Additional References:
