2003801 : passwd file accessed
- Event Description
- Products that have this security check
- Affected platforms
- How to remove this vulnerability
- Information about this document
The /etc/passwd file on Unix systems contains password information. An attacker who has accessed the etc/passwd file may attempt a brute force attack of all passwords on the system.
An attacker may attempt to gain access to the etc/passwd file through HTTP, FTP, or SMB. Typically this is done through one of the CGI scripts installed on the server, so this event may be seen in conjunction with other events of that type.
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- IBM Security Host Protection for Desktops
- IBM Security Host Protection for Servers (Unix)
- IBM Security Host Protection for Servers (Windows)
- IBM Security Network Protection
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- RealSecure Desktop
- RealSecure Desktop Protector
- RealSecure Desktop Protector 3.6
- RealSecure Guard
- RealSecure Network
- RealSecure Sentry
- RealSecure Server Sensor
- Virtual Server Protection for Vmware
This event triggers when an HTTP GET request contains '*/etc/passwd' or '*/etc/shadow' or '*/etc/master.passwd' or '*/etc/security/passwd' and '*/etc/security/shadow'.
|False Positive:||This event triggers on what appears to be a request for the password or shadow file, which may or may not be successful. A false positive is not indicated when the request is unsuccessful.|
- Compaq Tru64Data General DG/UXDigital OSF/1HP HP-UXIBM AIXLinux KernelSCO SCO UnixSGI IRIXSun SolarisWind River BSDOS
Examine the URL accessed and evaluate if the access attempt could have been successful. If so, consider the system compromised and all passwords exposed. Although this event is not the result of a specific vulnerability, you should take steps to ensure that HTTP, FTP, and SMB file shares do not contain vulnerabilities that could allow remote access to the /etc/passwd file.
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2014 IBM Internet Security Systems. All rights reserved.
This page was created on Wed Jul 16 00:50:14 2014