- 131.108.45.81 - - [05/Dec/2014:23:57:14 -0500] "GET /scripts/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.1" 302 268 "-" "Mozilla/4.0 (CriticalWatch-FusionVM)"
- What does this tell you?
- How can this be helpful to an investigation?
- IP Address - 192.168.10.1
- Date and Time (with UTC offset) - [03/Sep/2012:14:40:53 -0400]
- Method Invoked - GET
- URL Requested - /cgi-bin/edit.pl
- Protocol Used - HTTP/1.1
- Result Code - 404
- Number of Bytes Transferred - 305
Directory Traversal Attack
192.168.10.1 - - [03/Sep/2012:11:11:05 -0400] "GET /../../../tmp HTTP/1.0" 400 352
192.168.10.1 - - [03/Sep/2012:11:11:19 -0400] "GET /../../../ HTTP/1.0" 400 349
192.168.10.1 - - [03/Sep/2012:11:11:22 -0400] "GET /../../../usr HTTP/1.0" 400 352
192.168.10.1 - - [03/Sep/2012:11:11:26 -0400] "GET /../../../usr HTTP/1.0" 400 352
192.168.10.1 - - [03/Sep/2012:11:12:04 -0400] "GET /../../home HTTP/1.0" 400 350
192.168.10.1 - - [03/Sep/2012:11:12:10 -0400] "GET /../../cgi-bin HTTP/1.0" 400 353
Note: the /../ sequences are attempts to reach directories outside the standard web environment; the 400 result codes show the server rejected each request.
192.168.10.1 - - [03/Sep/2012:14:38:19 -0400] "GET /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10 HTTP/1.0" 200 306
192.168.10.1 - - [03/Sep/2012:14:40:20 -0400] "GET /login.asp?user=masmith&password=123 or 1=1 " 200 308
192.168.10.1 - - [03/Sep/2012:14:40:20 -0400] "GET products.asp?productid=123;DROP TABLE Products " 200 254
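An added triage script (not part of the original slides) that parses Common/Combined Log Format lines into the fields listed above and flags the traversal, command-injection and SQL-injection patterns shown in the sample entries; the indicator regexes and the benign control line are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Apache Common Log Format with optional Combined (referrer, user-agent) tail.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# Assumed indicator set covering the three attack patterns in the sample log.
INDICATORS = [
    ("directory traversal", re.compile(r"\.\.[/\\]")),
    ("command injection", re.compile(r"[;|`]\s*(?:cat|ls|id|uname|wget|curl)\b")),
    ("sql injection", re.compile(r"\b(?:or\s+1\s*=\s*1|drop\s+table|union\s+select)\b", re.I)),
]

def split_request(request):
    """'METHOD URL PROTOCOL' -> (method, url, protocol); protocol may be missing."""
    parts = request.strip().split(" ")
    if len(parts) > 1 and parts[-1].startswith("HTTP/"):
        return parts[0], " ".join(parts[1:-1]), parts[-1]
    return parts[0], " ".join(parts[1:]), ""

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: report it, do not guess at fields
    rec = m.groupdict()
    rec["method"], rec["url"], rec["protocol"] = split_request(rec["request"])
    return rec

def classify(url):
    """Labels matched against both the raw and the URL-decoded request."""
    decoded = unquote_plus(url)
    return sorted({lbl for lbl, rx in INDICATORS if rx.search(url) or rx.search(decoded)})

def triage(lines):
    """(ip, time, outcome, labels) per suspicious line; 4xx means the server refused it."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        labels = classify(rec["url"])
        if labels:
            outcome = "rejected" if rec["status"].startswith("4") else "handled"
            hits.append((rec["ip"], rec["time"], outcome, labels))
    return hits

# Constructed sample: entries from the slides plus one benign request as a control.
SAMPLE = [
    '131.108.45.81 - - [05/Dec/2014:23:57:14 -0500] "GET /scripts/auktion.cgi?menue=../../../../../../../../../etc/passwd HTTP/1.1" 302 268 "-" "Mozilla/4.0 (CriticalWatch-FusionVM)"',
    '192.168.10.1 - - [03/Sep/2012:11:11:05 -0400] "GET /../../../tmp HTTP/1.0" 400 352',
    '192.168.10.1 - - [03/Sep/2012:14:38:19 -0400] "GET /cgi-bin/publisher/search.cgi?dir=jobs&template=;cat+/etc/passwd|&output_number=10 HTTP/1.0" 200 306',
    '192.168.10.1 - - [03/Sep/2012:14:40:20 -0400] "GET /login.asp?user=masmith&password=123 or 1=1 " 200 308',
    '192.168.10.1 - - [03/Sep/2012:14:40:20 -0400] "GET products.asp?productid=123;DROP TABLE Products " 200 254',
    '192.168.10.1 - - [03/Sep/2012:14:40:53 -0400] "GET /cgi-bin/edit.pl HTTP/1.1" 404 305',
]
```

A "handled" outcome on an injection-style request (the 200 and 302 entries) is the cue to pull the application's own logs for that timestamp, since the web server did not refuse the request.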