A friend of mine showed me a nasty little "trick" over the weekend. He went
to a Web Search server (http://www.altavista.digital.com/) and did a search
on the following keywords -
root: 0:0 sync: bin: daemon:
You get the idea. He copied out several encrypted root passwords from
password files, launched CrackerJack and a 1/2 MB word file and had a root
password in under 30 minutes. All without accessing the site's server, just
the index on a web search server!
Well, the first thing I did was check my site and it's ok. The second thing
I did was check my ISP for my home account, and it's okay. But by trying
various combinations of common accounts on web searches, dozens of passwd
files were found.
It seems that a large number of locations who use httpd and ftpd on the same
server often copy the regular passwd file to ftp/etc or ftp-users/etc for
ftp user access. A few sites have left the root password in the file, and
many contain user accounts' passwords. The problems I see here are as follows:
1. You can get the passwd file in some cases by simply pointing your URL to
http://target.com/ftp/etc/passwd or http://target.com/ftp-users/etc/passwd.
Not good. Anon ftp can't get it but a web browser can. Many passwd files
are shadowed but you can see some legit account names. Yes, I realize that
this may be a dummy file but hey, not always the case.
2. Some sites do not have the passwd file world readable, but the entire
passwd file still exists indexed on the web search server. I don't know
about you, but I don't think I'd want my passwd file indexed and searchable
on a world accessible web server.
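The two checks the post implies, written out as an added example (this is not code from the original post or its author): walk a web root for world-readable passwd copies under an etc/ directory, and report which entries in such a file still carry a real hash or an empty password rather than a shadow marker or a locked field. The passwd contents, the hash strings and the webroot layout below are all constructed for the demo; the hashes are not real crypt(3) output.

```python
"""Audit a web root for passwd copies that httpd would happily serve.

Added example, not from the original post. The sample passwd data, its
13-character "hashes" and the ftp/ftp-users tree are constructed here.
"""
import os
import stat
import tempfile

# Constructed sample: the kind of file a site copies into ftp/etc for ftpd.
# The hash-looking fields are made up and do not correspond to any password.
SAMPLE_PASSWD = """\
root:Qz7vK1pLm3xWe:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
bin:*:2:2:bin:/bin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
ftp:x:14:50:FTP User:/home/ftp:/bin/false
alice:aB3dEf9g2hIjK:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol::1003:1003:Carol:/home/carol:/bin/sh
"""

SHADOW_MARKERS = {"x"}        # hash lives in /etc/shadow, nothing to crack
LOCKED_PREFIXES = ("*", "!")  # no password login possible for this account


def classify_password_field(field):
    """Return 'empty', 'shadowed', 'locked' or 'hash' for a passwd field."""
    if field == "":
        return "empty"        # no password at all: worse than a crackable hash
    if field in SHADOW_MARKERS:
        return "shadowed"
    if field.startswith(LOCKED_PREFIXES):
        return "locked"
    return "hash"


def parse_passwd(text):
    """Yield (user, password_field, uid) for each well-formed passwd(5) line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue          # not a passwd line, skip rather than guess
        try:
            uid = int(parts[2])
        except ValueError:
            continue
        yield parts[0], parts[1], uid


def looks_like_passwd(text):
    """Cheap signature for 'this is a passwd file': the same system accounts
    the post searched on (root, bin, daemon) all present as entries."""
    users = {user for user, _, _ in parse_passwd(text)}
    return {"root", "bin", "daemon"} <= users


def audit_passwd(text):
    """Return [(user, uid, status)] for entries an attacker could use:
    a real hash to feed a cracker, or an empty field. Sorted by uid so
    uid 0 lands first."""
    findings = []
    for user, field, uid in parse_passwd(text):
        status = classify_password_field(field)
        if status in ("hash", "empty"):
            findings.append((user, uid, status))
    return sorted(findings, key=lambda f: f[1])


def find_exposed_passwd(webroot):
    """Return web-root-relative paths of world-readable files named 'passwd'
    inside an 'etc' directory (ftp/etc/passwd, ftp-users/etc/passwd, ...).
    Anonymous ftpd may refuse to hand these out; httpd serves any file whose
    mode lets it read them, which is what the other-read bit tells us."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        if os.path.basename(dirpath) != "etc" or "passwd" not in filenames:
            continue
        path = os.path.join(dirpath, "passwd")
        if os.stat(path).st_mode & stat.S_IROTH:
            hits.append(os.path.relpath(path, webroot))
    return sorted(hits)


def build_sample_webroot(base=None):
    """Create a constructed web tree: two world-readable passwd copies under
    ftp/ and ftp-users/, plus one under private/ with mode 0640 as the
    control case. Returns the web root path."""
    base = base or tempfile.mkdtemp(prefix="webroot-")
    for sub, mode in (("ftp", 0o644), ("ftp-users", 0o644), ("private", 0o640)):
        etc = os.path.join(base, sub, "etc")
        os.makedirs(etc, exist_ok=True)
        path = os.path.join(etc, "passwd")
        with open(path, "w") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel in find_exposed_passwd(root):
        with open(os.path.join(root, rel)) as fh:
            text = fh.read()
        print(rel, "passwd-like" if looks_like_passwd(text) else "not passwd")
        for user, uid, status in audit_passwd(text):
            print("  %-8s uid=%-5d %s" % (user, uid, status))
```

Run it against a real DocumentRoot instead of the constructed tree and the output is the list of passwd copies a browser could fetch, with the accounts (root first) whose hashes would go straight into a cracker. The mode-bit test assumes a POSIX filesystem and that httpd runs as an unprivileged user, which is why only the other-read bit is checked.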