DocumentRoot and Private Keys

In the last few days I’ve noticed a few unusual GET requests for supposedly exposed SSH private keys. All requests are following the same pattern: - - [05/May/2017] "GET /id_rsa HTTP/1.1" - - [05/May/2017] "GET /.ssh/id_rsa HTTP/1.1" - - [05/May/2017] "GET /id_rsa HTTP/1.1" - - [05/May/2017] "GET /.ssh/id_rsa HTTP/1.1"

Most (if not all) requests I’ve seen have originated from Tor exit nodes. Should there be an actual vulnerability related to these scans, then I really wonder what kind of build system would be responsible for exposing private keys in this way. Oh well, I guess there is a package manager for that.


Roger Comply avatar
Roger Comply
Thank you for reading!
Feel free to waste more time by subscribing to my RSS feed.