What is a directory traversal attack?

It is an attack where attackers use '../' sequences to access files outside the intended directory.

How do you detect directory traversal in logs?

Look for '../' or encoded patterns attempting to access sensitive files like /etc/passwd.

How to prevent directory traversal attacks?

Validate file paths, restrict access, and use secure frameworks that normalize paths.

Path Traversal

Directory Traversal Attack Logs (/etc/passwd Examples + Fix)

See exactly how attackers use ../../../etc/passwd payloads in your web logs. Learn to detect directory climbing attacks instantly and secure your file paths.

Log Signature Detected: If you're seeing "GET /../../../../etc/passwd HTTP/1.1" 400 162 "-" "-"..." in your logs, your server may be under a Path Traversal attack.

Real Log Example

access.log

GET /../../../../etc/passwd HTTP/1.1" 400 162 "-" "-"
GET /download?file=..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 404 209 "-" "curl"
GET /images/../../../var/log/apache2/access.log HTTP/1.1" 200 4096 "-" "-"

Think your server is currently experiencing a Path Traversal?

Don't guess. Paste your actual server logs into our Neural Engine to instantly verify if this attack is active.

Scan My Logs Now

Analyzed in-memory. Zero data retention.

What Is a Path Traversal?

Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.

Directory traversal attacks attempt to access files outside the intended web directory by using '../' sequences.

The /etc/passwd file is a common target because it contains user account information on Linux systems, which is often a precursor to an failed password for invalid user SSH logs once usernames are acquired.

If successful, attackers can access sensitive configuration files and escalate privileges.

How to Detect Directory Traversal Attack Logs (/etc/passwd Examples + Fix) in Logs

Patterns: The primary signature is the dot-dot-slash sequence (../) or its URL-encoded equivalent (%2e%2e%2f).

Target Files: Attackers typically hunt for /etc/passwd, /etc/shadow, /var/log/auth.log, or application configuration files like .env or wp-config.php.

Success Indicators: A 200 OK status code on a request containing traversal sequences is a critical alert, indicating the attacker likely downloaded the targeted file.

Path Traversal Attack Detection Checklist

Pattern	Indicator	Severity
../../../etc/passwd in request	Linux credential file access	Critical
%2e%2e%2f encoded sequences	WAF bypass path traversal	High
200 OK on traversal request	Successful file download - Loss of Data	Critical

How to Defend Against This Threat

Validate and sanitize all file path inputs.
Use a whitelist approach for file access.
Disable direct access to sensitive system files.

Related Log Threats

Directory Traversal

Directory Traversal in Apache Logs

Detect directory traversal attacks in Apache logs.

Read guide

Brute Force

Failed Password for Invalid User (SSH Log Example + Fix Guide)

See real SSH brute force payloads in your auth.log. Learn how to detect 'failed password' attacks instantly and block malicious IPs before breach.

Read guide

Brute Force Attack

Brute Force Attack in Apache Logs: Detection & Fix

Learn how to detect and mitigate brute force attacks targeting Apache environments effectively.

Read guide