../../../etc/passwd Path Traversal (Log Examples + Fix Guide)
See exactly what a ../../../etc/passwd path traversal payload looks like in your access logs. Detect directory attacks instantly and block them.
Log Signature Detected: If you're seeing "192.168.1.50 - - [02/Apr/2026:18:22:10 +0000] "GET /download..." in your logs, your server may be under a Path Traversal attack.
Think you're under attack?
Paste a snippet of your server logs below for instant AI verification.
Accepts raw text. Max 500 lines per scan.
Real Log Example
192.168.1.50 - - [02/Apr/2026:18:22:10 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 2453 "-" "curl/7.68.0"
192.168.1.50 - - [02/Apr/2026:18:22:11 +0000] "GET /images/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 404 153 "-" "curl/7.68.0"
192.168.1.50 - - [02/Apr/2026:18:22:12 +0000] "GET /api/read?path=..\..\..\windows\system32\drivers\etc\hosts HTTP/1.1" 400 23 "-" "python"Does your log look like this? Paste it into Helix Vanguard for instant AI analysis.
Analyze Your Logs FreeNo signup required. End-to-end encrypted.
What Is a Path Traversal?
Security analysts and DevOps teams monitoring infrastructure like Nginx, Apache HTTP Server, Node.js, AWS, and WordPress must be able to quickly identify and triage these malicious log patterns to prevent data breaches.
When you see the string '../../../etc/passwd' in your logs, an attacker is actively attempting a Path Traversal attack to escape the web root.
The '/etc/passwd' file is the universal holy grail for Linux-based path traversal testing. If an attacker can retrieve this file, they confirm the vulnerability exists. This is highly dangerous and requires a completely different defense than SQL injection Nginx log examples.
Attackers will often use URL encoding (like %2e%2e%2f for ../) or varying depths of directories (../../) to bypass basic WAF rules.
How to Detect ../../../etc/passwd Path Traversal (Log Examples + Fix Guide) in Logs
Depth Probing: You will often see the same IP address make several rapid requests, increasing the number of `../` sequences each time (e.g., `../etc/passwd`, then `../../etc/passwd`, then `../../../etc/passwd`) until they hit the root directory.
OS Variations: While `/etc/passwd` targets Linux, look for strings like `..\..\windows\win.ini` or `boot.ini` which target Windows IIS servers.
The 200 OK Danger: A 404 or 400 response means the attack failed. A 200 OK with a large byte size indicates the attacker successfully downloaded the sensitive file.
Path Traversal Attack Detection Checklist
| Pattern | Indicator | Severity |
|---|---|---|
| Increasing ../ depth from same IP | Root directory depth probing | Critical |
| ..\\..\\windows\\win.ini in request | Windows-targeted path traversal | Critical |
| 200 OK + large byte size on traversal | Sensitive file successfully stolen | Critical |
How to Defend Against This Threat
Never pass user-supplied input directly to filesystem APIs.
If you must use user input for file downloads, use a strict allowlist of permitted filenames.
Configure your web server to explicitly restrict file serving to the designated public directory.
Related Log Threats
Failed Password for Invalid User (SSH Log Example + Fix Guide)
See real SSH brute force payloads in your auth.log. Learn how to detect 'failed password' attacks instantly and block malicious IPs before breach.
Read guideSQL Injection in Nginx Logs (Detection Examples + Fix Guide)
See real SQL injection payloads (UNION SELECT, OR 1=1) in Nginx logs. Detect database attacks instantly and block malicious queries before data is exposed.
Read guideDirectory Traversal Attack Logs (/etc/passwd Examples + Fix)
See exactly how attackers use ../../../etc/passwd payloads in your web logs. Learn to detect directory climbing attacks instantly and secure your file paths.
Read guide