这是恶意代码的证据吗？

Question

我正在开发一个使用创建-反应-应用程序的React应用程序，最近我在VS代码终端上看到了一些错误，在我看来有些可疑。看起来，一个名为"express“的库试图找到一个win.ini文件，并与/etc/passwd有关。

它为什么要看这些？

我在NPM上查找了"express“，它看起来像一个轻量级的web服务器。这就是创建-反应-应用程序作为开发服务器所使用的吗？

URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)

Answer 1

win.ini只存储登录的用户设置，/etc/passwd包含了UNIX系统上的用户列表。两个文件都不包含密码，甚至不包含密码散列。

如果这是恶意的，我怀疑快递是用来回发到攻击者服务器，以提供他们的信息。

Answer 2

Express是大多数web服务器安装程序使用的一个流行程序。查看此错误，我认为您没有保护目录，有人试图访问包含散列用户密码的文件。为了安全起见，请检查和编辑目录访问路径。

一些细节；/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini是URL编码的，

%2E是指"."，

%C0的意思是“C0”，

这意味着一些尝试访问名为"/À.À./À.À./À.À./À.À./windows/win.ini".的reach目录。