这是恶意代码的证据吗？

Question

我正在使用 create-react-app 开发一个 React 应用程序，最近我在 VS Code 终端中看到了一些对我来说有点可疑的错误。看起来一个名为“express”的库正在尝试查找 win.ini 文件以及与 /etc/passwd 相关的内容。

为什么需要查看这些？

我在 NPM 上查找了“express”，它看起来像一个轻量级 Web 服务器。这就是 create-react-app 用作开发服务器的东西吗？

URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/windows/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/winnt/win.ini'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
URIError: Failed to decode param '/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/%uff0e%uff0e/etc/passwd'
    at decodeURIComponent (<anonymous>)
    at decode_param (C:\path\to\my\project\node_modules\express\lib\router\layer.js:172:12)
    at Layer.match (C:\path\to\my\project\node_modules\express\lib\router\layer.js:123:27)
    at matchLayer (C:\path\to\my\project\node_modules\express\lib\router\index.js:574:18)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:220:15)
    at expressInit (C:\path\to\my\project\node_modules\express\lib\middleware\init.js:40:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)
    at next (C:\path\to\my\project\node_modules\express\lib\router\index.js:275:10)
    at query (C:\path\to\my\project\node_modules\express\lib\middleware\query.js:45:5)
    at Layer.handle [as handle_request] (C:\path\to\my\project\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (C:\path\to\my\project\node_modules\express\lib\router\index.js:317:13)
    at C:\path\to\my\project\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (C:\path\to\my\project\node_modules\express\lib\router\index.js:335:12)

Answer 1

win.ini 仅存储用于登录的用户设置，而 /etc/passwd 包含 UNIX 系统上的用户列表。这两个文件都不包含密码，甚至不包含密码哈希。

如果这是恶意的，我怀疑 express 被用于回传到攻击者服务器以向他们提供信息。

Answer 2

Express 是大多数 Web 服务器安装程序使用的流行程序。查看此错误，我认为您未保护目录，并且有人试图访问包含散列用户密码的文件。请检查并编辑目录访问路径以确保您的安全。

一些细节； /%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini 是URL-ENCODED,
%2E 表示“.”,
%C0 表示“À”,
这意味着一些尝试到达名为“/À.À./À.À./À.À./À.À./windows/win.ini”的目录。