Activity Processors: Error Processor: Incident - Unknown User Directory Requested

Complexity: Suspicious (1.0)

Default Response: 5x = User Directory Enumeration Incident

Cause: Many webservers allow the users on the system to maintain publicly accessible web directories. These directories are generally accessible from the root directory of the website followed by a tilde and the username. For example, if the webserver had a user named ‘george', that user could serve content from This incident is triggered when an attacker requests a user directory on the server that does not exist, and that user directory name is in a list of commonly used usernames (for example: where "root" is not a real user directory).

Behavior: Often times, administrators will upload sensitive content onto a webserver in an obscure location and not link to that content anywhere on the site. The assumption is that the content is private because no one will find it. However humans are somewhat predictable, so it's actually quite common for two administrators to pick the same "obscure" location to place sensitive content. As such, hackers have compiled a list of the most commonly chosen directory names where sensitive content is often stored, and they will basically test every name in the list to see if a site has a directory by that name. If it does, the attacker is able to locate and obtain that sensitive content. In this specific case, the attacker is testing for default user directories for users with predictable names (such as ‘root', ‘guest', ‘nobody', and so on...). An example of a tool that allows attackers to quickly identify hidden user directories is called "DirBuster" ( Category:OWASP_DirBuster_Project).