Fortinet 410 FortiWeb 5.0 Patch 6 Administration Guide
platform as your production web servers, but contain no valuable data, normally receive no
legitimate traffic, an be open to attacks in order to gather data on automated attacks for your
forensic analysis.
Let’s say your honeypot, like your production web servers, runs Joomla. In either your web
server’s logs, you see requests for URLs such as:
10.0.0.10
-
-
[16/Dec/2011:09:30:49 +0500]
"GET
/index.php?option=com_ckforms&controller=../../../../../../../../win
nt/system32/cmd.exe?/c+ver HTTP/1.1"
200
"-"
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0a2)
Gecko/20111101 Firefox/9.0a2)"
where the long string of repeated ../ characters indicates an attempt at directory traversal: to
go above the web server’s usual content directories.
If Joomla does not properly sanitize the input for the controller parameter (highlighted in
bold above), it would be able to use LFI. The attacker’s goal is to reach the cmd.exe file, the
Microsoft Windows command line, and enter the command ver, which displays the web
server’s specific OS version, such as:
Microsoft Windows [Version 6.1.7601]
Since the attacker successfully fingerprinted the specific version of Windows and Joomla, all
virtual hosts on that computer would be vulnerable also to any other attacks known to be
successful on that platform.
Luckily, this is happening on your honeypot, and not your company’s web servers.
To detect similar attacks, you could write your own attack signature to match and block that
and similar directory-traversing requests via controller, as well as to notify you when your
production web servers are being targeted by this type of attack:
If packet payload retention and logging were enabled, once this custom signature was applied,
you could analyze requests to locate targeted files. Armed with this knowledge, you could then
apply defenses such as tripwires, strict file permissions, uninstalling unnecessary programs,
and sandboxing in order to minimize the likelihood that this attacker would be able to succeed
and achieve her objectives.
Setting name Value
Direction Signature creation
Expression ^/index\.php\?option=com_ckforms\&controller=(\.\.\/)+?
Action Alert & Deny
Severity High
Trigger Action notification-servers1