<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Internet Information Services - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/internet-information-services/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:22:34 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/internet-information-services/feed.xml" rel="self" type="application/rss+xml"/><item><title>Web Server Potential Remote File Inclusion Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-rfi-discovery/</link><pubDate>Tue, 09 Jan 2024 18:22:34 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rfi-discovery/</guid><description>This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths, potentially leading to information disclosure or further compromise.</description><content:encoded><![CDATA[<p>This detection rule identifies potential Remote File Inclusion (RFI) attacks targeting web servers. RFI vulnerabilities allow attackers to inject malicious code by including remote files into the web server's application. The rule focuses on detecting HTTP GET requests with a 200 OK status code that contain suspicious URL parameters. These parameters attempt to access sensitive remote files using directory traversal techniques or directly specifying known file paths. This activity can lead to unauthorized access to sensitive information, system information disclosure, or further server compromise. The rule covers web servers like Nginx, Apache, Apache Tomcat, IIS, and Traefik. This activity is important for defenders to detect, as it can lead to significant data breaches and system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a vulnerable web server endpoint that is susceptible to RFI.</li>
<li>The attacker crafts a malicious HTTP GET request. This request includes a URL parameter (e.g., <code>page=</code>, <code>url=</code>, <code>src=</code>) with a URL pointing to a remote file or IP address controlled by the attacker. The URL can also leverage wrappers like <code>php://</code>, <code>data://</code>, or <code>file://</code>.</li>
<li>The victim web server receives the malicious GET request.</li>
<li>The web server processes the request and attempts to include the remote file specified in the URL parameter.</li>
<li>If the web server is vulnerable, it successfully fetches the content from the attacker-controlled remote server.</li>
<li>The attacker's malicious code or script within the included file is executed within the context of the web server.</li>
<li>The attacker gains unauthorized access to the web server's file system, configuration files, or sensitive data.</li>
<li>The attacker can then escalate privileges, install malware, or exfiltrate sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful RFI attacks can lead to severe consequences, including unauthorized access to sensitive data, system compromise, and potential data breaches. Attackers can leverage RFI to read configuration files, gain access to credentials, and execute arbitrary code on the web server. This could result in the loss of confidential information, disruption of services, or the complete takeover of the affected system. The impact of a successful RFI attack can range from information disclosure to full system compromise, depending on the severity of the vulnerability and the attacker's objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Web Server Potential Remote File Inclusion Activity&quot; to your SIEM to detect suspicious GET requests containing remote URLs (see rules section).</li>
<li>Inspect web server logs (Nginx, Apache, Apache Tomcat, IIS, and Traefik) for GET requests with status code 200 containing parameters with encoded URLs or raw IPs.</li>
<li>Implement and tune WAF rules to block suspicious include parameters (e.g., <code>page=</code>, <code>url=</code>, or <code>src=</code>) containing <code>http://</code>, <code>https://</code>, <code>ftp://</code>, <code>smb://</code>, or <code>file://</code>.</li>
<li>Restrict outbound connections from web servers to known, trusted domains to prevent exploitation of RFI vulnerabilities.</li>
<li>Set PHP <code>allow_url_include=Off</code> and <code>allow_url_fopen=Off</code> in PHP configuration files to mitigate RFI vulnerabilities.</li>
<li>Apply <code>open_basedir</code> restrictions in PHP to limit the files that PHP scripts can access.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>rfi</category><category>webserver</category><category>vulnerability</category></item><item><title>Web Server Remote File Inclusion Activity Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-web-server-rfi/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-web-server-rfi/</guid><description>This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths to read sensitive files, gain system information, or further compromise the server.</description><content:encoded><![CDATA[<p>This rule identifies potential Remote File Inclusion (RFI) attacks against web servers, specifically targeting Nginx, Apache, Apache Tomcat, IIS, and Traefik. The detection logic focuses on HTTP GET requests that receive a 200 OK response and include URL parameters that contain remote URLs or raw IP addresses. The rule is designed to detect attempts to exploit RFI vulnerabilities, where attackers try to force the application to fetch external content or reveal local files. The rule uses esql and url decoding to normalize the request before checking for suspicious URL schemes and IP addresses. The minimum stack version is 9.2.0 to support the esql url_decode() operator.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a web server running a vulnerable application (e.g., PHP application on Apache).</li>
<li>The attacker crafts a malicious HTTP GET request containing a URL parameter (e.g., <code>page</code>) designed to exploit an RFI vulnerability.</li>
<li>The malicious GET request includes a remote URL (e.g., <code>http://203.0.113.10/drop.txt</code>) or an IP address within the vulnerable parameter.</li>
<li>The web server processes the request and attempts to fetch the remote content specified in the URL.</li>
<li>If successful (HTTP 200 OK), the remote content is included in the web server's response.</li>
<li>The attacker leverages the inclusion of the remote file to execute arbitrary code or access sensitive information.</li>
<li>The attacker uses the RFI to further compromise the web server, potentially installing a webshell or exfiltrating data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful RFI attack can lead to the disclosure of sensitive information, arbitrary code execution, and complete compromise of the web server. This can result in data breaches, service disruption, and reputational damage. The elastic rule considers attacks against Nginx, Apache, Apache Tomcat, IIS, and Traefik web servers, impacting any organizations utilizing these platforms.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment.</li>
<li>Block the identified malicious IP <code>203.0.113.10</code> at the firewall or intrusion prevention system based on its context as an example RFI probe.</li>
<li>Investigate any alerts generated by these rules, focusing on the <code>url.original</code> field in the logs to understand the attempted RFI.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>remote-file-inclusion</category><category>web-server</category><category>discovery</category></item><item><title>Web Server Discovery or Fuzzing Activity Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-web-server-fuzzing/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-web-server-fuzzing/</guid><description>Detection of web server discovery or fuzzing activity indicated by a high volume of HTTP GET requests resulting in 404 or 403 status codes originating from a single source IP address within a short timeframe, suggesting attempts to discover hidden resources.</description><content:encoded><![CDATA[<p>This rule detects potential reconnaissance activity against web servers, specifically web server discovery or fuzzing. The activity is characterized by a single source IP address generating a high volume of HTTP GET requests that result in 404 (Not Found) or 403 (Forbidden) status codes within a short time period. The logic is based on analysis of web server logs from Nginx, Apache, Apache Tomcat, IIS, and Traefik. Such patterns typically indicate an attacker is trying to discover hidden or unlinked resources, potentially identifying vulnerabilities or sensitive information disclosure points on the web server. This discovery phase can often precede more targeted attacks. The detection logic triggers when more than 500 events from a single source IP are observed, involving more than 250 distinct URL requests.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker initiates a connection to the target web server using an automated tool.</li>
<li>The attacker sends a large number of HTTP GET requests to the web server, probing various URLs and paths.</li>
<li>The web server responds to the requests, often returning 404 (Not Found) or 403 (Forbidden) status codes for non-existent or restricted resources.</li>
<li>The attacker analyzes the HTTP response codes to identify potentially accessible or vulnerable resources.</li>
<li>If accessible resources are found (e.g., administrative interfaces, backup files), the attacker attempts to access them.</li>
<li>The attacker may attempt further exploitation based on discovered vulnerabilities or accessible resources.</li>
<li>The attacker gains unauthorized access to the web server or sensitive data.</li>
<li>The attacker performs malicious activities such as data theft, defacement, or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful web server discovery and fuzzing can lead to the identification of sensitive files (e.g., configuration files, backups), vulnerable endpoints (e.g., administrative interfaces), and insecure configurations. An attacker can leverage this information to gain unauthorized access, leading to data breaches, system compromise, or service disruption. The severity of the impact depends on the nature of the exposed resources and the attacker's capabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Web Server Fuzzing Detection</code> to your SIEM and tune the threshold based on your environment's baseline traffic to reduce false positives.</li>
<li>Review web server logs for patterns matching the description in the <code>Overview</code> to identify potential attackers.</li>
<li>Implement rate limiting on your web servers and WAF to mitigate the impact of web server discovery and fuzzing attempts, based on the analysis of <code>http.request.method</code> and <code>http.response.status_code</code>.</li>
<li>Ensure that sensitive files and directories are properly secured and not publicly accessible, reviewing access control configurations on the web server.</li>
<li>Monitor web server logs for requests to common sensitive paths (e.g., /.env, /.git, /admin), using a rule targeting the <code>url.original</code> field, to detect unauthorized access attempts.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>web-server</category><category>fuzzing</category><category>reconnaissance</category><category>web-application</category></item><item><title>Web Server Discovery or Fuzzing Activity</title><link>https://feed.craftedsignal.io/briefs/2024-01-web-server-recon/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-web-server-recon/</guid><description>Detection of potential web server discovery or fuzzing activity characterized by a high volume of HTTP GET requests resulting in 404 or 403 status codes originating from a single source IP address within a short timeframe, indicating attackers are probing for hidden resources.</description><content:encoded><![CDATA[<p>This detection identifies web server reconnaissance and fuzzing attempts. The rule is triggered when a single source IP address generates a high volume of HTTP GET requests that result in 404 (Not Found) or 403 (Forbidden) status codes within a short period. This behavior suggests an attacker is trying to discover hidden or unlinked resources on a web server, a common initial step before more targeted attacks. This is achieved by counting events and distinct URLs accessed from logs across Nginx, Apache, Apache Tomcat, IIS, and Traefik web servers. The rule triggers if more than 500 events and 250 distinct URLs are observed from a single IP address within the monitored timeframe.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker initiates network connections to a target web server (Nginx, Apache, etc.).</li>
<li>The attacker sends a series of HTTP GET requests to various URLs, often using a wordlist.</li>
<li>The web server processes each request and returns HTTP status codes.</li>
<li>The attacker analyzes the HTTP status codes to identify existing resources.</li>
<li>A large number of 404 (Not Found) or 403 (Forbidden) responses indicate a fuzzing attempt.</li>
<li>The attacker identifies potentially vulnerable or misconfigured resources.</li>
<li>The attacker may attempt to exploit discovered vulnerabilities.</li>
<li>Successful exploitation could lead to information disclosure or unauthorized access.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful web server discovery enables attackers to map out a web application's structure and identify potential vulnerabilities or misconfigurations. This reconnaissance can precede more severe attacks, such as unauthorized access to sensitive data, code execution, or denial-of-service attacks. While this rule has low severity, successful reconnaissance can lead to high impact outcomes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>High Volume of 404/403 GET Requests</code> to your SIEM and tune the threshold (events &gt; 500 and URLs &gt; 250) for your environment.</li>
<li>Investigate any alerts generated by the Sigma rule to identify the source IP address and the target web server, then check the associated logs.</li>
<li>Review WAF/CDN logs for rate limiting and blocks related to the suspicious source IP, as recommended in the overview.</li>
<li>Implement rate limiting on web servers to mitigate the impact of web server discovery and fuzzing attempts, as mentioned in the overview.</li>
<li>Harden the web tier by disabling directory listing and default app endpoints, blocking patterns like /.git/, /.env, and /backup.zip at the WAF, and restricting origin access to CDN egress only, as mentioned in the overview.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>reconnaissance</category><category>web-server</category><category>fuzzing</category></item></channel></rss>