SOC170 – Passwd Found in Requested URL – Possible LFI Attempt
🧠 Summary
This investigation was triggered by a SOC170 – Passwd Found in Requested URL – Possible LFI Attack alert.
The alert detected a request attempting to access the sensitive Linux file /etc/passwd using directory traversal sequences (../../../../).
Further analysis confirmed this was a malicious Local File Inclusion (LFI) exploitation attempt, but there is no evidence of successful compromise.
🚨 Alert Overview
- Event ID: 120
- Rule: SOC170 – Passwd Found in Requested URL – Possible LFI Attack
- Severity: High
- Hostname: WebServer1006
- Destination IP: 172.16.17.13
- Source IP: 106.55.45.162
- HTTP Method: GET
- Device Action: Permitted
🔍 Requested URL
https://172.16.17.13/?file=../../../../etc/passwd
🔎 Initial Log Analysis
Raw Log Findings
- HTTP Response Status: 500
- HTTP Response Size: 0
- User-Agent: Mozilla/4.0 (MSIE 6.0; Windows NT 5.1)
Interpretation
- Status 500 indicates Internal Server Error
- Response size 0 suggests no file content was returned
- No /etc/passwd content observed in logs
- The server processed the request but failed internally
This strongly suggests the exploitation attempt was unsuccessful.
🛠 Attack Technique Breakdown
📁 What is Being Attempted?
The attacker used:
../../../../etc/passwd
This is a directory traversal payload.
🔁 How Directory Traversal Works
- ../ → Move up one directory
- ../../../../ → Move up four directory levels
- /etc/passwd → Sensitive Linux system file
If the web application includes files directly from user input (e.g., include($_GET['file']);), this can allow attackers to read local system files.
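To show how the alert logic and the triage reasoning above translate into code, here is an added Python example (not part of the original write-up) that scans constructed web-server log lines for traversal sequences or /etc/passwd in the requested URL after percent-decoding, and marks a hit as unsuccessful when the response is not a 200 with a non-empty body, the same reasoning applied to the 500 / size 0 response in this case. The log line format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server log lines (not from the original alert).
# Format: "src_ip method request_url status response_size"
SAMPLE_LOGS = [
    "106.55.45.162 GET /?file=../../../../etc/passwd 500 0",
    "203.0.113.7 GET /?file=..%2F..%2F..%2Fetc%2Fpasswd 200 1843",
    "198.51.100.9 GET /?file=about.html 200 512",
    "192.0.2.5 GET /?file=....//....//etc/passwd 404 0",
]

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")   # ../ or ..\ after decoding
PASSWD_RE = re.compile(r"/etc/passwd")


def normalize_url(url: str) -> str:
    """Decode percent-encoding twice so encoded (%2e%2e%2f) and
    double-encoded (%252e...) traversal sequences are inspected in clear."""
    return unquote(unquote(url))


def parse_log_line(line: str) -> dict:
    src, method, url, status, size = line.split()
    return {"src": src, "method": method, "url": url,
            "status": int(status), "size": int(size)}


def triage_event(event: dict):
    """Return None for a benign request, otherwise a finding that mirrors
    the SOC170 reasoning: traversal or /etc/passwd in the URL raises the
    alert; a non-200 status or empty body means no content came back."""
    url = normalize_url(event["url"])
    traversal = bool(TRAVERSAL_RE.search(url))
    passwd = bool(PASSWD_RE.search(url))
    if not (traversal or passwd):
        return None
    if event["status"] == 200 and event["size"] > 0:
        outcome = "possible file disclosure - escalate"
    else:
        outcome = "unsuccessful attempt"
    return {"src": event["src"], "decoded_url": url, "traversal": traversal,
            "passwd": passwd, "outcome": outcome}


def triage_logs(lines):
    """Run the triage over a list of log lines; None entries are benign."""
    return [triage_event(parse_log_line(line)) for line in lines]


if __name__ == "__main__":
    for finding in triage_logs(SAMPLE_LOGS):
        if finding:
            print(finding)
```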
📌 Why /etc/passwd?
The /etc/passwd file contains:
- System usernames
- User IDs (UID)
- Home directories
- Default shells
While modern systems store password hashes in /etc/shadow, access to /etc/passwd confirms:
- LFI vulnerability exists
- File read access is possible
- Further exploitation may follow
🌍 Source IP Investigation
IP Address: 106.55.45.162
ASN: 45090
ISP: Tencent Cloud Computing
Country: China
Service Type: Data Center / Transit
VirusTotal Results
- 0 security vendors flagged the IP
- Community score negative due to historical SSH attacks (3 years ago)
- No recent malicious detections
Assessment
- Data center IPs are commonly used for automated scanning
- No active malware or campaign indicators found
- No additional suspicious activity from this IP observed
🖥 Endpoint & Network Investigation
The following checks were performed:
| Check | Result |
|---|---|
| Endpoint CLI activity | Clean |
| Network connections | Clean |
| Web server logs | Only single LFI attempt |
| Email logs | No phishing campaign |
| Lateral movement | None detected |
No indicators of compromise were identified.
🎯 Was the Attack Successful?
Based on:
- HTTP 500 response
- Zero response size
- No /etc/passwd content in logs
- No follow-up exploitation attempts
Conclusion:
❌ No successful file disclosure
❌ No system compromise
✔ Malicious exploitation attempt detected
📊 Attack Classification
| Category | Result |
|---|---|
| Attack Type | Local File Inclusion (LFI) Attempt |
| Directory Traversal Used | Yes |
| Sensitive File Targeted | /etc/passwd |
| Exploitation Successful | No |
| Host Compromised | No |
| Threat Actor Activity | Likely Automated Scanner |
| Alert Classification | True Positive (Unsuccessful Attempt) |
🛡 MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
- T1006 – Path Traversal
🧠 Analyst Conclusion
This alert represents a malicious Local File Inclusion (LFI) exploitation attempt targeting the /etc/passwd file using directory traversal.
Although the web server permitted the request, the HTTP 500 response and zero response size indicate the attack was unsuccessful.
There is no evidence of:
- File disclosure
- Remote code execution
- Lateral movement
- Persistent access
The activity is consistent with automated internet-wide scanning for vulnerable web applications.
🛡 Recommendations
- Implement strict input validation (whitelisting file names)
- Avoid direct file inclusion using user input
- Deploy WAF rules to block:
  - ../ sequences
  - /etc/passwd
  - Path traversal patterns
- Perform application security testing for LFI vulnerabilities
- Monitor for repeated attempts from the same IP range
🏁 Final Verdict
This incident is classified as:
True Positive – Unsuccessful LFI Exploitation Attempt
No evidence of compromise was found. Continuous monitoring and web application hardening are recommended.