ID 120 SOC170
Passwd Found in Requested URL - Possible LFI Attack

LetsDefend alert triage practice

Alert Overview

Investigation

Initial Triage: Threat Intel

The request already looks shady, but let’s walk through it.

Source IP address 106.55.45[.]162 is flagged as malicious (reported 3459 times), in particular for SSH attacks.

Log Management

Logs show 1 inbound request from the flagged IP — allowed by the firewall — but the HTTP response is 500.

No outgoing traffic to the IP is recorded.

Endpoint Security

No endpoint events were triggered during the timeframe.

The targeted server (webserver1006) is running Windows Server 2019, so this request is pretty useless:

  • Windows uses backslashes (\) — not forward slashes.

  • It doesn’t have /etc/passwd — that’s a Linux thing.

  • The path traversal (../../../../) won’t resolve meaningfully on Windows unless something really insecure is going on.


Conclusion

The event is a true positive — the source is malicious, and the request is sketchy — but the attack failed.

Still worth blacklisting the IP and monitoring the server for similar attempts.

Playbook Execution

Is Traffic Malicious?

Yes

What Is The Attack Type?

LFI

Check If It Is a Planned Test

Not planned

What Is the Direction of Traffic?

internet -> company network

Was the Attack Successful?

no

Need for Tier 2 Escalation?

no

Add Artifacts

Artefact | Description | Type
106.55.45[.]162 | Malicious IP | IP

Verdict

True Positive

Analyst Summary Report

Summary of findings

An inbound HTTP request from a known malicious IP address (106.55.45[.]162) targeted a Windows Server 2019 instance (webserver1006) with a classic Local File Inclusion (LFI) payload attempting to access /etc/passwd. Although the attack technique is valid, the payload was ineffective due to OS mismatch (Linux-targeted path on a Windows system) and produced an HTTP 500 response.

No endpoint activity was recorded, and no signs of lateral movement or exploitation were observed. The event is categorized as a true positive, but the attack did not succeed.

Remediation recommendations
  • Blacklist the IP address (106.55.45[.]162) at the perimeter firewall or intrusion prevention system.
  • Monitor server logs for similar attack patterns targeting Windows or Linux path traversal vectors.
  • Perform a web application hardening check — ensure the application isn’t processing user-supplied file paths insecurely.
  • Consider adding WAF rules to block generic LFI patterns like ../../ or access to sensitive path keywords.
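The OS-mismatch reasoning above (the payload is Linux-shaped but the target is Windows) and the recommendation to monitor for traversal patterns and sensitive path keywords both come down to the same detection logic: normalise the requested path, then look for traversal sequences and well-known file names regardless of which OS they belong to. The following Python script is an added example written for this write-up, not part of the LetsDefend alert or any vendor tooling. The access-log lines it scans are constructed; only the source IP and the /etc/passwd payload mirror the alert, and the timestamps, hostnames and other requests are made up. It decodes double-encoded payloads, folds Windows backslashes into forward slashes so one traversal check covers both styles, and keeps the HTTP status so an analyst can see at a glance that the flagged requests returned 500 rather than 200.

```python
"""Detect LFI / path traversal attempts in web access logs.

Added example, not part of the original write-up. The sample log below is
constructed: the IP and the /etc/passwd payload mirror the alert, everything
else (timestamps, other client IPs, the Windows-style request) is made up.
"""
import re
from urllib.parse import unquote

# File names commonly used as indicators in LFI detection rules. Both Linux
# and Windows targets are listed so the check is not tied to one OS.
SENSITIVE_KEYWORDS = (
    "/etc/passwd",
    "/etc/shadow",
    "/proc/self/environ",
    "win.ini",
    "boot.ini",
)

# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str) -> str:
    """Decode up to three layers of URL encoding and unify separators.

    Double encoding (%252e%252e%252f) is a common way to slip past naive
    filters, so decoding repeats until the string stops changing. Backslashes
    are folded to forward slashes so a single "../" check also catches
    Windows-style "..\\" traversal.
    """
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify_request(path: str) -> list[str]:
    """Return the detection reasons for a request path (empty if clean)."""
    norm = normalize_path(path)
    reasons = []
    if "../" in norm:
        reasons.append("path_traversal")
    for kw in SENSITIVE_KEYWORDS:
        if kw in norm:
            reasons.append(f"sensitive_file:{kw}")
    return reasons


def scan_access_log(log_text: str) -> list[dict]:
    """Parse access-log lines and return only the suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        reasons = classify_request(m["path"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample log: one benign request, the alert's payload, a
# double-encoded variant of it, and a Windows-style traversal attempt.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120
106.55.45.162 - - [01/Mar/2022:10:15:42 +0000] "GET /?file=../../../../etc/passwd HTTP/1.1" 500 0
106.55.45.162 - - [01/Mar/2022:10:15:43 +0000] "GET /?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0
198.51.100.7 - - [01/Mar/2022:10:16:00 +0000] "GET /download?name=..\\..\\windows\\win.ini HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["reasons"], hit["path"])
```

Running the script flags three of the four constructed lines: the two /etc/passwd requests from the alert's IP (including the double-encoded one, which a plain substring match on "../" would miss) and the Windows-style win.ini request from a different client. The same normalisation is what a WAF rule for "generic LFI patterns" needs to apply before matching, otherwise encoding alone defeats it.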

SYN / ACK

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.