Remote file inclusion attacks

September 20, 2011 in Exploit This Blog

If you run a website, you have been hit with remote file inclusion attacks. Zombie hosts constantly crawl the web launching remote file inclusion scripts that scan thousands of domains.

Most remote file inclusion (RFI) attacks target PHP. But don't get it twisted: SHTML and the other “languages” spoken on the web are vulnerable too.

RFIs work by exploiting applications that dynamically reference external scripts. For example, if an application builds the path of a script it includes from outside input, an attacker can send crafted input that causes the application to fetch and execute the attacker's code. This “exploit” can result in data theft or even access to the server itself.

Most of the time the remote attack code is hosted on a compromised web server. A good way to secure your application is to validate the input it receives. You can also block known vulnerability signatures, and blacklist known malicious sources and the domains that attack code is hosted on.
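To make the mechanism concrete, here is an added example (not code from the original post) of the PHP pattern these bots probe for, beside a hardened replacement. The parameter name `lang`, the `lang/` directory and the allowlist contents are assumptions chosen for illustration.

```php
<?php
// Added example, not from the original post. The parameter name "lang",
// the lang/ directory and the allowlist entries are illustrative assumptions.

// VULNERABLE: the value of ?lang= is spliced straight into include().
// With allow_url_include=On, a value such as http://host.example/x.jpg?
// makes PHP fetch and execute remote code. The trailing "?" is why the
// logged payload URLs end that way: whatever the application appends
// (".php" here) becomes a query string on the remote request and is ignored.
function render_vulnerable(string $lang): void
{
    include 'lang/' . $lang . '.php';
}

// HARDENED: accept only keys from a fixed allowlist and map them to files
// the application controls; never build a path from the raw value.
const ALLOWED_LANGS = ['en' => 'lang/en.php', 'de' => 'lang/de.php'];

function resolve_lang(string $lang): ?string
{
    return ALLOWED_LANGS[$lang] ?? null;
}

function render_hardened(string $lang): void
{
    $file = resolve_lang($lang);
    if ($file === null) {
        http_response_code(400);
        // Record the rejected value and source so repeat scanners can be
        // identified later; this is the raw material for your own blocklist.
        error_log(sprintf('RFI attempt blocked: lang=%s ip=%s',
            $lang, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return;
    }
    include __DIR__ . '/' . $file;
}

render_hardened($_GET['lang'] ?? 'en');
```

The allowlist is the real fix; as defence in depth, also keep `allow_url_include = Off` in php.ini (the default), so that an include of an `http://` URL fails even if a vulnerable pattern slips through.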

There are places on the web where you can find lists of known malicious IP addresses. It is also really easy to compile your own as you receive scans; I assure you that you will receive multiple scans from the same IP address.

Here are a few bots that have hit my site over the last few days.
(I added X's to the URLs to prevent people from clicking the links.)

What was targeted:REQUEST.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:189.114.93.100

What was targeted:GET.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:189.114.93.100

What was targeted:REQUEST.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:202.29.86.7

What was targeted: GET.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:202.29.86.7

What was targeted: REQUEST.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:118.129.167.26

What was targeted: GET.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:118.129.167.26

What was targeted: REQUEST.lang
Malicious Code URL:http://some.thesome.comXXXX/etc/byz9991.jpg??
IP address:112.78.8.18

What was targeted: GET.lang
Malicious Code URL:http://some.thesome.comXXXX/etc/byz9991.jpg??
IP address:112.78.8.18

What was targeted: REQUEST.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:188.165.198.194

What was targeted: GET.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:188.165.198.194
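As an added example (not part of the original post), the script below parses entries in the three-line format shown above, collapses each GET/REQUEST pair into a single request, and tallies scans per source IP and per host serving the payload. It assumes that a `REQUEST.x` entry and a `GET.x` entry with the same IP and URL are one request logged under two superglobals (`$_REQUEST` contains `$_GET`); the sample input is constructed from the entries listed above.

```php
<?php
// Added example, not part of the original post. Parses the three-line log
// format above, dedupes GET/REQUEST pairs, and tallies per IP and per host.
// Assumption: a REQUEST.x and GET.x entry with the same IP and URL are the
// same request logged twice ($_REQUEST contains $_GET).

// Constructed sample, built from entries in the list above.
$sample = <<<'LOG'
What was targeted:REQUEST.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:189.114.93.100

What was targeted:GET.abspath
Malicious Code URL:http://www.haircuttingfun.comXXXX/poll/lang/.etc/myid.jpg?
IP address:189.114.93.100

What was targeted: REQUEST.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:118.129.167.26

What was targeted: GET.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:118.129.167.26

What was targeted: REQUEST.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:188.165.198.194

What was targeted: GET.lang
Malicious Code URL:http://www.diplomatic-bg.comXXXX/webalizer/web/.ccpower/byz9991.jpg??
IP address:188.165.198.194
LOG;

/** Split the log into records with keys target, param, url, ip. */
function parse_rfi_log(string $text): array
{
    $records = [];
    foreach (preg_split('/\R{2,}/', trim($text)) as $block) {
        $rec = [];
        foreach (preg_split('/\R/', $block) as $line) {
            if (preg_match('/^What was targeted:\s*(\S+)/', $line, $m)) {
                $rec['target'] = $m[1];
                $parts = explode('.', $m[1], 2);   // REQUEST.lang -> lang
                $rec['param'] = end($parts);
            } elseif (preg_match('/^Malicious Code URL:\s*(\S+)/', $line, $m)) {
                $rec['url'] = $m[1];
            } elseif (preg_match('/^IP address:\s*(\S+)/', $line, $m)) {
                $rec['ip'] = $m[1];
            }
        }
        // Keep only complete records that carry a syntactically valid IP.
        if (isset($rec['param'], $rec['url'], $rec['ip'])
            && filter_var($rec['ip'], FILTER_VALIDATE_IP) !== false) {
            $records[] = $rec;
        }
    }
    return $records;
}

/** Collapse GET/REQUEST duplicates of the same request into one record. */
function dedupe_requests(array $records): array
{
    $seen = [];
    foreach ($records as $r) {
        $seen[$r['ip'] . '|' . $r['param'] . '|' . $r['url']] = $r;
    }
    return array_values($seen);
}

/** Scans per source IP, most active first: candidates for a blocklist. */
function tally_by_ip(array $records): array
{
    $counts = [];
    foreach ($records as $r) {
        $counts[$r['ip']] = ($counts[$r['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

/** Hosts serving the payload. These are usually compromised sites, so block
 *  the URL pattern at the application or WAF rather than treating the site
 *  owner as the attacker. */
function payload_hosts(array $records): array
{
    $hosts = [];
    foreach ($records as $r) {
        $host = parse_url($r['url'], PHP_URL_HOST);
        if (is_string($host)) {
            $hosts[$host] = ($hosts[$host] ?? 0) + 1;
        }
    }
    arsort($hosts);
    return $hosts;
}

$raw = parse_rfi_log($sample);
$requests = dedupe_requests($raw);
printf("%d log entries, %d distinct requests\n", count($raw), count($requests));
foreach (tally_by_ip($requests) as $ip => $n) {
    printf("%-16s %d scan(s)\n", $ip, $n);
}
foreach (payload_hosts($requests) as $host => $n) {
    printf("payload host %-28s %d\n", $host, $n);
}
```

Run it against a log accumulated over days rather than this six-entry sample and the per-IP counts become a ranked list you can feed into a firewall or WAF blocklist, while the per-host counts tell you which payload URL patterns to add to your signature rules.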