Home » In Other News

Remote File Include Attacks

Posted 8 Sep 2007 | Comments Off on Remote File Include Attacks | 1,254 views

Remote File Include (RFI) attacks appear to be on the rise for some of the sites that we manage. RFI attacks work by attempting to inject malicious code into the target site and having the output displayed inside the target page. This is usually done by passing the URL of the malicious code as a variable value to the target.  Frequently the source of the malicious code is a site that has been sucessfully attacked. For example:


The attacks varied in complexity, but all of them are scripted. The sequential HTTP requests are too closely timed to be manual attempts. Surprisingly, about 60% of the include attempts are recon attempts- simple scripts to gather information about the target site. We even encountered several version of the same PHP code which was rebranded by the attacker. The other popular remote include was r57shell. This tool gives interactive access to the attacker.

Some of the attackers were scanning for known exploits in vulnerable applications. These attackers made the same HTTP request with the malicious include across several virtual hosts, even thought the desired vulnerable application was not even installed. This type of attack was not very common. The more frequently used attack was to attempt to include the remote code by trying different variable names such as idpage, and template. A few attackers attempted to avoid detection by using different source IP addresses, but it was relatively easy to group them together because they attempted to include code from the same URL or they branded their include code.

The ideal defense against this attack is to write clean code that is not susceptible to an include attack. When dealing with variables, the data must be tested for bounds, type, and value. This takes time and attention to detail. Other server-side tools such as ModSecurity can be used to mitigate the chance of a successful attack.

Comments are closed.