RFI Attacks
Posted by: 11Mystics
Posted on: 2008-05-19 11:02:00
Hi,
My site was attacked yesterday using an RFI scheme. I was able to capture some important data about what the hacker was doing, including the script he was using. He was targeting payment scripts in my e-commerce application aMember, but fortunately I caught him in the act and removed the excess stuff he was trying to exploit.
I hold my own with the technical stuff, but it's not my strength when it comes to server configuration and the security of PHP scripts. I was wondering if someone could give me some advice about how to configure my settings to ensure I'm not vulnerable to RFI attacks. I'm including the response from the hacker's web host here. He gave me some good advice, but I don't really understand how to do this myself. I run WordPress and aMember - aMember explicitly sets register_globals to OFF, but I think this guy might mean at the PHP level, not just the application (that's using it) level.
Here's the host's response to my abuse ticket:
"Thank-you for reporting this abuser in such great detail. I was able to tarball and disable the account and picked apart the code to see what's going on.
The most important thing you can do to help stop these RFI exploits is to adjust your php to Disable the Register_Globals and stop fopen and other functions that allows the abusers to load files from other servers. They're using your php script to load the perl script into your servers /tmp folder under a file named sess_0bdd95ab768468a84acc22b7B0by1620 which then scans for other php files that can load more txt files on other servers. This then reports back and loads more txt files from our SiteSled server.
We tell everyone to lock down their own servers, update their scripts while we erase the abuser's files. Today I plan on adjusting our mod_rewrite so that no one can hotlink txt files from our server anymore."