7/8/2008 6:40:00 PM

A witness to a real-time RFI attack

by Bahaa Naamneh

In this entry, I'm going to demonstrate an example of an RFI attack, all stages of which we witnessed. We came across this incident during routine CSRT monitoring and inspection of the world of underground IRC networks.

Hackers take advantage of IRC to operate servers devoted to scanning the Web for websites vulnerable to RFI or SQL Injection, and to trading credit card numbers and PayPal accounts. An RFI (Remote File Inclusion) attack is the act of intruding into a website from a remote computer by running the hackers' own PHP code on the vulnerable website.

In a certain IRC channel, a bot which began scanning for websites vulnerable to RFI attacks caught our attention. The bot then found a bunch of websites ripe for an RFI attack.

To lay their hands on one of these vulnerable websites, the hackers used a PHP shell page that provides multiple functions under their control. The PHP shell provides functions such as browsing the files on the server hosting the website, executing commands, uploading files to the server, and other operations that facilitate the process of taking control of the target website.

We were not surprised to see the victim website already defaced a few minutes later. Two days later, the website owners stated that their site had been hacked in the following statement:

Currently, it seems to us that the owners of the above website have regained control of their website and fixed the RFI vulnerability that the hackers exploited.
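
From the defender's side, a scan like the one described above is visible in web server access logs as requests whose query parameters carry a remote URL. The following detection example is added here and is not part of the original post; the log lines, hostnames, the `URL_PARAMS_OK` allowlist and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache combined log format (not from the incident).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jul/2008:18:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Jul/2008:18:02:40 +0000] "GET /index.php?page=http://files.example.net/id.txt HTTP/1.1" 200 311 "-" "libwww-perl/5.808"
198.51.100.23 - - [08/Jul/2008:18:02:41 +0000] "GET /view.php?inc=hTTp%253A%252F%252Ffiles.example.net%252Fid.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.808"
203.0.113.9 - - [08/Jul/2008:18:03:05 +0000] "GET /out.php?url=http://www.example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)
# Assumed allowlist: (path, parameter) pairs that legitimately carry a URL.
URL_PARAMS_OK = {("/out.php", "url")}

def find_rfi_probes(log_text):
    """Return (client, path, param, value, status) for each suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # second decode catches double-encoded values
            if REMOTE_RE.match(value) and (parts.path, name) not in URL_PARAMS_OK:
                hits.append((client, parts.path, name, value, status))
    return hits

def summarize(hits):
    """Group hits per client; a 200 means the target script exists, so review it first."""
    by_client = {}
    for client, path, _name, _value, status in hits:
        entry = by_client.setdefault(client, {"requests": 0, "served_200": []})
        entry["requests"] += 1
        if status == 200:
            entry["served_200"].append(path)
    return by_client

if __name__ == "__main__":
    for client, info in summarize(find_rfi_probes(SAMPLE_LOG)).items():
        print(client, info)
```

A 200 status only shows that the script answered; whether the include parameter is actually vulnerable still has to be confirmed in the code.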
