Catching PHP RFI Infected Hosts with Log Greps

I posted details here along with a current list of PHP RFI drop hosts that are being used to compromise web servers with vulnerable code.

You can use the list along with grep/regex to scan your outbound web/firewall/proxy logs for web servers that are likely infected with bot code from the scanners using these sites.

The link to the list and such is here:

This data was entirely generated using captured events from the last several weeks by the Honeypoint Internet Threat Monitoring Environment (#HITME). You can find more information about HoneyPoint here.

If you would like to learn more about PHP RFI attacks, please feel free to drop me a line, check out @lbhuston on Twitter and/or give my RFI presentation slides a look here. If you would like to schedule a presentation or webinar for your group on PHP RFI, HoneyPoint or PHP/web application security testing, please give us a call at 614-351-1237 x206.

As always, we appreciate your reading State of Security and we hope you make powerful use of the information here.

One thought on “Catching PHP RFI Infected Hosts with Log Greps

  1. Pingback: What the Heck Is FeeLCoMz? | | MSI :: State of SecurityMSI :: State of Security

Leave a Reply