I posted details here along with a current list of PHP RFI drop hosts that are being used to compromise web servers with vulnerable code.
You can use the list along with grep/regex to scan your outbound web/firewall/proxy logs for web servers that are likely infected with bot code from the scanners using these sites.
The link to the list and such is here: http://hurl.ws/cf5s
This data was entirely generated using captured events from the last several weeks by the Honeypoint Internet Threat Monitoring Environment (#HITME). You can find more information about HoneyPoint here.
If you would like to learn more about PHP RFI attacks, please feel free to drop me a line, check out @lbhuston on Twitter and/or give my RFI presentation slides a look here. If you would like to schedule a presentation or webinar for your group on PHP RFI, HoneyPoint or PHP/web application security testing, please give us a call at 614-351-1237 x206.
As always, we appreciate your reading State of Security and we hope you make powerful use of the information here.