PHP RFI: Old Attack, Common #FAIL

I just completed the slides for my new presentation on application security. It is focused on understanding Remote File Include attacks against PHP implementations.

The preso covers what they are, how common they are, metrics, signatures, code examples and guidance for finding and mitigating them.

If there is interest, I will try and either record audio or video of the presentation and post that separately. If you would like to see/hear that in the near future, leave a comment below.

This research and the resulting project were made possible by two facets of MicroSolved, Inc. that we don’t talk a lot about, so here is some info on the power behind this project.

The first, is our application security assessments. We have really been focusing on these projects recently and my team has been working hard to complete assessments for clients, as well as a variety of open source/community tools. As a part of our deep lab capability here and our relationship with Syhunt, in Brazil, we have been working together to test and improve their Sandcat4PHP and Sandcat Pro products (which we distribute/resell for them in the US). Essentially, this gives us a very deep capability to “grey box” test PHP applications. For those unfamiliar with grey box testing, that means that the tools and engineers have both access to the source code (white box) and a useable testing version implementation (black box). Combined, this testing methodology creates a very robust, accurate and thorough capability to exercise and examine an application. Manual and automated assessments intertwine to achieve maximum width and depth of assessment.

The second facet that powered this project was the HoneyPoint Internet Threat Monitoring Environment (HITME). This is a rapidly-growing network* of HoneyPoint deployments donated to MSI for the purpose of gathering attack data. The HoneyPoint agents are deployed in a variety of international locations to give us a real-time, global view of attacker sources, frequency and tactics for our research projects. The HITME is a unique capability to MSI and brings us data that most other security organizations can only dream of. In turn, we take the gathered knowledge and give it back to the security community in presentations and projects like this and the @honeypoint/#HITME feeds on Twitter and use it to protect our clients against an ever-growing arsenal of threats.

Combined, these capabilities have helped us identify hundreds of new PHP RFI attack signatures (which we plan to release shortly), find privately released PERL and PHP attack code/bot-net infectors (shared with the AV & IDS/IPS vendors) and build this presentation for the security community.

It also opened our eyes to just how popular PHP has become and how large the footprint is in corporate organizations and businesses around the world. In a recent survey, about 50% of the polled population stated that they did not have PHP in their enterprise, but did indicate that they use some combination of WordPress, Drupal, Joomla, Moodle, etc. All of these technologies are written in and utilize PHP! To the MSI team, this represents another area where the underlying technology is not understood in our corporate networks. This is another “unknown” for the attacker to leverage.

I hope you enjoy the presentation slides and I look forward to presenting this in public. If you would like to discuss more about our application security capabilities or the HITME, please let me know.

* Organizations and individuals can donate the operation of an Internet facing HoneyPoint Agent to MSI. Depending on the situation, they may receive a free license for HoneyPoint or the HoneyPoint Managed Service for their organization or home network. If you think you might be interested, please let me know and we can discuss how we might be able to work together.
This entry was posted in General InfoSec by Brent Huston. Bookmark the permalink.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

One thought on “PHP RFI: Old Attack, Common #FAIL

  1. Pingback: MSI :: State of Security » Catching PHP RFI Infected Hosts with Log Greps

Leave a Reply