RFI Attacks

wordpress

#1

Hi,

My site was attacked yesterday using an RFI scheme. I was able to capture some important data about what the hacker was doing, including the script he was using. He was targeting payment scripts in my e-commerce application aMember, but fortunately I caught him in the act and removed the excess stuff he was trying to exploit.

I hold my own with the technical stuff, but it’s not my strength when it comes to server configuration and the security of PHP scripts. I was wondering if someone could give me some advice about how to configure my settings to ensure I’m not vulnerable to RFI attacks. I’m including the response from the hacker’s web host here. He gave me some good advice, but I don’t really understand how to do this myself. I run WordPress and aMember - aMember explicitly sets register_globals to OFF, but I think this guy might mean at the PHP level, not just the application (that’s using it) level.

Here’s the host’s response to my abuse ticket:

"Thank you for reporting this abuser in such great detail. I was able to tarball and disable the account and picked apart the code to see what’s going on.

The most important thing you can do to help stop these RFI exploits is to adjust your PHP to disable register_globals and stop fopen and other functions that allow the abusers to load files from other servers. They’re using your PHP script to load the Perl script into your server’s /tmp folder under a file named sess_0bdd95ab768468a84acc22b7B0by1620, which then scans for other PHP files that can load more txt files on other servers. This then reports back and loads more txt files from our SiteSled server.

We tell everyone to lock down their own servers, update their scripts while we erase the abuser’s files. Today I plan on adjusting our mod_rewrite so that no one can hotlink txt files from our server anymore."


#2

Remote file inclusion attacks should be impossible on a default DreamHost setup, because the PHP allow_url_fopen directive is disabled in DreamHost’s default php.ini file. Further protection is afforded for those DreamHosters who have chosen to set their domains to run PHP5, because the default setup disables register_globals and register_long_arrays. Some customers have chosen to use custom php.ini files, or customized PHP installations, to re-enable some or all of these features (curse them for introducing vulnerabilities on the shared servers!) but default setups shouldn’t be explicitly vulnerable.

si-blog
Max discount on any plan with promocode SCJESSEYTOTAL
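To make the two settings in the reply above concrete, here is an added PHP illustration (not code from aMember, WordPress or DreamHost) of what `allow_url_fopen` and `register_globals` change about ordinary include and login code, with the hardened shape beside each. File names, the `page` and `password` parameters and the secret are made up for the example.

```php
<?php
// Added example for this thread; not code from any project named in it.
// 1. Report the php.ini settings that matter for RFI. On PHP 4 allow_url_fopen
//    alone decides whether include() will fetch http:// URLs; PHP 5.2 and later
//    add the separate allow_url_include directive (ini_get returns false when a
//    directive does not exist in the running PHP version).
function rfi_settings_report() {
    $names = array('allow_url_fopen', 'allow_url_include', 'register_globals');
    foreach ($names as $name) {
        $value = ini_get($name);
        $state = ($value === false) ? 'not in this PHP' : ($value ? 'On' : 'Off');
        echo str_pad($name, 18) . ': ' . $state . "\n";
    }
}

// 2. The vulnerable shape: a request parameter decides which file is included.
//    With allow_url_fopen (PHP 4) or allow_url_include (PHP 5.2+) On, a value
//    that is a URL makes PHP download and execute whatever that URL returns.
function show_page_vulnerable() {
    include $_GET['page'] . '.php';
}

// 3. Hardened shape: the request only selects a key in a fixed map, so neither
//    a URL nor a path outside the pages/ directory can ever reach include().
//    Works the same whether or not the php.ini directives are locked down.
function show_page_safe($requested) {
    $pages = array('home' => 'home.php', 'cart' => 'cart.php', 'thanks' => 'thanks.php');
    $key = isset($pages[$requested]) ? $requested : 'home';
    include dirname(__FILE__) . '/pages/' . $pages[$key];
}

// 4. register_globals: with it On, a request such as ?authorized=1 creates the
//    global $authorized before this script runs. Code that only sets the flag on
//    success is then bypassed from the URL alone:
//
//        if ($password === $secret) { $authorized = true; }
//        if ($authorized) { /* member area */ }   // already true when On
//
//    Initialising the flag first and reading input explicitly from $_POST
//    defeats that regardless of the php.ini setting.
$authorized = false;
$password   = isset($_POST['password']) ? $_POST['password'] : '';
if ($password === 'constructed-example-secret') {   // placeholder, not a real secret
    $authorized = true;
}

rfi_settings_report();
show_page_safe(isset($_GET['page']) ? $_GET['page'] : 'home');
```

Running `rfi_settings_report()` from the command line (`php -f` on the file) is a quick way to see what the active php.ini actually sets, which phpinfo() also shows as mentioned in the next post.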


#3

So I ran phpinfo and I see that I’m on PHP 4.4.8. fopen is disabled, but register_globals is on.

What exactly does register_globals do?

Should I disable that and if so, how? Via FTP, I don’t see that I have access to the php.ini file.


#4

If you follow the link in my post above (register_globals), it explains everything. Switch to using PHP5 for more security.



#5

Ah thanks, I didn’t realize those were actually links :)