Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: What happened to RFI attacks? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
What happened to RFI attacks?

Recently, I noticed a remarkable decrease in remote file inclusion attacks against my web servers. Usually, I easily detected 100+ attacks per day using a simple regular expression match. These days, I see maybe a dozen (and they are usually only 2-3 distinct "attacks" meaning different exploits or different attackers.

The number of vulnerabilities exploited also decreased a lot, with many of the older vulnerabilities being no longer probed. 

Have all vulnerable systems been exploited or cleaned up? These attacks where never very effective, and a lot of exploits used would not have been successful even against vulnerable systems. In addition, the attacks where usually launched blindly without recognizance, leading to a lot of hits to non existent pages.

For the few attacks still out there, the pattern doesn't have changed much. I checked out a couple of the payloads and they are either simple indicators or PHP IRC bots.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS Brussels September 2019

Johannes

3603 Posts
ISC Handler
Have you noticed the lack of Wordpress spam. A lot of it came from Ubiquity Servers- a VPS provider with servers there was disconnected and all the spam dropped. As for the RFI attacks, what if the new attack is patching RFI vulnerabilities in a system to use it for something else than noisy scanning?
Anonymous
Also, most RFI attacks were "register_globals" specific, which is now deprecated.
http://php.net/manual/en/security.globals.php
Anonymous

Sign Up for Free or Log In to start participating in the conversation!