Slashdot Mirror

← Back to Stories (view on slashdot.org)

Anonymizing RFI Attacks Through Google

Posted by ryuzaki0 on from the anonymizing-isn't-in-my-spellchecker dept.

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

9 of 66 comments (clear)

  1. Anonymous? by tttonyyy · · Score: 3, Informative

    Aside from triggering the attack, how does this make it anonymous?

    Surely the "http://URI-with-malicious-code.php" section will still create logs on the victim server pointing to the source of the malicious code (but perhaps not who triggered it).

    --
    biopowered.co.uk - catalytically cracking triglycerides for home automotive use since 2008. Just say no to big oil!
    1. Re:Anonymous? by Zedrick · · Score: 3, Informative

      Yes, but the URI-with-malicious-code is usually something like: http://www.geocities.com/xxxxxxx/xxx.txt

      At least that's what I usually see every time I check the logs of a website I'm going to shut down for allowing foreign includes (to be run).

  2. change behaviour for bots by cucucu · · Score: 4, Informative

    In your server, you can code the logic to take another action if the user agent is a bot.
    Here you have a db of web robots.

  3. How not Who by MartinJW · · Score: 5, Informative

    If your web application is vulnerable to attack then I would have thought it makes no difference where that attack comes from - be it a 'real' person or a search bot. You should spend more time worrying about whether your application is secure, the how is more important than the who.

  4. Re:RFI by Anonymous Coward · · Score: 2, Informative

    Nice explanation here.

  5. Remote File Inclusion by Bogtha · · Score: 4, Informative

    Remote File Inclusion. It's a pretty poor term for this type of attack, because it's not the act of inclusion that causes the problem, it's the act of requesting the file in the first place.

    --
    Bogtha Bogtha Bogtha
  6. RFI? How about defining this? by Ashtead · · Score: 5, Informative

    Radio Frequency Interference? Request for Information? Radio France Internationale? Rodent Fangs Implementation? WHAT?

    How about explaining what such an ambigious acronym actually means initially. As neither TFA nor the summary seems to have done so, I therefore will have do it here, just to make heads and tails of the rest of the discussion and perhaps illuminate someone else. Hit Google, slog through a pile of links indicating one of the above, or some company whose name includes the three letters. There are many of these. On Page 3 I found the Wikipedia page for this TLA, on which there is a dead link to what this must be: Remote File Inclusion.

    How about that.

    I was wondering if it was just me, that I had been off-line for too long (like 2 days) and missed out on the latest and greatest buzzword, again?

    --
    SIGBUS @ NO-07.308
    1. Re:RFI? How about defining this? by hey! · · Score: 3, Informative

      I'm guessing from the text of the article it is Remote File Inclusion.

      The description of the mechanism doesn't really makes sense. If you can exploit a victim site by feeding it an evil URL in a form parameter, why use Google at all? You've lost anonymity by including the URL.

      Looking at the described effects, it sounds like what they do is feed google some malicious code wrapped up in something that looks like a URL on the victim site. Then Google spiders the URL, placing malicious content in the form parameters.

      So, suppose you have a malicious SQL injection attack that causes your database dump the password table to a remote database. The trick is that you get Google to launch the attack for you. You have the malicious code obfuscate the destination, and it isn't clear skullduggery is going on by casual inspection of the logs. It won't show up in the database logs either because its not a transaction.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  7. Glasshouses... by ArsenneLupin · · Score: 2, Informative

    ... The Daily WTF runs on ASPX. These are bold people. Very bold people.