On 9 JAN, Bojan discussed reports of massive RFI scans. One recurring artifact, consistent across almost all the reports we've received lately, is that the attackers attempt to include http://www.google.com/humans.txt. I investigated a hunch, and it turns out this incredibly annoying script kiddie behavior seemingly comes not from bots but from the unfortunate misuse of the beta release of Vega, the free and open source web application scanner from Subgraph. One of the numerous Vega modules is Remote File Include Checks, found in C:\Program Files (x86)\Vega\scripts\scanner\modules\injection\remote-file-include.js. Of interest in remote-file-include.js:
var module = {

Great, now the kiddies don't even need to figure out how to make RFI Scanner Bot or the VopCrew Multi Scanner work, it's been dumbed down all the way for them! What steps can you take to prevent and detect possible successful hits?
Now that we know it's less likely bot behavior and more likely annoying miscreants, take the opportunity to audit your Internet-facing presence, particularly if you use a popular CMS/CMF. Cheers, and feel free to comment or send additional log samples.
Russ McRee, ISC Handler, Jan 17th 2014
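One way to check web server access logs for the humans.txt include attempts described above, as an added example that is not part of the original diary. It assumes Apache-style common/combined log lines; the function name, the triage labels and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Marker URL the diary reports in the scan traffic.
MARKER = "www.google.com/humans.txt"

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_rfi_probes(lines):
    """Return one dict per request whose query string carries the marker URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        parts = urlsplit(m["target"])
        # parse_qsl percent-decodes once; unquote again to catch double encoding.
        params = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if MARKER in unquote(v).lower()]
        if not params:
            continue
        status = int(m["status"])
        hits.append({
            "src": m["src"], "path": parts.path, "params": params, "status": status,
            # Assumption: 2xx only means the page was served, so it is queued for
            # manual review; it does not prove the include ran.
            "triage": "review" if 200 <= status < 300 else "rejected",
        })
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2014:10:01:02 +0000] "GET /index.php?page=http://www.google.com/humans.txt? HTTP/1.1" 404 512',
    '192.0.2.10 - - [17/Jan/2014:10:01:03 +0000] "GET /view.php?file=http%3A%2F%2Fwww.google.com%2Fhumans.txt HTTP/1.1" 200 2048',
    '198.51.100.7 - - [17/Jan/2014:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 1024',
    '192.0.2.10 - - [17/Jan/2014:10:01:04 +0000] "GET /a.php?x=1&inc=http%253A%252F%252Fwww.google.com%252Fhumans.txt HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(hit)
```

Requests marked "review" name the script and parameter to audit first; the parameter list shows which inputs the scanner tried.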
Maybe it would help if your 200 example wasn't an exact copy of the 404 example??
Anonymous, Jan 17th 2014
Doh! Sure would help. Fixed, and thanks.
Russ McRee, ISC Handler, Jan 17th 2014
Sorry if this is off topic, but on the My ISC page in the section "Current Ports of Interest" I get a php/mysql error message that has many more details than I would wish if this was my site -- especially as a security site.
Also: thanks for the quick fix.
Russ McRee, Jan 17th 2014