How do I find a script being used as a "Remote File Inclusion" exploit on my server?

Posted on 2006-05-01
Last Modified: 2010-04-22
How do I find a script being used as a "Remote File Inclusion" exploit on my server? Every few seconds the error log shows an entry like this.

  (try:13) => `/tmp/.girl'
Connecting to[]:80... --16:19:56--
  (try:14) => `/tmp/.girl2'
Connecting to[]:80... --16:20:04--
  (try:13) => `/tmp/.girl2'
Connecting to[]:80... failed: Connection timed out.

failed: Connection timed out.

Obviously my firewall is preventing it from completing its IRC-planting mission, which is great, so nothing is actually getting dropped into my /tmp folder while the firewall is up and running, but many bots out there are automatically trying my defenses all day. They are all using the same script on my server to access my server, but I can't find a trace of what they are using to access it. Either the script is an innocent and exploitable script that belongs to a regular product like a forum, or it was planted there by a malicious user.

I have successfully used netstat and grep to determine the IPs of many of the machines that are trying to get in, and I have added those IPs to my iptables to stop them, but new ones keep showing up, so something exploitable is sitting on my server. I have 1000 websites on this server, so I can't just say "oh, it's my forum script that needs upgrading"; I need to figure out how to search for a log record somewhere that would have the actual event and file location of the exploit.

I've asked a number of my super Linux tech friends and have come up empty handed so far.

Any ideas? I've been scratching my head for 4 days trying to come up with inventive ways to find the culprit.
Question by:gerrybakker
    LVL 15

    Expert Comment

    Well if you have the IPs to add to iptables as someone breaking in, why don't you grep all your 1000 apache log files  for these IP addresses and see what files they are accessing?

    Also, it's not clear WHAT error log shows this - is this your apache error log or something else?

    Author Comment

    m1tk4, thanks for the forehead-slapping obvious answer: "check the 1000 apache logs". It was staring me in the face but I couldn't see the trees for the forest. It was just too obvious.

    After identifying the IP addresses I then did a grep for those IP addresses in the /var/log/httpd/domains folder to find the scripts that were being used.

    grep -n -r -I "" *

    The results showed extended character codes in the string to hide the real string. You would never know or find the text string "" in this result, but it didn't matter because it was definitely the IP address that was running the wget session. Mystery solved.

    Sample line found in the log with the correct IP address:

    - - [01/May/2006:08:57:24 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"

    Author Comment

    Apparently, in this case, it was the viewtopic.php file in phpBB that was being exploited.
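The grep the author ran finds the attacking IP, but the request itself is double-URL-encoded and the command is hidden behind a chain of chr() calls, so the log line still has to be decoded by hand. As an added example (not code from the thread or from phpBB), the following Python script does that decoding for a whole access log: it parses each line in Apache combined format, URL-decodes every query parameter twice, flags values that still contained an encoded layer after one decode or that name a PHP execution function, and turns any chr() chain back into readable text. The sample lines, the client IPs (RFC 5737 documentation range) and the function names are constructed for the example; the first request line reuses the payload quoted above.

```python
"""Hunt an Apache access log for double-URL-encoded code injection in
query parameters (the phpBB viewtopic.php 'highlight' case from the
thread) and decode chr() chains so the hidden command becomes readable.
Added example, not part of the original thread."""
import re
from urllib.parse import unquote

# Constructed sample lines. Client IPs are from the RFC 5737 documentation
# range; the first request line reuses the payload quoted in the thread.
SAMPLE_LOG = """\
192.0.2.10 - - [01/May/2006:08:57:24 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527 HTTP/1.0" 200 23026 "-" "Mozilla/4.0"
192.0.2.20 - - [01/May/2006:08:58:01 -0700] "GET /phpBB2/viewtopic.php?p=194&highlight=linux HTTP/1.0" 200 23026 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [time] "method uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# PHP functions that hand a string to the OS or the interpreter.
CALL_RE = re.compile(r"\b(system|exec|passthru|shell_exec|popen|eval)\s*\(", re.I)
# chr(NNN) pieces used to build a string without literal characters.
CHR_RE = re.compile(r"chr\((\d{1,3})\)")


def decode_chr_chain(expr: str) -> str:
    """Concatenate every chr(N) in expr; PHP's chr() wraps modulo 256."""
    return "".join(chr(int(n) % 256) for n in CHR_RE.findall(expr))


def analyse_request(uri: str) -> list:
    """Return one finding per query parameter that looks like injected code."""
    path, _, query = uri.partition("?")
    findings = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        once = unquote(raw)      # what the web server hands to the script
        twice = unquote(once)    # what a script that decodes again would run
        if CALL_RE.search(twice) or CHR_RE.search(twice):
            findings.append({
                "script": path,
                "param": unquote(key),
                "double_encoded": once != twice,
                "decoded_value": twice,
                "payload": decode_chr_chain(twice),
            })
    return findings


def hunt(log_text: str) -> list:
    """Scan every log line and attach ip, timestamp and status to each finding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for finding in analyse_request(m.group("uri")):
            finding.update(ip=m.group("ip"), when=m.group("ts"),
                           status=int(m.group("status")))
            hits.append(finding)
    return hits


def attacking_ips(hits: list) -> list:
    """Distinct source addresses, e.g. to feed into an iptables block list."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f'{h["ip"]} {h["when"]} {h["script"]} param={h["param"]} '
              f'double_encoded={h["double_encoded"]} payload={h["payload"]!r}')
    print("sources:", attacking_ips(hunt(SAMPLE_LOG)))
```

Run it against a real log with `hunt(open("access_log").read())` (or loop over the files under /var/log/httpd/domains as the author did). The `double_encoded` flag is the useful signal here: a legitimate `highlight=linux` decodes to the same text once or twice, while the injected value only reveals its `'.system(...)` wrapper after the second decode, which is exactly why the raw grep output looked like meaningless extended character codes.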
    LVL 15

    Expert Comment

    >>it was the viewtopic.php file in phpBB

    LVL 15

    Expert Comment

    And why would it be a refund? I certainly object.

    Accepted Solution

    PAQed with points refunded (500)

    Community Support Moderator
