Allow_url_fopen and HTTP Injection
The ongoing SQL injection attacks have understandably grabbed the lion's share of attention these days. But these aren't the only attacks plaguing website owners and their visitors. In addition to mass compromise of sites via stolen FTP credentials (the so-called 'long tail' attacks), a large number of smaller sites have been plagued by HTTP injection attacks leveraged through PHP's remote file inclusion capabilities.
In some instances, the HTTP injection exploit has been used to insert an IRC-controlled backdoor on the susceptible page. In other cases, the exploit allows attackers to engage in clickfraud by redirecting search engine requests to the page of their choice. The susceptible sites may become the unwitting hosts of phishing sites or malware, or links to the susceptible site may be used as a redirector to mask the true origin of attacker-owned sites.
The signs of compromise may vary. In the initial stages of the attack, an md5 checksum (for example, a0b4df006e02184c60dbf503e71c87ad or c6db3524fe71d6c576098805a07e79e4) may be inserted in the site's .htaccess file or on one of the susceptible pages. This marker alerts the bot controllers that the pages are vulnerable to attack, which then occurs at a later stage.
A compromised site may contain the file check.js, which begins with JavaScript similar to the following:
(Math.random()*60 < JSS1) && document.referrer.match(/^http:\/\/([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\./)
Other symptoms may include the addition of unexpected .php files which contain code similar to the following:
<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }
To counter the attacks, ensure all PHP apps are updated to their most current versions and modify php.ini (and the Apache httpd.conf file, if applicable) to set allow_url_fopen to Off (the default is On).
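As an added example (not part of the original post), here is a small Python scanner that turns the indicators described above into checks over a web root: a bare md5 line in .htaccess, the referrer-gated JavaScript from check.js, and the testdata() function from the dropped .php files. The sample files it builds are constructed for the demo and the heuristics are my own reading of the post.

```python
import re
import tempfile
from pathlib import Path

# Heuristics derived from the indicators the post describes (assumptions, not signatures).
# A bare 32-hex line in .htaccess has no legitimate purpose there.
MD5_LINE = re.compile(r"^\s*[0-9a-f]{32}\s*$", re.IGNORECASE | re.MULTILINE)
# check.js gates its payload on a random threshold AND a search-engine referrer.
REFERRER_GATE = re.compile(
    r"Math\.random\(\)\s*\*\s*\d+\s*<\s*\w+\)\s*&&\s*document\.referrer\.match\("
)
# The dropped backdoor defines a testdata() helper that echoes md5("testdata_...").
PHP_BACKDOOR = re.compile(r"function\s+testdata\s*\(.*md5\(\s*\"testdata_", re.DOTALL)


def scan_webroot(root):
    """Return a list of (path, reason) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if path.name == ".htaccess" and MD5_LINE.search(text):
            findings.append((str(path), "bare md5 marker line in .htaccess"))
        elif path.suffix == ".js" and REFERRER_GATE.search(text):
            findings.append((str(path), "search-engine referrer gate (check.js pattern)"))
        elif path.suffix == ".php" and PHP_BACKDOOR.search(text):
            findings.append((str(path), "dropped backdoor fingerprint"))
    return findings


def demo():
    """Build a constructed web root with one clean and three suspect files; return sorted reasons."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text("RewriteEngine On\na0b4df006e02184c60dbf503e71c87ad\n")
    (root / "check.js").write_text(
        "(Math.random()*60 < JSS1) && document.referrer.match(/^http:\\/\\/(google|msn)\\./)"
    )
    (root / "x.php").write_text('<?php error_reporting(1); function testdata($t) { say(md5("testdata_$t")); }')
    (root / "index.php").write_text("<?php echo 'hello'; ?>")  # clean file, must not be flagged
    return sorted(reason for _, reason in scan_webroot(root))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```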

Mary Landesman
Reader Comments (1)
Hi Mary, also check this analysis for 'check.js':
http://www.trustedsource.org/blog/109/When-your-web-site-is-attacked-by-the-Hijacking-Blog