Skip to content
Threat Feed
low advisory

Web Server Remote File Inclusion Activity Detected

This rule detects potential Remote File Inclusion (RFI) activity on web servers by identifying HTTP GET requests that attempt to access sensitive remote files through directory traversal techniques or known file paths to read sensitive files, gain system information, or further compromise the server.

This rule identifies potential Remote File Inclusion (RFI) attacks against web servers, specifically targeting Nginx, Apache, Apache Tomcat, IIS, and Traefik. The detection logic focuses on HTTP GET requests that receive a 200 OK response and include URL parameters that contain remote URLs or raw IP addresses. The rule is designed to detect attempts to exploit RFI vulnerabilities, where attackers try to force the application to fetch external content or reveal local files. The rule uses esql and url decoding to normalize the request before checking for suspicious URL schemes and IP addresses. The minimum stack version is 9.2.0 to support the esql url_decode() operator.

Attack Chain

  1. The attacker identifies a web server running a vulnerable application (e.g., PHP application on Apache).
  2. The attacker crafts a malicious HTTP GET request containing a URL parameter (e.g., page) designed to exploit an RFI vulnerability.
  3. The malicious GET request includes a remote URL (e.g., http://203.0.113.10/drop.txt) or an IP address within the vulnerable parameter.
  4. The web server processes the request and attempts to fetch the remote content specified in the URL.
  5. If successful (HTTP 200 OK), the remote content is included in the web server's response.
  6. The attacker leverages the inclusion of the remote file to execute arbitrary code or access sensitive information.
  7. The attacker uses the RFI to further compromise the web server, potentially installing a webshell or exfiltrating data.

Impact

A successful RFI attack can lead to the disclosure of sensitive information, arbitrary code execution, and complete compromise of the web server. This can result in data breaches, service disruption, and reputational damage. The elastic rule considers attacks against Nginx, Apache, Apache Tomcat, IIS, and Traefik web servers, impacting any organizations utilizing these platforms.

Recommendation

  • Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
  • Block the identified malicious IP 203.0.113.10 at the firewall or intrusion prevention system based on its context as an example RFI probe.
  • Investigate any alerts generated by these rules, focusing on the url.original field in the logs to understand the attempted RFI.

Detection coverage 2

Web Server Potential Remote File Inclusion Activity (GET with URL Parameter)

low

Detects HTTP GET requests with URL parameters containing remote URLs or IPs, indicative of RFI attempts.

sigma tactics: command_and_control, discovery techniques: T1083 sources: webserver, nginx|apache|apache_tomcat|iis|traefik

Web Server Potential Remote File Inclusion Activity (GET with IP in URL)

low

Detects HTTP GET requests with URL parameters containing raw IPs, indicative of RFI attempts.

sigma tactics: command_and_control, discovery techniques: T1083 sources: webserver, nginx|apache|apache_tomcat|iis|traefik

Detection queries are available on the platform. Get full rules →