RFI stands for Remote File Inclusion. We’ve seen some captured demos here and there, but this one is one of the most impressive yet. The example shown in the post Bots Galore! is worth reading – in fact, studying! Look how it ends, with a simple GUI for controlling your site. Chances are, there are eight or nine of these scripts floating around on underground file sharing networks right now.
Wikipedia gives an excellent description of the RFI attack. Briefly, the vulnerable page uses PHP’s “include” function to include whatever file is specified in the query string after the ‘?’ in the URL. Guess what? We’ll just include our own file from some other server there and look at your web page that way! No password cracking, no muss, no fuss, and not even any trace left.
Guard against this! Turn off “register_globals” on your server if it isn’t off already, and just plain don’t allow URL includes in the first place. If you have several pages of code that have to link together, include each file specifically by name in the code itself rather than building the path from user input.
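The include pattern described above, next to the hardened form the last paragraph recommends (a fixed map of page names to local files), as an added example that is not part of the original post; the page keys, the `pages/` directory and the php.ini settings shown in the comments are assumptions for illustration.

```php
<?php
// Added example (not from the original post): the RFI pattern described above,
// beside an allowlist-based rewrite that includes files only by fixed name.

// VULNERABLE: the file to include is taken straight from the query string.
// With allow_url_include=On (and, on old PHP, register_globals=On) a URL in
// $page makes include() fetch and execute code from another server.
function render_page_vulnerable(string $page): void
{
    include $page;              // never do this
}

// HARDENED: map a short page key to a fixed local file. Anything not in the
// map is rejected, so neither URLs nor "../" paths ever reach include().
// The keys and the pages/ directory are assumed names for this example.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $key): ?string
{
    return PAGES[$key] ?? null;   // exact-match lookup, no string building
}

function render_page(string $key): void
{
    $file = resolve_page($key);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;                // only ever one of the fixed local files
}

// Usage: render_page($_GET['page'] ?? 'home');
//
// Server-side hardening in php.ini (assumed settings for this example):
//   allow_url_include = Off   ; refuses http:// and ftp:// wrappers in include()
//   allow_url_fopen   = Off   ; optional; also blocks remote fopen/file_get_contents
//   register_globals  = Off   ; directive removed entirely in PHP 5.4 and later
```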