RFI Report is a Drupal module which reports RFI (Remote File Inclusion) attempts over http, https and ftp. The RFI attempts are reported in table format, with full details on each attempt. The daily totals and top 10 attacking hosts are reported in a chart. In addition it is possible to deny site access to known RFI attacking hosts.
Download the module from Drupal.org: Remote File Inclusion Report Module
What is RFI?
Remote File Inclusion is a method to execute a PHP script (in most cases) from another server on your server. This is possible as the scripting language PHP uses the file include() function intensively in order to enhance functionality and readability of PHP scripts. This function reads the contents of the file from the path or URL provided and executes the code.
In most cases the use of the include() function is perfectly safe, however badly written PHP scripts could allow the inclusion of dangerous 'remote' PHP scripts which try to compromise your webserver. This could lead to retrieving passwords, hosting files, using your server for further RFI attacks, and so forth.
RFI attempts are usually carried out automatically by bots and try to attack known problematic PHP scripts, also called 'exploits'.
What does an RFI attack look like?
An RFI attempt looks like this:
and we can deduct the following information:
Blocking RFI attempts
To block RFI attempts, it is best to add a rule to the .htaccess file of your website or set the access rules in your Apache configuration. If this is not possible (for example on some shared hosting servers) RFI report can analyze the Drupal log created by the dblog (core) module and add the top RFI attacking hosts automatically to the site deny access list. This will not block the first attempt but will prevent any future attempts from the same attacking host.