04-04-2006, 08:09 PM #1 Junior Guru Wannabe (Join Date: Dec 2004; Location: New Jersey; Posts: 86)
Security issue. I can't figure out the exploit
Guys.
I have a small webhosting business with about 400 sites. Recently I have been having complaints about customer sites being redirected to porn sites. I had not been able to duplicate it for a while but now I have figured out the issue.
It seems that when someone goes to Google and clicks on a link that leads to one of my customer sites, the sites get redirected. Now if you go to the site directly by its URL it works just fine and you won't get redirected.
Here is the way to duplicate it. Go to Google and search for talegateproductions.com, then click on the link to the site. Once you are at the site, if you didn't get redirected you just need to hit refresh a few times and boom, you will get redirected.
This happens to all sites on my server. Regardless of content.
The url its currently redirecting to is
http://85.255.117.35/site.htm?lng=1&trg=ld
My server is RH Enterprise (I think), definitely a year-old release of RH that is updated with cPanel and Fantastico.
Can anyone tell me how this redirect is happening? I checked the code of the sites I tried and it is not modified.
Essentially it's like maybe there is a random injection of an HTML page with a redirect to a URL.
Marc

04-04-2006, 08:25 PM #2 Aspiring Evangelist (Join Date: Mar 2006; Posts: 427)
Perhaps the domain DNS has been poisoned.
http://www.dnsreport.com/tools/dnsre...roductions.com
Your DNS server is an open DNS server, which is vulnerable. You might want to tweak your named.conf to secure up the recursion to only allow IPs from your server.

04-04-2006, 08:28 PM #3 Disabled (Join Date: Aug 2005; Posts: 443)
I'm betting the code for the redirect is coming from a database for the user who owns that site.

04-04-2006, 08:30 PM #4 Junior Guru Wannabe (Join Date: Dec 2004; Location: New Jersey; Posts: 86)
DNS poisoning?
It happens to every site on my server. Not any one particular server. I don't think it's database related.
The dns issue sounds more probable. How can I evaluate this?

04-04-2006, 09:05 PM #5 Disabled (Join Date: Aug 2005; Posts: 443)
Could it possibly be this: http://www.profitpapers.com/dev/302-redirect-hijack.php ?
I get redirected from Google and Yahoo, but not from Dogpile.

04-04-2006, 09:12 PM #6 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
Could be related to the flame.so? Popular attack a few months back.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

04-05-2006, 03:12 PM #7 Web Hosting Master (Join Date: Nov 2001; Location: Ann Arbor, MI; Posts: 2,979)
It's not DNS and it's not that Google hijacking method. The web server for this domain is serving a redirect when provided with an HTTP request with a Referer header containing "http://www.google.com/search" and a User-Agent value.
Code:
    telnet 67.15.2.29 80
    Trying 67.15.2.29...
    Connected to 67.15.2.29.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.talegateproductions.com
    Referer: http://www.google.com/search
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M; SV1; .NET CLR 1.1.4322)
    quit

    HTTP/1.1 302 Found
    Date: Wed, 05 Apr 2006 18:45:04 GMT
    Server: Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.7a PHP-CGI/0.1b
    Location: http://85.255.117.35/ind.htm?src=76
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    12b
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>302 Found</TITLE>
    </HEAD><BODY>
    <H1>Found</H1>
    The document has moved <A HREF="http://85.255.117.35/ind.htm?src=76">here</A>.<P>
    <HR>
    <ADDRESS>Apache/1.3.34 Server at www.talegateproductions.com Port 80</ADDRESS>
    </BODY></HTML>

    0
http://www.scriptygoddess.com/archiv...oogle-go-away/
-Mark Adams
www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!
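The telnet probe in the post above can be scripted so the same check runs against every domain on the box. The following is an added example, not code from the thread or from any poster: it sends the same GET twice over a raw socket to the server's IP (bypassing DNS, which rules out the poisoning theory), once with no Referer and once with a search-engine Referer plus a browser-like User-Agent, and flags any difference in status or Location. The small local server in the block is a constructed stand-in that reproduces the observed behaviour so the check can be exercised offline; the hostnames, the User-Agent string and the placeholder redirect target are mine, not values from the thread.

```python
"""Added example: detect referer-conditioned ("cloaked") redirects on a web server."""
import socket
import socketserver
import threading

# Constructed browser-like User-Agent; cloaking may key on this header as well.
BROWSER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SEARCH_REFERER = "http://www.google.com/search?q=example"


def build_request(host, path="/", referer=None, user_agent=BROWSER_UA):
    """Assemble a minimal HTTP/1.1 GET, mirroring what was typed into telnet."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}",
             f"User-Agent: {user_agent}", "Connection: close"]
    if referer:
        lines.append(f"Referer: {referer}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Return (status_code, {lower-cased header: value}) from a raw HTTP response."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def probe(ip, host, path="/", referer=None, port=80, timeout=10):
    """Send one request straight to `ip` (no DNS lookup) and parse the reply."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path, referer))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


def cloaking_check(ip, host, path="/", port=80):
    """Compare a direct visit with a search-referred visit to the same URL."""
    direct_status, direct_headers = probe(ip, host, path, None, port)
    search_status, search_headers = probe(ip, host, path, SEARCH_REFERER, port)
    return {
        "direct": direct_status,
        "from_search": search_status,
        "location": search_headers.get("location"),
        # A different status or redirect target for search-engine visitors is the
        # symptom described in the thread: the server cloaks based on Referer.
        "cloaked": (direct_status != search_status
                    or direct_headers.get("location") != search_headers.get("location")),
    }


class _DemoHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the affected server: 302 only for search referers."""

    def handle(self):
        self.rfile.readline()  # request line
        headers = {}
        while True:
            line = self.rfile.readline().decode("iso-8859-1")
            if line in ("", "\r\n", "\n"):
                break
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if "google.com/search" in headers.get("referer", ""):
            reply = ("HTTP/1.1 302 Found\r\nLocation: http://placeholder.invalid/landing\r\n"
                     "Content-Length: 0\r\nConnection: close\r\n\r\n")
        else:
            body = "<html><body>normal page</body></html>"
            reply = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n{body}")
        self.wfile.write(reply.encode("iso-8859-1"))


def start_demo_server():
    """Start the stand-in on an ephemeral localhost port; returns (server, port)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_demo_server()
    try:
        print(cloaking_check("127.0.0.1", "www.example.test", port=port))
    finally:
        server.shutdown()
```

Against the real box you would call `cloaking_check(server_ip, hostname)` once per hosted domain; a domain that answers 200 directly but 302 with an external Location for the search-referred request is affected. Because the probe connects to the IP and only sets the Host header, DNS poisoning cannot produce a positive result here, which is the same point the telnet session makes.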

04-14-2006, 10:26 PM #8 Junior Guru Wannabe (Join Date: Dec 2004; Location: New Jersey; Posts: 86)
Hiya,
I'm still unable to find what is causing this. It's still happening. Can anyone help on this further?
Marc

04-14-2006, 10:38 PM #9 Web Hosting Master (Join Date: Nov 2001; Location: Ann Arbor, MI; Posts: 2,979)
So you looked for a rogue .htaccess file and for a CGI that was redirecting visitors from Google?
-Mark Adams

04-14-2006, 10:51 PM #10 Junior Guru Wannabe (Join Date: Dec 2004; Location: New Jersey; Posts: 86)
I personally don't have the skills to search the 300-400 sites I have to find it. It happens across the entire machine and all its domains on the machine.
Is it possible that they are all affected by one .htaccess file?
I'll relay this to my outsourced support team, who has been unable to find the exploit.

04-14-2006, 10:57 PM #11 the ground beneath my feet (Join Date: Feb 2006; Posts: 1,107)
locate .htaccess
Are any of your clients running vulnerable scripts/etc?
semi-retired

04-15-2006, 09:28 AM #12 Junior Guru Wannabe (Join Date: Dec 2004; Location: New Jersey; Posts: 86)
OK, you are saying that one .htaccess file on a particular site can affect an entire server and all of its accounts/domains?

04-15-2006, 11:55 AM #13 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
When you restart Apache does it go away for a short time? I still think this is related to the flame.so style attack.
-Steven Ciaburri

04-16-2006, 12:20 PM #14 Web Hosting Master (Join Date: Nov 2001; Location: Ann Arbor, MI; Posts: 2,979)
You only recently said that it was for all sites on the server. It's likely a rogue httpd configuration file then. Basically, .htaccess lets you override the httpd configuration for a specific directory/site. If it's affecting all sites, it's likely your httpd configuration.
-Mark Adams

04-16-2006, 12:25 PM #15 Problem Solver (Join Date: Mar 2003; Location: California USA; Posts: 13,681)
http://www.webhostingtalk.com/showth...light=flame.so
please read.. flame.so
-Steven Ciaburri
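Posts #11, #14 and #15 between them name the three places to look when every site on the machine is affected: per-site .htaccess files, the server-wide httpd configuration, and the modules Apache actually loads (the flame.so case). The script below is an added example, not from the thread or any poster, that audits all three in one pass: it lists .htaccess files whose rewrite rules test HTTP_REFERER or HTTP_USER_AGENT, and lists LoadModule lines whose module file is not on an allowlist built from a known-clean install. The directory layout (`home/<user>/public_html`), the config file location and the sample files are constructed for the demo and are assumptions, not paths from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): one-pass audit of per-site .htaccess files,
# the server-wide httpd.conf, and the set of loaded modules.
# Assumed layout: sites under <root>/<user>/public_html and an httpd.conf path passed
# as an argument; nothing here is a real path from the thread.

# Print every .htaccess below $1 that contains a RewriteCond testing HTTP_REFERER or
# HTTP_USER_AGENT. Legitimate sites rarely need these; a redirect that fires only for
# search-engine visitors is exactly what the telnet session in the thread showed.
find_referer_redirects() {
    find "$1" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eiq 'RewriteCond[[:space:]]+%.HTTP_(REFERER|USER_AGENT)' "$f"; then
            echo "$f"
        fi
    done
}

# Print "module path" for each LoadModule line in $1 whose .so basename is not listed
# in the allowlist $2 (one basename per line, taken from a known-clean install).
# A stray module such as flame.so shows up here even if httpd.conf otherwise looks sane.
find_unknown_modules() {
    grep -Ei '^[[:space:]]*LoadModule[[:space:]]' "$1" | while read -r kw name path; do
        base=$(basename "$path")
        if ! grep -qxF "$base" "$2"; then
            echo "$name $path"
        fi
    done
}

# Build a constructed sample tree so both checks can be exercised offline.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/public_html" "$d/home/bob/public_html"
    # constructed: a rewrite that only triggers for visitors arriving from a search
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} google\.com/search [NC]' \
        'RewriteRule .* http://placeholder.invalid/ [R=302,L]' \
        > "$d/home/alice/public_html/.htaccess"
    # constructed: a harmless per-site override
    printf '%s\n' 'Options -Indexes' > "$d/home/bob/public_html/.htaccess"
    # constructed: httpd.conf with one expected module and one unexpected one
    printf '%s\n' 'LoadModule ssl_module libexec/mod_ssl.so' \
        'LoadModule flame_module /tmp/flame.so' > "$d/httpd.conf"
    printf '%s\n' 'mod_ssl.so' 'mod_php4.so' > "$d/allowed_modules.txt"
    echo "$d"
}

fixture=$(make_fixture)
echo "== .htaccess files with referer/user-agent conditioned rewrite rules =="
find_referer_redirects "$fixture/home"
echo "== LoadModule lines whose module is not in the allowlist =="
find_unknown_modules "$fixture/httpd.conf" "$fixture/allowed_modules.txt"
rm -rf "$fixture"
```

On a real server you would call `find_referer_redirects /home` and `find_unknown_modules /path/to/httpd.conf allowed_modules.txt` directly, with the allowlist generated from a fresh install of the same Apache build. A hit in the second list is the stronger signal: a per-site .htaccess explains one domain, but only a server-wide config change or a loaded module explains every domain on the machine, which is the distinction post #14 draws.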

04-16-2006, 10:20 PM #16 Web Hosting Master (Join Date: Nov 2001; Location: Ann Arbor, MI; Posts: 2,979)
I hadn't read panelgeek's post before, because he's on my ignore list, but it seems like it could be the PHP dl() thing, especially because it was intermittent.
-Mark Adams