  1. #1
    Join Date
    Dec 2004
    Location
    New Jersey
    Posts
    86

    Security issue. I can't figure out the exploit

    Guys.

    I have a small web hosting business with about 400 sites. Recently I have been having complaints about customer sites being redirected to porn sites. I had not been able to duplicate it for a while, but now I have figured out the issue.

    It seems that when someone goes to Google and clicks on a link that leads to one of my customer sites, the site gets redirected. Now, if you go to the site directly via its URL it works just fine and you won't get redirected.

    Here is the way to duplicate it. Go to Google and search for talegateproductions.com, then click on the link to the site. Once you are at the site, if you didn't get redirected you just need to hit refresh a few times and boom, you will get redirected.
    This happens to all sites on my server, regardless of content.

    The URL it's currently redirecting to is

    http://85.255.117.35/site.htm?lng=1&trg=ld

    My server is RH Enterprise (I think), definitely a year-old release of RH that is updated with cPanel and Fantastico.

    Can anyone tell me how this redirect is happening? I checked the code of the sites I tried and it is not modified.

    Essentially it's like maybe there is a random injection of an HTML page with a redirect to a URL.

    Marc
    Fast Affordable Web Hosting
    www.vizhost.com
    Contact on AIM: DIALSOFT

  2. #2
    Perhaps the domain's DNS has been poisoned.

    http://www.dnsreport.com/tools/dnsre...roductions.com

    Your DNS server is an open DNS server, which is vulnerable. You might want to tweak your named.conf to restrict recursion to only allow IPs from your server.

  3. #3
    I'm betting the code for the redirect is coming from a database for the user who owns that site.

  4. #4
    Join Date
    Dec 2004
    Location
    New Jersey
    Posts
    86

    DNS poisoning?

    It happens to every site on my server, not any one particular site. I don't think it's database related.

    The DNS issue sounds more probable. How can I evaluate this?

  5. #5
    Could it possibly be this: http://www.profitpapers.com/dev/302-redirect-hijack.php ?

    I get redirected from Google and Yahoo, but not from Dogpile.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Could be related to the flame.so attack that was popular a few months back?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    It's not DNS and it's not that Google hijacking method. The web server for this domain is serving a redirect when provided with an HTTP request with a Referer header containing "http://www.google.com/search" and a User-Agent value.

    Code:
    telnet 67.15.2.29 80
    Trying 67.15.2.29...
    Connected to 67.15.2.29.
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: www.talegateproductions.com
    Referer: http://www.google.com/search
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; iOpus-I-M; SV1; .NET CLR 1.1.4322)
    
    quit
    HTTP/1.1 302 Found
    Date: Wed, 05 Apr 2006 18:45:04 GMT
    Server: Apache/1.3.34 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.25 OpenSSL/0.9.7a PHP-CGI/0.1b
    Location: http://85.255.117.35/ind.htm?src=76
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1
    
    12b
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>302 Found</TITLE>
    </HEAD><BODY>
    <H1>Found</H1>
    The document has moved <A HREF="http://85.255.117.35/ind.htm?src=76">here</A>.<P>
    <HR>
    <ADDRESS>Apache/1.3.34 Server at www.talegateproductions.com Port 80</ADDRESS>
    </BODY></HTML>
    
    0
    It seems like possibly a rogue .htaccess file, or you're running a CGI that redirects visitors from Google, but it's only working intermittently.

    http://www.scriptygoddess.com/archiv...oogle-go-away/
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!
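The telnet check in the post above can be turned into a repeatable probe. The following is an added Python example, not code from the thread or from either host: it sends the same request with and without the Google Referer and browser User-Agent, and because the redirect was reported as intermittent it repeats each variant several times and tallies how often the server answers with a redirect to a host other than the one requested. The host name, IP and redirect URL are the ones quoted in the thread; the two sample responses embedded for offline use are constructed, modelled on the 302 shown above.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample responses (modelled on the 302 quoted in the post; not live captures).
SAMPLE_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Wed, 05 Apr 2006 18:45:04 GMT\r\n"
    b"Server: Apache/1.3.34 (Unix)\r\n"
    b"Location: http://85.255.117.35/ind.htm?src=76\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
)
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"

REDIRECT_CODES = (301, 302, 303, 307)


def build_request(host, referer=None, user_agent=None, path="/"):
    """Raw HTTP/1.1 request; Referer and User-Agent are only sent when given."""
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host, "Connection: close"]
    if referer:
        lines.append("Referer: %s" % referer)
    if user_agent:
        lines.append("User-Agent: %s" % user_agent)
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into (status code, lower-cased header dict, raw body).
    The body is returned as-is; chunked encoding is not decoded because only
    the status line and Location header matter for this check."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def offsite_redirect(status, headers, our_host):
    """Return the Location URL if the response is a redirect to some other host,
    else None. Same-host redirects (e.g. adding a trailing slash) are normal."""
    if status not in REDIRECT_CODES:
        return None
    location = headers.get("location")
    if not location:
        return None
    target = urlsplit(location).hostname
    if target and target.lower() != our_host.lower():
        return location
    return None


def probe(ip, host, referer, user_agent, attempts=10, timeout=5):
    """Send the request `attempts` times; return the list of off-site redirect
    targets seen (None for each attempt that served the real site)."""
    seen = []
    for _ in range(attempts):
        with socket.create_connection((ip, 80), timeout=timeout) as sock:
            sock.sendall(build_request(host, referer, user_agent))
            raw = b""
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
        status, headers, _ = parse_response(raw)
        seen.append(offsite_redirect(status, headers, host))
    return seen


if __name__ == "__main__":
    HOST, IP = "www.talegateproductions.com", "67.15.2.29"  # values quoted in the thread
    UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
    for label, ref, ua in (("plain", None, None),
                           ("google referer + browser UA", "http://www.google.com/search", UA)):
        hits = probe(IP, HOST, ref, ua)
        bad = [h for h in hits if h]
        print("%-28s %d/%d redirected off-site %s" % (label, len(bad), len(hits), sorted(set(bad))))
```

Run it from a machine outside the server's own network; if the plain variant never redirects and the Referer variant does, the rewrite is conditional on the request, which rules out DNS and points at the httpd configuration or a script in front of the content.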

  8. #8
    Join Date
    Dec 2004
    Location
    New Jersey
    Posts
    86
    Hiya,

    I'm still unable to find what is causing this. It's still happening. Can anyone help on this further?

    Marc

  9. #9
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    So you looked for a rogue .htaccess file and for a CGI that was redirecting visitors from Google?

  10. #10
    Join Date
    Dec 2004
    Location
    New Jersey
    Posts
    86
    I personally don't have the skills to search the 300-400 sites I have to find it. It happens across the entire machine and all its domains on the machine.

    Is it possible that they are all affected by one .htaccess file?


    I'll relay this to my outsourced support team, who have been unable to find the exploit.

  11. #11
    Join Date
    Feb 2006
    Posts
    1,107
    locate .htaccess

    Are any of your clients running vulnerable scripts, etc.?
    semi-retired

  12. #12
    Join Date
    Dec 2004
    Location
    New Jersey
    Posts
    86
    OK, you are saying that one .htaccess file on a particular site can affect an entire server and all of its accounts/domains?

  13. #13
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    When you restart Apache, does it go away for a short time? I still think this is related to the flame.so-style attack.

  14. #14
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    You only recently said that it was for all sites on the server. It's likely a rogue httpd configuration file then. Basically, .htaccess lets you override the httpd configuration for a specific directory/site. If it's affecting all sites, it's likely your httpd configuration.

  15. #15
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681

  16. #16
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,979
    I hadn't read panelgeek's post before, because he's on my ignore list, but it seems like it could be the PHP dl() thing, especially because it was intermittent.
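The thread ends with two competing explanations that can both be checked from the server itself: a Referer-keyed rewrite somewhere in the Apache configuration (a rogue .htaccess or an include in httpd.conf, posts #7, #11 and #14), or a shared object injected into the running httpd processes in the flame.so style that survives only until a restart (posts #13 and #16). The following is an added Python example, not code from the thread or from any of the posters, that does both hunts: it scans .htaccess and *.conf files for RewriteCond tests on HTTP_REFERER against search-engine names and for redirects to bare-IP targets, and it lists every .so mapped into an httpd process that does not live under a trusted library path. The sample .htaccess text and /proc maps text embedded for offline use are constructed; the trusted-path list, the search-engine word list and the "/home" docroot are assumptions to adjust for the server in question. Read /proc for other users' processes as root.

```python
import glob
import os
import re

# Constructed sample .htaccess (not from the server in the thread); the referer
# condition plus an off-site RewriteRule is the pattern we want to catch.
SAMPLE_HTACCESS = r"""# constructed sample .htaccess, not taken from the server in the thread
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(www\.)?google\. [NC]
RewriteRule ^(.*)$ http://85.255.117.35/ind.htm?src=76 [R=302,L]
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
"""

# Constructed /proc/<pid>/maps excerpt for an httpd child; /tmp/evil.so is the
# kind of mapping a dl()-injected module leaves behind (path invented here).
SAMPLE_MAPS = """\
08048000-08123000 r-xp 00000000 03:01 12345      /usr/local/apache/bin/httpd
b7e00000-b7e20000 r-xp 00000000 03:01 22222      /lib/libc-2.3.4.so
b7f00000-b7f10000 r-xp 00000000 03:01 33333      /usr/local/apache/libexec/mod_bwlimited.so
b7f20000-b7f30000 r-xp 00000000 03:01 44444      /tmp/evil.so
bffeb000-c0000000 rw-p bffeb000 00:00 0          [stack]
"""

# Assumed trusted locations for shared objects on a cPanel box; adjust per server.
TRUSTED_SO_PREFIXES = ("/lib", "/usr/lib", "/usr/local/lib", "/usr/local/apache/libexec")
HTTPD_BINARIES = ("httpd", "apache", "apache2")

REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
ENGINE_MARKERS = re.compile(r"google|yahoo|msn|search", re.I)   # assumed word list
IP_TARGET = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
SHARED_OBJECT = re.compile(r"\.so(?:\.\d+)*$")


def suspicious_rules(text):
    """(line number, line) pairs for referer-keyed conditions, the RewriteRule
    they arm, and any Redirect/RewriteRule whose target is a bare IP address."""
    findings, armed = [], False
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = REFERER_COND.match(s)
        if m:
            if ENGINE_MARKERS.search(m.group(1)):
                armed = True
                findings.append((n, s))
            continue
        if re.match(r"RewriteCond\b", s, re.I):
            continue                      # other conditions chain onto the same rule
        if re.match(r"RewriteRule\b", s, re.I):
            if armed or IP_TARGET.search(s):
                findings.append((n, s))
            armed = False
        elif re.match(r"Redirect(Match)?\b", s, re.I) and IP_TARGET.search(s):
            findings.append((n, s))
    return findings


def unexpected_shared_objects(maps_text, trusted_prefixes):
    """Sorted paths of .so files mapped into a process that sit outside trusted_prefixes."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[5].startswith("/"):
            continue                      # anonymous mapping, [heap], [stack], ...
        path = parts[5]
        if SHARED_OBJECT.search(os.path.basename(path)) and not path.startswith(trusted_prefixes):
            found.add(path)
    return sorted(found)


def scan_config_files(roots):
    """Map file path -> findings for every .htaccess / *.conf under the given roots."""
    results = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if name == ".htaccess" or name.endswith(".conf"):
                    path = os.path.join(dirpath, name)
                    try:
                        with open(path, errors="replace") as fh:
                            hits = suspicious_rules(fh.read())
                    except OSError:
                        continue
                    if hits:
                        results[path] = hits
    return results


def scan_httpd_processes(trusted_prefixes):
    """Map pid -> unexpected .so list for every running process whose exe is httpd."""
    results = {}
    for exe_link in glob.glob("/proc/[0-9]*/exe"):
        pid_dir = os.path.dirname(exe_link)
        try:
            if os.path.basename(os.readlink(exe_link)) not in HTTPD_BINARIES:
                continue
            with open(os.path.join(pid_dir, "maps")) as fh:
                odd = unexpected_shared_objects(fh.read(), trusted_prefixes)
        except OSError:
            continue                      # process exited or not readable (run as root)
        if odd:
            results[os.path.basename(pid_dir)] = odd
    return results


if __name__ == "__main__":
    for path, hits in scan_config_files(["/home", "/usr/local/apache/conf"]).items():
        for n, line in hits:
            print("%s:%d: %s" % (path, n, line))
    for pid, objs in scan_httpd_processes(TRUSTED_SO_PREFIXES).items():
        print("httpd pid %s maps untrusted objects: %s" % (pid, ", ".join(objs)))
```

A hit in the config scan explains a persistent redirect; a hit in the process scan explains one that disappears on restart. If the process scan fires, also check that httpd.conf has no Include pointing outside the conf directory and that PHP's dl() is disabled (enable_dl = Off) for the accounts, since that is the route by which such a module gets loaded without touching the Apache configuration at all.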
