
Possible Duplicate:
My server's been hacked EMERGENCY

I have an Expression Engine website I am trying to clean up. The database has been given many new users, so it seems the database has been hacked / links added. One major issue is that the site, when clicked in Google, is being bypassed: all visitors are being redirected to another website. Here is the search: http://tinyurl.com/72nzutj . The first site is the one in question. The site they are redirected to is http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 . I have been trying to find this redirect in all files and the database, but I have had no luck. It is not a .htaccess redirect; that I have checked and confirmed. But I have not been able to locate a JScript or PHP redirect in the files or the database as of yet. Probably well hidden because of base64 or packed encryption. Ideas?

NB no clean database version available

rhand
  • General advice here is to disable your site and recover it from known good backups as no matter what you do now, you cannot guarantee that there isn't another back door. You might also consider contacting the site designer, they may have a backup of the site from when they handed it over. – user9517 Nov 20 '11 at 10:34
  • Thanks Iain. No good backups available so I want to try to clean up before I just start from scratch with a clean EE and build up the database from scratch. I also want to learn what happened here. – rhand Nov 20 '11 at 10:36
  • "cleaning up" is a really bad idea unless you are 100% sure of the full extent of the hack, know precisely what was changed, and are 100% sure you can roll back those changes and guarantee data integrity. – Rob Moir Nov 20 '11 at 12:19
  • On the other hand, trying to learn exactly what happened and how he got in is a very good idea. Otherwise the same thing will just happen again. – Ladadadada Nov 20 '11 at 12:40

2 Answers


Trying the link a couple of times shows that the Google result goes to the "wrong" site, but going direct to the URL (www.newwineireland.org) doesn't result in a redirection.

Perhaps you have a google search poisoning rather than a site problem?

Jon Rhoades
  • How would people poison Google ranking? By having the redirect for a long time perhaps? That would explain why Google is still redirected. But the same is still happening for MSN and Yahoo as well.. – rhand Nov 23 '11 at 02:56

It only redirects people with a referrer from Google (possibly also other search engines.) If I take off the referrer part of curl I just get a normal page back.

curl -e "http://www.google.co.uk/search?q=new+wine+ireland" --include http://www.newwineireland.org/
HTTP/1.1 302 Found
Date: Sun, 20 Nov 2011 11:44:17 GMT
Server: Apache
Location: http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555
Vary: Accept-Encoding
Content-Length: 239
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555">here</a>.</p>
</body></html>

The content of the response (after the headers) suggests that this is an Apache generated redirect and not a PHP generated one. Most people don't think to send a body when using the PHP header() function for redirects and that text matches exactly what an Apache generated body would look like.

To me, this means it's not a PHP file and it's not a javascript or meta redirect stored in your database.

Based on this I would suggest looking in Apache config files. Everything in /etc/apache (or /etc/httpd depending on your distro) needs to be checked. It doesn't have to be a RewriteRule or even a Redirect. It could be an extra Include directive that loads the redirect from another file somewhere else. It could even be a directive that changes what .htaccess files are called.

A command that might help you find it is grep -r "sweepstakesandcontestsinfo" /etc/apache.

You didn't mention how you checked that it's not a .htaccess redirect. .htaccess is the most likely option because it usually doesn't require any special privileges to write one of those inside the document root.

If you haven't already done so, run this: find /var/www -name .htaccess but change "/var/www" to your document root.

If that doesn't find anything, try the same command but with / as the first argument. Obviously, you will have to check over each and every line in every .htaccess file you find.

If you find that some of your Apache config files are changed, then this attacker has root access on your box. The best response at that time is to take it offline and begin a proper cleanup. There are many questions on both here and security.SE about how to recover from a compromise once you have cleared up the immediate problem (which is the redirect).

Ladadadada
  • Found one .htaccess so far that had a rewrite rule. It was on the same server but for another site than the site I was trying to fix. It states: `RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC] RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]` Oddly enough I have not found one for this site in question yet. Did rename that .htaccess now, but am still trying to fix the redirect on the site in question – rhand Nov 21 '11 at 04:30
  • Emptied EE's cache, but still have the same redirect using Google or Yahoo. So the Apache redirect must still be somewhere. Grepped a lot of .htaccess files, even some in the logs folder, but found none in the site's folder that have a redirect. Also checked MSN and there I get the same redirect. NB As this is a Dreamhost virtual server and not a dedicated server or a VPS I do not have root access. Would also assume DH did not get hacked, but will ask them later today just in case – rhand Nov 21 '11 at 05:06
  • I have been going through the site to find the redirect leading to `http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555` for quite some time. Grepping through files and using find I have been checking all files and .htaccess files on the server. I found one .htaccess added at another-domain.com with a redirect going to that same site, but I have not been able to find a PHP, meta or .htaccess redirect doing the redirecting in the domain in question. Even after looking extensively for suspicious and or compressed or obfuscated code the best way that I could. I am stunned. – rhand Nov 21 '11 at 08:51
  • Added Google Webmaster verification file to the site and GWT cannot locate it on the server somehow while it is there. Caused by the redirect issue I guess. – rhand Nov 23 '11 at 04:56
  • Found another shell script in another site on the same home holder, but the redirect is still elusive. Also searched for PHP auto_append_file to see if a redirect was attached like that. No joy. We will wipe the site this week and start anew. – rhand Nov 29 '11 at 23:21
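The two checks this answer walks through (compare the response with and without a search-engine Referer, then sweep the document root for .htaccess files that act on the Referer or inject PHP through auto_prepend/append_file), written up as an added example that is not code from the original answer or its author. The 302 response is the one captured in the answer with its HTML body shortened; the direct-fetch response, the document-root layout and the three .htaccess files are constructed for the demo, modelled on the rule quoted in the comments, and are not files from the poster's server.

```shell
#!/bin/sh
# Added example (not from the original thread): the answer's two checks, run
# offline against constructed data so the logic can be seen end to end.
#   1. parse captured HTTP responses and flag a redirect that only fires when
#      a search-engine Referer is sent (referrer cloaking);
#   2. sweep a document root for .htaccess files that rewrite on
#      %{HTTP_REFERER} or pull in PHP via auto_prepend/append_file.
# Document-root layout and .htaccess contents below are constructed, modelled
# on the rule quoted in the comments; hostname is the one from the thread.

# --- 1. compare responses ---------------------------------------------------

# Print "STATUS LOCATION" for a raw HTTP response ("-" when no Location header).
parse_redirect() {
    printf '%s\n' "$1" | awk '
        { sub(/\r$/, "") }                        # tolerate CRLF headers
        NR == 1 && $1 ~ /^HTTP\// { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        /^$/ { exit }                             # blank line ends the headers
        END { printf "%s %s\n", status, (loc == "" ? "-" : loc) }'
}

# detect_cloaking WITH_REFERER_RESPONSE DIRECT_RESPONSE OWN_HOST
# Prints "CLOAKED <url>" when only the referred request is sent off-site.
detect_cloaking() {
    loc_with=$(parse_redirect "$1");   loc_with=${loc_with#* }
    loc_direct=$(parse_redirect "$2"); loc_direct=${loc_direct#* }
    case "$loc_with" in
        -|"http://$3"*|"https://$3"*) echo CLEAN ;;      # no redirect, or stays on our host
        *) if [ "$loc_direct" = "-" ]; then echo "CLOAKED $loc_with"; else echo CLEAN; fi ;;
    esac
}

# Response the answer captured with curl -e "http://www.google.co.uk/search?q=..."
# (HTML body shortened).
RESP_WITH_REFERER='HTTP/1.1 302 Found
Date: Sun, 20 Nov 2011 11:44:17 GMT
Server: Apache
Location: http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555
Vary: Accept-Encoding
Content-Length: 239
Content-Type: text/html; charset=iso-8859-1

<html><head><title>302 Found</title></head><body><h1>Found</h1></body></html>'

# Constructed response for the same URL fetched with no Referer at all.
RESP_DIRECT='HTTP/1.1 200 OK
Date: Sun, 20 Nov 2011 11:44:20 GMT
Server: Apache
Content-Type: text/html; charset=utf-8

<html><body>New Wine Ireland</body></html>'

# --- 2. sweep .htaccess files -----------------------------------------------

# Build a throwaway document root (constructed) with one benign and two hostile
# .htaccess files and print its path.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/site-a" "$root/site-b/logs" "$root/site-b/images"
    cat > "$root/site-a/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^index\.php$ / [R=301,L]
EOF
    # modelled on the rule the poster found on a neighbouring site, dropped in a
    # directory nobody looks at
    cat > "$root/site-b/logs/.htaccess" <<'EOF'
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*(msn|live|altavista|excite|ask|aol|google|mail|bing|yahoo).*$ [NC]
RewriteRule .* http://sweepstakesandcontestsinfo.com/nl-in.php?nnn=555 [R,L]
EOF
    # the other way to hijack every PHP request without touching site files
    cat > "$root/site-b/images/.htaccess" <<'EOF'
php_value auto_prepend_file /home/user/.cache/.x.php
EOF
    echo "$root"
}

# scan_htaccess DOCROOT: print "<file>: <reason>" for each suspicious .htaccess.
scan_htaccess() {
    find "$1" -name .htaccess -type f | sort | while read -r f; do
        # a RewriteCond on the Referer paired with a RewriteRule to another host
        if grep -q 'RewriteCond[[:space:]]*%{HTTP_REFERER}' "$f" &&
           grep -qE 'RewriteRule[[:space:]].*https?://' "$f"; then
            echo "$f: referrer-conditioned rewrite to an external URL"
        fi
        # auto_prepend/append_file drags a foreign script into every PHP request
        if grep -qE 'auto_(prepend|append)_file' "$f"; then
            echo "$f: php auto_prepend/append_file directive"
        fi
    done
}

# Demo run against the constructed data.
detect_cloaking "$RESP_WITH_REFERER" "$RESP_DIRECT" www.newwineireland.org
root=$(make_sample_docroot)
scan_htaccess "$root"
rm -rf "$root"
```

On a real host, feed detect_cloaking the output of `curl --include` run once with `-e` set to a search-engine URL and once without, and point scan_htaccess at the whole home directory rather than one site's folder: the rule the poster found was sitting under a different domain on the same account, and on a shared host with no root access (as reported in the comments) the Apache config in /etc is out of reach anyway, so the account's own files are the only place left to look.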