Jump to content

Htaccess Hack

masson

By masson
in Abuse Related

 Share

Recommended Posts

masson Rookie

masson

Posted
Posted

In my Movable Type archives directory, I noticed that in the archives directory and all of the subdirectories a .htaccess file had been inserted such that if a URL were entered to a file that did not exist within the archive directory, the person was redirected to a site with the URL: "search.ug". I removed all of the .htaccess files and changed my main password. I also saw a number of .php files in the archives subdirectories I believe to be suspect. However, I don't know enough about php files or the "normal" structure of Movable Type to know if those php files are legitimate or not.

 

Right now, my error log shows my site getting hit with archives request at the rate of about 15 per minute.

Link to comment
Share on other sites
TCH-Rob Grand Master

TCH-Rob

Posted
Posted

I went through 13 pages in Google looking for something related and I only found one thing that was remotely close. Here is a partial quote of what I found.

 

The hijackers had not only installed the downloader on all my archive pages (which I got rid of), but they also rewrote my htaccess file so that, if anyone clicked on a link that had nothing to go to, they would be redirected to the Search.ug page via the "configs.php" file they also uploaded to my server. My htaccess would read the php file, and redirect people when they clicked a bad link.

 

I redid my htaccess file and deleted the configs.php, and I now get my normal 404 page.

 

You also need to go through and check your permissions on your files on your server - I found *many* of mine were set to 666 and 777, when they should have been set to either 755 or 644.

 

Let us know how it goes and welcome to the forums.

Link to comment
Share on other sites
masson Rookie

masson

Posted
  • Author
Posted
Did you get it all fixed?

 

Per the suggestion above, I submitted a ticket and it looks like it's been referred up the chain. Raj Nair advised that he locked down the problem directory and referred the matter to abuse.

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted
Not the first time we have seen this issue.

 

In your case it was caused by 777 permissions on a publicly accessible folder.

 

Watch your permisssions in the future.

Sorry to butt in, but I'm still a little confused by this. Does this mean that someone else on the server is doing this? Wouldn't they have to be logged onto the server before they could write to files, even if they are chmod 777? Also, the suggestion has been to have the help desk change any folders that need to be writable by scripts to be owned by "nobody" and chmod 755, which I have done. But, it seems to me that the most likely way a hacker would get access to the server would be through a vulnerablilty in a script, in which case, wouldn't they be accessing things as user "nobody" anyhow?

 

Sorry if I'm being a pain (and if I am, just say so and I'll go away :) ) but I still don't quite understand how people are getting access to these files and how to stop it.

Link to comment
Share on other sites
jayson Experienced

jayson

Posted
Posted

Sorry to also butt in, but I have been watching this thread, which files should not be a 777, I believe all my files are 755. Is that good or bad? I also have a forum. what should I set the files to.

 

If I am being a pain, I will also go away. :)

Link to comment
Share on other sites
Head Guru Grand Master

Head Guru

Posted
Posted

If a folder has 777 permissions anyone can write to it. This means my next door neighbor could upload a file to that folder and run it from a browser and thus execute that particular file on the server.

 

There at one point was a PHP (4.3.11) issue that would give a remote user full read/write permission to a 777 folder even if the folder was located in a 700 folder. This issue was corrected with the newest release of 4.4.1 PHP so that can not occur any longer. The new version of PHP respects top level paths.

 

People are gaining access to these files because the person or script that created the folders or files created them with world writable permissions. It really is that simple. I could change any of your files in a folder you set to 777. :)

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted
If a folder has 777 permissions anyone can write to it. This means my next door neighbor could upload a file to that folder and run it from a browser and thus execute that particular file on the server.

But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server.

 

There at one point was a PHP (4.3.11) issue that would give a remote user full read/write permission to a 777 folder even if the folder was located in a 700 folder. This issue was corrected with the newest release of 4.4.1 PHP so that can not occur any longer. The new version of PHP respects top level paths.
That seems like a bad thing. :) But chmod 777 wouldn't have made a bit of difference in this case

 

People are gaining access to these files because the person or script that created the folders or files created them with world writable permissions. It really is that simple. I could change any of your files in a folder you set to 777. :)

This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything. Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc?

 

Again... not trying to be a pest... (getting hard to believe, I'm sure ;) ) I just want to understand how these sites are getting hacked so mine doesn't join them!

Link to comment
Share on other sites
TCH-Rob Grand Master

TCH-Rob

Posted
Posted
But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server.
You do not need to log into the server per se, no username and password required. Just accessing the website is enough. All you need to do is know the path to the file in order to modify it if perms are set to 777.

 

In those numbers the first 7 tells what you, the owner of the file, have permission to do. The second one is the group's permissions. The last one tell us what everyone else in the world may do.

 

This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything.

 

There is world and again, it has nothing to do with "logging" on. There is guest access to the server. When a visitor comes to your site, they get there as a guest. Most of the time they only have read permissions though. If you give write and execute permissions, the last 7, then they can do whatever they want with that file.

 

Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc?

 

There is protection against that but if you allow the world access to that file and they know the path then it makes no difference what we do. If a file has 755 perms then they cannot change it unless they compromise your account in some other way so that the server thinks you are the owner and they chmod the file to 777 as owner. At least as far as I understand things.

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted (edited)
When a visitor comes to your site, they get there as a guest. Most of the time they only have read permissions though. If you give write and execute permissions, the last 7, then they can do whatever they want with that file.
When a user comes to my site, they are interacting with apache which is "logged in" as user "nobody"

 

[Edit] One other thing... The recomended way of securing these folders has been to change the owner to "nobody" and chmod 755, but if apache, php, etc is running as nobody, then they'd have write acess anyhow.[/Edit]

If a file has 755 perms then they cannot change it unless they compromise your account in some other way so that the server thinks you are the owner and they chmod the file to 777 as owner.

But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?

Edited by click
Link to comment
Share on other sites
TCH-Mark Collaborator

TCH-Mark

Posted
Posted

Hello,

 

Even though apache is running as nobody chmod 777 is basically an open door for anyone (including nobody) to access the file.

 

The 755 on a PHP has only exectue permissions by that when the file its accessed or run execute through PHP mean PHP will parse it and run it so they wouldn't be able to view or read the actual PHP code.

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted

Isn't 755 read & execute permission? Wouldn't 711 be just execute permission? And wouldn't executing a php file require that php be able to read it. I can still read the source of php files that I've had the help desk chown nobody, chmod 755.

Link to comment
Share on other sites
MikeJ Veteran

MikeJ

Posted
Posted
But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?

 

In a perfect setup, your files would not be readable without being parsed by the webserver (which means db passwords, etc.. would not be viewable if they are in a parsed file like PHP). The primary reason websites get "hacked" is usually because the site owner has installed a vulnerable script that allows an outsider to get around the webserver processing to gain access as the user "nobody" to that site (which is why 777 permissions are bad and should be avoided as much as possible).

 

To protect against someone using a vulnerabile script to upload their own files, you should avoid 777 if at all possible (some uploading and editing scripts though may require 777 for certain directories). Directories owned by the user nobody with owner write permissions would also fall under this.

 

To protect db passwords and other file content that you don't want viewed, you should be very selective in what you install in your account, and always keep the software you use up to date (watch for security patches). While we can do a lot to protect accounts from each other, we can only do so much to protect account owners from their own software.

 

Btw, I'm speaking generally here, not specific to anyone's incident.

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted (edited)

OK. That is pretty much what I was trying to figure out. So, basically (if I understand correctly), having the help desk chown nobody, chmod 755 folders (as suggested here) is only marginally more secure overall and not secure at all (same as 777) if someone is taking advantage of a vulnerable script. Does this apply to vulnerable scripts in other users accounts as well?

 

Would putting the writable folder outside of my public_html folder help at all? Seems to me it wouldn't, but just thought I'd ask. Is there any way to secure a folder and allow php to write to it?

 

Seems like suexec would be much more secure in a shared environment, but I'm in over my head now as I don't know all the issues with implementing that. :)

Edited by click
Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted

On second thought, I guess suexec would give any scripts I am running complete access to ALL my files, rather than just those that are chmod 777. So, I guess my real question is whether vulnerable scripts in other users accounts can access my account.

 

Thanks everyone.

Link to comment
Share on other sites
click Enthusiast

click

Posted
Posted
No they can not.

Excellent! So a folder that is writable by user nobody is only vulnerable to scripts that I am running, then. I was concerned that someone hacking an old script in another user's account might be able to reach across the server and mess with my files.

 

Thanks for your patience, everyone, and keep up the good work... I'll leave you alone now. :thumbup1:

Link to comment
Share on other sites
  • 9 months later...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...