Htaccess Hack


26 replies to this topic

#1 masson (Members; New To The Neighborhood; 11 posts)
Posted 12 January 2006 - 04:56 PM

In my Movable Type archives directory, I noticed that in the archives directory and all of the subdirectories a .htaccess file had been inserted such that if a URL were entered to a file that did not exist within the archive directory, the person was redirected to a site with the URL: "search.ug". I removed all of the .htaccess files and changed my main password. I also saw a number of .php files in the archives subdirectories I believe to be suspect. However, I don't know enough about php files or the "normal" structure of Movable Type to know if those php files are legitimate or not.

Right now, my error log shows my site getting hit with archives request at the rate of about 15 per minute.

#2 TCH-Mark (Members; Forum Moderator; 175 posts)
Posted 12 January 2006 - 04:59 PM

Hello,

The best thing to do right now is open a support ticket and let a tech look at your site. If your site has been hacked, it's best to get it checked straight away.

Welcome to the forums!

#3 masson (Members; New To The Neighborhood; 11 posts)
Posted 12 January 2006 - 05:08 PM

Thanks. Ticket submitted.

#4 TCH-Bruce (Members; Volunteer Moderator; 19,960 posts)
Posted 12 January 2006 - 05:20 PM

Welcome to the forums masson :D

Bruce Richards
Forum Moderator
TotalChoice Hosting, Inc.
Webhosting by Total Choice Web Hosting - General Support Forum

I am a Forum Moderator. While I can assist in answering most of your hosting related questions, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.


#5 TCH-Rob (Members; Help Desk Manager; 7,797 posts)
Posted 12 January 2006 - 05:40 PM

I went through 13 pages in Google looking for something related and I only found one thing that was remotely close. Here is a partial quote of what I found.

> The hijackers had not only installed the downloader on all my archive pages (which I got rid of), but they also rewrote my htaccess file so that, if anyone clicked on a link that had nothing to go to, they would be redirected to the Search.ug page via the "configs.php" file they also uploaded to my server. My htaccess would read the php file, and redirect people when they clicked a bad link.
>
> I redid my htaccess file and deleted the configs.php, and I now get my normal 404 page.
>
> You also need to go through and check your permissions on your files on your server - I found *many* of mine were set to 666 and 777, when they should have been set to either 755 or 644.


Let us know how it goes and welcome to the forums.
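
The hijack Rob quotes above (a rewritten .htaccess that hands every missing archive URL to a dropped configs.php, on top of 666/777 permissions) leaves two artifacts that can be looked for mechanically. The script below is an added example, not code from the thread, from Movable Type or from TotalChoice: it walks a web root, flags anything world-writable, and flags .htaccess directives that send a 404 or a redirect to a .php file or to another host. The sample tree it builds is constructed, and the exact directive text `ErrorDocument 404 /archives/configs.php` is an assumption about what the hijacked file contained; the post only describes the behaviour.

```python
"""Audit a web root for the two artifacts described in the thread:
world-writable files/directories and .htaccess files that hand
missing-URL requests (404s) or redirects to a script or another host.
Added example, not code from the original post or from Movable Type.
"""
import os
import re
import stat
import tempfile

# Directives that can turn a 404 or any request into a redirect/handler.
# The hijack in the thread used an .htaccess pointing at configs.php;
# the exact directive text is an assumption, the post only describes it.
SUSPECT_DIRECTIVE = re.compile(
    r"^\s*(ErrorDocument|Redirect(Match)?|RewriteRule)\b(.*)$", re.IGNORECASE)


def suspicious_htaccess_lines(path):
    """Return directive lines that send traffic to a .php file or another host."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = SUSPECT_DIRECTIVE.match(line)
            if not m:
                continue
            target = m.group(3)
            if re.search(r"\.php\b|https?://", target, re.IGNORECASE):
                hits.append(line.strip())
    return hits


def world_writable(mode):
    """True when the 'other' write bit is set (last octal digit 2, 3, 6 or 7)."""
    return bool(mode & stat.S_IWOTH)


def audit(root):
    """Walk root; return {'world_writable': [(relpath, mode)], 'htaccess': {relpath: [lines]}}."""
    findings = {"world_writable": [], "htaccess": {}}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless; skip it
            if world_writable(st.st_mode):
                findings["world_writable"].append(
                    (os.path.relpath(full, root), oct(stat.S_IMODE(st.st_mode))))
        if ".htaccess" in filenames:
            p = os.path.join(dirpath, ".htaccess")
            lines = suspicious_htaccess_lines(p)
            if lines:
                findings["htaccess"][os.path.relpath(p, root)] = lines
    return findings


def _write(path, text, mode):
    """Create a file with fixed content and an explicit mode (umask-independent)."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_sample_tree():
    """Constructed sample site (not a real capture) reproducing the thread's pattern."""
    root = tempfile.mkdtemp(prefix="mt_audit_")
    archives = os.path.join(root, "archives")
    deep = os.path.join(archives, "2005", "12")
    os.makedirs(deep)
    # Legitimate top-level .htaccess: a plain custom 404 page, nothing to flag.
    _write(os.path.join(root, ".htaccess"), "ErrorDocument 404 /404.html\n", 0o644)
    # Hijacked archives .htaccess: missing pages go to the dropped PHP file (assumed text).
    _write(os.path.join(archives, ".htaccess"),
           "ErrorDocument 404 /archives/configs.php\n", 0o644)
    _write(os.path.join(archives, "configs.php"),
           "<?php /* constructed placeholder for the dropped file */ ?>\n", 0o666)
    _write(os.path.join(deep, "index.html"), "<html></html>\n", 0o644)
    os.chmod(archives, 0o777)                        # the open door
    os.chmod(os.path.join(archives, "2005"), 0o755)  # explicit, so umask cannot vary the result
    os.chmod(deep, 0o755)
    return root


if __name__ == "__main__":
    for key, value in audit(build_sample_tree()).items():
        print(key, value)
```

A flagged ErrorDocument is a lead, not proof: legitimate sites also route 404s to a PHP page, so compare any hit against a known-good copy of the site. Tightening the permissions without finding how the attacker obtained write access in the first place (a vulnerable script, a compromised password) only buys time.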

#6 masson (Members; New To The Neighborhood; 11 posts)
Posted 12 January 2006 - 06:51 PM

That was actually the site I came across that made me decide to just delete the .htaccess files.

#7 stevevan (Members; Immediate Family; 3,522 posts)
Posted 12 January 2006 - 07:24 PM

Welcome to the forums!
Steve, W4SJV

"When all else fails (and it will)...there's Amateur Radio!"
"It is better to let people THINK you're a fool than to open your mouth and remove all doubt."

#8 cajunman4life (Members; Immediate Family; 1,137 posts)
Posted 12 January 2006 - 08:42 PM

Welcome to the forums! :D
Aaron J. Graves

#9 TCH-Thomas (Members; Volunteer Moderator; 14,907 posts)
Posted 13 January 2006 - 03:35 AM

Welcome to the forum, masson. :flex:

Thomas Jikrantz
Forum Moderator
TotalChoice Hosting, Inc.

Any links or suggestions for third party software/sites should be used at your own risk. My opinions and recommendations are not necessarily those of TCH and TCH is not responsible.

As a Forum Moderator I can assist in answering many of your hosting related questions. However, I am unable to answer questions about specifics relating to your account such as billing and server related issues. Should you need assistance in these areas, please contact our Help Desk or our many other options. Another good place to find answers is with our help pages, tutorials and movie tutorials.
Web Hosting by Total Choice Web Hosting - 24/7 Help Desk


#10 TCH-Don (Members; Immediate Family; 11,642 posts)
Posted 13 January 2006 - 08:26 AM

Welcome to the forum, masson :flex:

Did you get it all fixed?

#11 masson (Members; New To The Neighborhood; 11 posts)
Posted 13 January 2006 - 09:51 AM

> Did you get it all fixed?


Per the suggestion above, I submitted a ticket and it looks like it's been referred up the chain. Raj Nair advised that he locked down the problem directory and referred the matter to abuse.

#12 TCH-Mark (Members; Forum Moderator; 175 posts)
Posted 13 January 2006 - 10:16 AM

Hey,

Sounds like it's on its way to a resolution :flex:

#13 Head Guru (Bill Kish; Admins; 6,797 posts)
Posted 13 January 2006 - 12:43 PM

Not the first time we have seen this issue.

In your case it was caused by 777 permissions on a publicly accessible folder.

Watch your permissions in the future.

Bill Kish

Head Cook and Bottle Washer

If you need help with your account or have any questions, please feel free to contact me using any of the contact methods below.  I can be reached 24 hours a day seven days per week.

Office :: 800-930-0485 x211
Mobile :: 248-632-3243

email: bill(at)totalchoicehosting.com

Instant Messenger -
AOL Instant Messenger: tchgurubill
Yahoo Messenger : tchgurubill
MSN Messenger : tchgurubill@hotmail.com

Thank you for your support and continued business


#14 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 02:54 PM

> Not the first time we have seen this issue.
>
> In your case it was caused by 777 permissions on a publicly accessible folder.
>
> Watch your permissions in the future.

Sorry to butt in, but I'm still a little confused by this. Does this mean that someone else on the server is doing this? Wouldn't they have to be logged onto the server before they could write to files, even if they are chmod 777? Also, the suggestion has been to have the help desk change any folders that need to be writable by scripts to be owned by "nobody" and chmod 755, which I have done. But, it seems to me that the most likely way a hacker would get access to the server would be through a vulnerability in a script, in which case, wouldn't they be accessing things as user "nobody" anyhow?

Sorry if I'm being a pain (and if I am, just say so and I'll go away :) ) but I still don't quite understand how people are getting access to these files and how to stop it.

#15 jayson (Members; Immediate Family; 634 posts)
Posted 13 January 2006 - 03:01 PM

Sorry to also butt in, but I have been watching this thread. Which files should not be 777? I believe all my files are 755. Is that good or bad? I also have a forum. What should I set the files to?

If I am being a pain, I will also go away. :)
In loving of a pet that is now departed.
Rasputin:
Born: ?/?/1992 (adopted from a shelter)
Adopted: 10/2/1995
Passed away: 11/25/2006

#16 Head Guru (Bill Kish; Admins; 6,797 posts)
Posted 13 January 2006 - 03:12 PM

If a folder has 777 permissions anyone can write to it. This means my next door neighbor could upload a file to that folder and run it from a browser and thus execute that particular file on the server.

There at one point was a PHP (4.3.11) issue that would give a remote user full read/write permission to a 777 folder even if the folder was located in a 700 folder. This issue was corrected with the newest release of 4.4.1 PHP so that can not occur any longer. The new version of PHP respects top level paths.

People are gaining access to these files because the person or script that created the folders or files created them with world writable permissions. It really is that simple. I could change any of your files in a folder you set to 777. :)

#17 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 03:48 PM

> If a folder has 777 permissions anyone can write to it. This means my next door neighbor could upload a file to that folder and run it from a browser and thus execute that particular file on the server.

But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server.

> There at one point was a PHP (4.3.11) issue that would give a remote user full read/write permission to a 777 folder even if the folder was located in a 700 folder. This issue was corrected with the newest release of 4.4.1 PHP so that can not occur any longer. The new version of PHP respects top level paths.

That seems like a bad thing. :) But chmod 777 wouldn't have made a bit of difference in this case.

> People are gaining access to these files because the person or script that created the folders or files created them with world writable permissions. It really is that simple. I could change any of your files in a folder you set to 777. :)

This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything. Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc?

Again... not trying to be a pest... (getting hard to believe, I'm sure ;) ) I just want to understand how these sites are getting hacked so mine doesn't join them!

#18 TCH-Rob (Members; Help Desk Manager; 7,797 posts)
Posted 13 January 2006 - 04:04 PM

> But your next door neighbor wouldn't be able to upload a file to that folder without first logging on to the server.

You do not need to log into the server per se, no username and password required. Just accessing the website is enough. All you need to do is know the path to the file in order to modify it if perms are set to 777.

In those numbers the first 7 tells what you, the owner of the file, have permission to do. The second one is the group's permissions. The last one tell us what everyone else in the world may do.

> This is where I really don't understand. I didn't think there was any such thing as "world writable" on *nix as there is no "guest" access to the server. Doesn't that just mean that all the users on that machine would have access to the file/folder? The rest of the world can't log onto the server and therefore shouldn't be able to do anything.


There is world and again, it has nothing to do with "logging" on. There is guest access to the server. When a visitor comes to your site, they get there as a guest. Most of the time they only have read permissions though. If you give write and execute permissions, the last 7, then they can do whatever they want with that file.

> Also, my understanding was that there was protection on the server to prevent access between accounts. Does this also mean that other users can read chmod 755 scripts that contain mysql passwords, etc?


There is protection against that but if you allow the world access to that file and they know the path then it makes no difference what we do. If a file has 755 perms then they cannot change it unless they compromise your account in some other way so that the server thinks you are the owner and they chmod the file to 777 as owner. At least as far as I understand things.

#19 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 04:12 PM

> When a visitor comes to your site, they get there as a guest. Most of the time they only have read permissions though. If you give write and execute permissions, the last 7, then they can do whatever they want with that file.

When a user comes to my site, they are interacting with Apache, which is "logged in" as user "nobody".

[Edit] One other thing... The recommended way of securing these folders has been to change the owner to "nobody" and chmod 755, but if Apache, PHP, etc. is running as nobody, then they'd have write access anyhow. [/Edit]

> If a file has 755 perms then they cannot change it unless they compromise your account in some other way so that the server thinks you are the owner and they chmod the file to 777 as owner.

But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?

Edited by click, 13 January 2006 - 04:24 PM.


#20 TCH-Mark (Members; Forum Moderator; 175 posts)
Posted 13 January 2006 - 04:31 PM

Hello,

Even though apache is running as nobody chmod 777 is basically an open door for anyone (including nobody) to access the file.

A PHP file at 755 has only execute permission, by which I mean that when the file is accessed or run through PHP, PHP will parse it and run it, so they wouldn't be able to view or read the actual PHP code.

#21 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 04:48 PM

Isn't 755 read & execute permission? Wouldn't 711 be just execute permission? And wouldn't executing a php file require that php be able to read it. I can still read the source of php files that I've had the help desk chown nobody, chmod 755.

#22 MikeJ (Members; Big Gorilla; 2,369 posts)
Posted 13 January 2006 - 05:09 PM

> But they can read it? The actual file, not the output of being run by php? Would they then be able to access my mysql databases using the login info contained in those php files?


In a perfect setup, your files would not be readable without being parsed by the webserver (which means db passwords, etc.. would not be viewable if they are in a parsed file like PHP). The primary reason websites get "hacked" is usually because the site owner has installed a vulnerable script that allows an outsider to get around the webserver processing to gain access as the user "nobody" to that site (which is why 777 permissions are bad and should be avoided as much as possible).

To protect against someone using a vulnerable script to upload their own files, you should avoid 777 if at all possible (some uploading and editing scripts though may require 777 for certain directories). Directories owned by the user nobody with owner write permissions would also fall under this.

To protect db passwords and other file content that you don't want viewed, you should be very selective in what you install in your account, and always keep the software you use up to date (watch for security patches). While we can do a lot to protect accounts from each other, we can only do so much to protect account owners from their own software.

Btw, I'm speaking generally here, not specific to anyone's incident.
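
Rob's explanation of the three digits (#18), click's observation that chown nobody plus 755 still leaves the directory writable by nobody (#19), click's question about whether 755 is read-and-execute rather than execute-only (#21) and MikeJ's point about a vulnerable script running as nobody (#22) all come down to how the kernel picks which digit applies to a given process. The code below is an added example, not from the thread or from the host; the uids and names are assumptions chosen to mirror the discussion (a hosting account, Apache's nobody, a neighbouring account). It reproduces each case argued above and shows that the mode bits alone cannot tell Apache's uid apart from a neighbour's: whether a neighbouring account's scripts can actually reach a file also depends on the permissions of the directories above it and on whatever isolation the host adds, which the digits on the file do not express.

```python
"""Evaluate Unix mode bits the way the kernel does, for the identities the
thread argues about: the hosting account, Apache's 'nobody', a neighbour.
Added example, not code from the thread or the host; all uids are assumed."""
import stat

# Assumed identities (not from the page): the account owner, the web server,
# and an unrelated account on the same shared machine.
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001
NOBODY_UID, NOBODY_GID = 99, 99
NEIGHBOUR_UID, NEIGHBOUR_GID = 1002, 1002

PERM_BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def permission_class(file_uid, file_gid, uid, gids):
    """Exactly one digit applies: owner if the uid matches, else group if the
    file's gid is among the process's groups, else other. Classes do not
    accumulate, so a 0o077 file is unreadable by its own (non-root) owner."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"


def allowed(mode, file_uid, file_gid, uid, gids, want):
    """True if a process (uid, gids) may 'r', 'w' or 'x' the object.
    Mode bits only: root (uid 0) bypasses these checks, and ACLs, chroot or
    jailing that a host adds are outside what the digits express."""
    cls = permission_class(file_uid, file_gid, uid, gids)
    return bool(mode & PERM_BITS[cls][want])


def tighten(mode):
    """Remove group and world write: 0o777 -> 0o755, 0o666 -> 0o644."""
    return mode & ~(stat.S_IWGRP | stat.S_IWOTH)


def scenarios():
    """The concrete cases from the discussion, label -> allowed?"""
    nobody = (NOBODY_UID, {NOBODY_GID})
    neighbour = (NEIGHBOUR_UID, {NEIGHBOUR_GID})
    acct = (ACCOUNT_UID, ACCOUNT_GID)
    return {
        # 777 on a web-visible directory: Apache, and any script it runs,
        # may create files there without any login.
        "nobody writes to 777 dir owned by account": allowed(0o777, *acct, *nobody, "w"),
        "nobody writes to 755 dir owned by account": allowed(0o755, *acct, *nobody, "w"),
        # chown nobody + 755 still lets nobody write: it is now the owner.
        "nobody writes to 755 dir owned by nobody":
            allowed(0o755, NOBODY_UID, NOBODY_GID, *nobody, "w"),
        # A 644 config is readable by every uid on the box that can reach it;
        # the bits cannot tell Apache apart from a neighbouring account.
        "nobody reads 644 config owned by account": allowed(0o644, *acct, *nobody, "r"),
        "neighbour reads 644 config owned by account": allowed(0o644, *acct, *neighbour, "r"),
        "neighbour reads 640 config owned by account": allowed(0o640, *acct, *neighbour, "r"),
        # 755 is read+execute for everyone; 711 is execute-only for non-owners.
        "neighbour reads 755 script": allowed(0o755, *acct, *neighbour, "r"),
        "neighbour reads 711 script": allowed(0o711, *acct, *neighbour, "r"),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{'ALLOWED' if ok else 'denied ':8} {label}")
```

The practical reading: a directory that Apache must write into is writable by everything Apache runs, whatever its owner, so keep such directories few, outside the document root where the application allows it, and free of anything the server will execute; and a 644 file is readable by any uid that can traverse the path to it, so the cross-account protection has to come from the directories above and the host's isolation, not from the file's own digits.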

#23 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 05:34 PM

OK. That is pretty much what I was trying to figure out. So, basically (if I understand correctly), having the help desk chown nobody, chmod 755 folders (as suggested here) is only marginally more secure overall and not secure at all (same as 777) if someone is taking advantage of a vulnerable script. Does this apply to vulnerable scripts in other users accounts as well?

Would putting the writable folder outside of my public_html folder help at all? Seems to me it wouldn't, but just thought I'd ask. Is there any way to secure a folder and allow php to write to it?

Seems like suexec would be much more secure in a shared environment, but I'm in over my head now as I don't know all the issues with implementing that. :)

Edited by click, 13 January 2006 - 05:35 PM.


#24 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 06:13 PM

On second thought, I guess suexec would give any scripts I am running complete access to ALL my files, rather than just those that are chmod 777. So, I guess my real question is whether vulnerable scripts in other users accounts can access my account.

Thanks everyone.

#25 Head Guru (Bill Kish; Admins; 6,797 posts)
Posted 13 January 2006 - 08:33 PM

No they can not.

#26 click (Members; Distant Family; 138 posts)
Posted 13 January 2006 - 09:09 PM

> No they can not.

Excellent! So a folder that is writable by user nobody is only vulnerable to scripts that I am running, then. I was concerned that someone hacking an old script in another user's account might be able to reach across the server and mess with my files.

Thanks for your patience, everyone, and keep up the good work... I'll leave you alone now. :thumbup1:

#27 BluegrassGardener (Members; Family Friend; 91 posts)
Posted 29 October 2006 - 03:38 AM

Great discussion on this issue. I believe I finally understand :)



