Hatrack River Forum » Books, Films, Food and Culture

Topic: Anyone know anything about Apache
Dagonee
My site has been hacked (again). This time, all the files are still intact - I've examined every single one I have access to.

The way it works is that almost any URL I type in goes to the same page. I've checked .htaccess to see if it's redirecting anything. Other than that, I'm not sure how this could be done short of a DNS spoofing attack, which I don't think it is.

Does anyone know what files I could look at to see if a redirect has been set up? Maybe some kind of weird caching? I don't know enough about Apache to know where to start.

Posts: 26071 | Registered: Oct 2003

TomDavidson
Dag, both your site and the Seaton Prince site resolve to a location on secureserver.net. Is that in fact your host? If so, I suspect a hosting problem.
Posts: 37423 | Registered: May 1999

Dagonee
Can you see where dprhensim19.doteasy.com resolves? (How do you do that?) My host is doteasy, and this address is definitely my server.
Posts: 26071 | Registered: Oct 2003

Fahim
quote:
Originally posted by Dagonee:
Can you see where dprhensim19.doteasy.com resolves? (How do you do that?) My host is doteasy, and this address is definitely my server.

It redirects to a new port (19638) and ends up here:
https://dprhensim19.doteasy.com:19638/webhost/rollout/site

Seems to be some sort of Site Administration panel?

Posts: 136 | Registered: Aug 2003

Dagonee
Yep. It gives access to all the data on my site, and none of it appears to explain this behavior.

I thought it might be a redirect, but I don't have access to an httpd.config, so I can't check that.

Posts: 26071 | Registered: Oct 2003

Icarus
Apache dancing is sexy.

Does that help?

Posts: 13679 | Registered: Mar 2002

Fahim
I take it that you don't have access to the Apache config file itself? The redirect might be in the Apache config file - or your default index file (index.htm, index.html, index.php) might have had a redirect added to it by somebody ...
Posts: 136 | Registered: Aug 2003

Dagonee
I checked the default file - my index.php file is clean, and I don't have an index.htm or index.html file unless they're hidden.

I don't have access to the Apache config, so I think I'm stuck waiting for tech support to wake up tomorrow morning.

Posts: 26071 | Registered: Oct 2003

Demonstrocity
Apache?
Posts: 246 | Registered: Jul 2006

Icarus
Dude!

That is awesome!!!

[Big Grin]

Posts: 13679 | Registered: Mar 2002

fugu13
It's not in the HTML or JavaScript.

code:
~/Desktop% telnet princeclan.org 80
Trying 64.151.204.52...
Connected to princeclan.org.
Escape character is '^]'.
GET /
<html>

<head>
<META NAME="Title" CONTENT="ENO7 (TURKISH HACKER)">
<META NAME="Subject" CONTENT="HACKED BY ENO7 (TURKISH)">
<META NAME="Description" CONTENT="eno7 was here, HACKED BY TURKISH HACKER ENO7">
<META NAME="Distribution" CONTENT="Global">
<META NAME="Robots" CONTENT="All">

<meta http-equiv="Content-Language"

content="tr">
<meta name="GENERATOR"

content="Microsoft FrontPage 5.0">
<meta name="ProgId"

content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"

content="text/html; charset=windows-1254">
<title>ENO7 (TURKISH HACKER) "AYYILDIZ TIM DELTA SALDIRI TIMI"</title>
</head>
. . .


Posts: 15770 | Registered: Dec 2001

Dagonee
Yep. That code isn't anywhere on my server that I have access to. I'm very confused. [Frown]
Posts: 26071 | Registered: Oct 2003

fugu13
My suspicion is that the controller code for the CMS has been replaced such that it always regurgitates that.

BTW, have I mentioned how annoying I'd find the lack of shell access [Wink] ?

Looks like he sticks it in configuration.php or somesuch: http://forum.mamboserver.com/showthread.php?p=378826

Posts: 15770 | Registered: Dec 2001

fugu13
BTW, you should update your integrity checking script to send you the MD5s of all the files (have it skip image directories, or only do them rarely, or only MD5 the first few hundred bytes of a file), that'll make changes pop out at you.
Posts: 15770 | Registered: Dec 2001
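The integrity-checking script fugu13 describes above, as an added example that is not code from the thread or from the site in question: a SHA-256 manifest of every file under a web root, with files inside image directories digested only over their first few hundred bytes, and a comparison that reports added, removed and changed files. The directory names treated as image directories, the partial-hash length, and the sample site tree are assumptions constructed for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Assumptions for this example: which directory names count as "image directories",
# and how many leading bytes to digest for files inside them.
IMAGE_DIRS = {"images", "img", "media"}
PARTIAL_BYTES = 512


def digest_file(path, limit=None):
    """SHA-256 of a file; if limit is set, only the first `limit` bytes are hashed."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        if limit is None:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        else:
            h.update(fh.read(limit))
    return h.hexdigest()


def build_manifest(root):
    """Map each file (relative POSIX path) under root to its digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        partial = any(part in IMAGE_DIRS for part in rel_dir.parts)
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            manifest[rel] = digest_file(full, PARTIAL_BYTES if partial else None)
    return manifest


def compare_manifests(baseline, current):
    """Report files added, removed, or whose digest changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo():
    """Constructed site tree: overwrite configuration.php in place, append to an
    image beyond the partial-hash window, drop in a new file, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "images").mkdir()
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "configuration.php").write_text("<?php $db_host = 'localhost'; ?>\n")
        (site / "images" / "logo.jpg").write_bytes(b"\xff\xd8" + b"\x00" * 2000)

        baseline = build_manifest(site)

        # Same name, different content: a digest catches this even when the
        # modification date looks untouched.
        (site / "configuration.php").write_text("<?php /* replaced content */ ?>\n")
        # Bytes appended past PARTIAL_BYTES are invisible to the partial digest;
        # that is the trade-off of hashing only the head of large media files.
        with open(site / "images" / "logo.jpg", "ab") as fh:
            fh.write(b"trailing bytes")
        (site / "new_file.php").write_text("<?php /* new file */ ?>\n")

        return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

Run it on a cron schedule against a baseline manifest stored off the web host (the mailed-out digest fugu13 suggests works), and treat any entry in "changed" or "added" as something to look at by hand. The partial digest for image directories keeps the run cheap, at the cost of missing changes deep inside those files, which the demo deliberately shows.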
Dagonee
OK, that's very strange. The modified date on the configuration.php file was very old - I'm not sure how they changed that without the date changing.

I've changed it to read only (only the owner had write access), hopefully that will help. But it's worrisome. How did they get owner access to that file?

Thanks for the help.

Posts: 26071 | Registered: Oct 2003

rivka
Eleven.
Posts: 32919 | Registered: Mar 2003

fugu13
I wouldn't be surprised if there's an exploit for Mambo or one of the common modules that hasn't been publicized/patched. PHP CMSes are known to be, with few exceptions, hives of security problems.

edit: you might be able to find it with some log audits, assuming he didn't edit those. I have some knowledge in that regard if you want me to take a look and can narrow in on some excerpts based on exploit time.

Posts: 15770 | Registered: Dec 2001
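The log audit fugu13 proposes above, narrowed by the time the file appeared, as an added example (not code from the thread or the site): parse Apache combined-format access log lines, keep the requests within a window around a pivot time such as the creation time of the altered file, and surface the non-GET requests and direct hits on administrative or configuration paths, with a per-client count. The log lines, addresses, dates and the list of watched paths are constructed for this example; only the 15:04 time of day comes from the thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size,
# "referer", "user-agent". The sample lines below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (addresses are documentation ranges, the date is made up).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2006:12:00:01 -0400] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2006:12:00:02 -0400] "GET /images/logo.jpg HTTP/1.1" 200 4012 "http://example.org/" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2006:15:03:41 -0400] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 7990 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jul/2006:15:03:58 -0400] "POST /administrator/index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jul/2006:15:04:10 -0400] "GET /configuration.php HTTP/1.1" 200 11 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jul/2006:15:09:30 -0400] "GET / HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2006:18:30:00 -0400] "GET /index.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
"""

# Assumed paths worth a second look when they show up near the incident time.
WATCHED_PREFIXES = ("/administrator", "/configuration.php")


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            records.append(rec)
    return records


def requests_near(records, pivot, window=timedelta(minutes=10)):
    """Requests within +/- window of the pivot time."""
    return [r for r in records if abs(r["ts"] - pivot) <= window]


def triage(records):
    """Non-GET requests and hits on watched paths, plus how many requests each client made."""
    flagged = [r for r in records
               if r["method"] != "GET" or r["path"].startswith(WATCHED_PREFIXES)]
    return flagged, Counter(r["ip"] for r in records)


def demo():
    """Pivot on 15:04 (the file creation time mentioned in the thread; date constructed)."""
    records = parse_log(SAMPLE_LOG)
    pivot = datetime.strptime("10/Jul/2006:15:04:00 -0400", TS_FMT)
    flagged, by_ip = triage(requests_near(records, pivot))
    return [(r["ip"], r["method"], r["path"]) for r in flagged], dict(by_ip)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The window and the watched prefixes are the two knobs: widen the window if the file's timestamp is untrustworthy, and add whatever administrative entry points the CMS actually exposes. As fugu13 notes, this only works if the logs themselves were not edited, so a gap or an out-of-order timestamp inside an otherwise busy period is itself a finding.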
Icarus
From GreNME:
quote:
The hack is a basic "SQL injection" hack, which is why you cannot find any instance of that HTML code in your files on the site. The HTML is located in your database and generated when the headers (or wherever the code was injected) are called by the site files.

To fix this, you need to get into your website control panel. Hopefully, you have access to your database to be able to edit tables. Depending on the type of control panel you have for it, you can perform a search for a string of that code (just a snippet should do). Or, if you had the foresight to back things up, you can restore from a backup. Once that is fixed, you should be able to get to your page in a reasonable condition.

If you need more help there, e-mail me and I'll do what I can to help. I can also help you harden your site against such things in the future, which would include adding a bit of extra code in the files but would mostly involve changing file and folder permissions to a slightly-different-than-instructed-but-totally-functional configuration that is the cause of many holes like this. In fact, most files for content management systems like mambo have to do with the "xmlrpc.inc" file or the folder that holds it (often called "includes").

I've recently dealt with this stuff and with forum software, so if you need assistance I will do what I can.


Posts: 13679 | Registered: Mar 2002

fugu13
Somewhat amusingly, he's wrong in this case, but he raises some legitimate security points.
Posts: 15770 | Registered: Dec 2001

Dagonee
I found out that the modified date doesn't update when they create a new file with the same name.

fugu, check your email. The file is configuration.php. The time it was created was 15:04 today.

Icarus, I'll take John up on that, but I can't until after the bar exam. If this happens again, I'm going to have to strip the site and put a "down until August" notice up.

Thanks, everyone!

Posts: 26071 | Registered: Oct 2003
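Dagonee's puzzle above was a replaced configuration.php whose modified date looked very old even though the file was created at 15:04. Whatever left the date old, a defender has a second timestamp to read: on POSIX systems the inode change time (st_ctime) is updated by the kernel on every write, rename, chmod or chown and has no user-space setter, whereas the modification time can be set to anything with utime() or touch. The check below is an added example, not code from the thread; the file name, its content and the one-year backdating are constructed for the demonstration.

```python
import os
import tempfile
import time
from pathlib import Path


def timestamp_skew(path, tolerance_seconds=60):
    """Compare a file's modification time with its inode change time.

    A modification time far older than the change time means the file was
    written or replaced recently and then had its mtime set back (or was
    copied in with its old mtime preserved). Either way it deserves a look.
    Note: on Windows st_ctime is the creation time, so the test still fires
    for a freshly created file carrying an old mtime, but for a different reason.
    """
    st = os.stat(path)
    skew = st.st_ctime - st.st_mtime
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "backdated": skew > tolerance_seconds,
    }


def scan_tree(root, tolerance_seconds=60):
    """Relative paths of all files under root whose mtime lags their ctime."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if timestamp_skew(full, tolerance_seconds)["backdated"]:
                hits.append(full.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Constructed case: one untouched file and one whose mtime is pushed a year back."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        cfg = site / "configuration.php"
        cfg.write_text("<?php /* replaced content */ ?>\n")
        a_year_ago = time.time() - 365 * 86400
        # utime() sets atime and mtime only; the kernel bumps ctime to "now" as a side effect.
        os.utime(cfg, (a_year_ago, a_year_ago))
        return timestamp_skew(site / "index.php"), timestamp_skew(cfg), scan_tree(site)


if __name__ == "__main__":
    fresh, backdated, hits = demo()
    print("index.php backdated:", fresh["backdated"])
    print("configuration.php backdated:", backdated["backdated"])
    print("files to inspect:", hits)
```

The tolerance absorbs the normal few seconds between a write and a later permission change. A content digest is still the stronger control, since an attacker with write access can also rewrite a file after setting the system clock back, but the ctime check costs nothing and catches the common case of a replaced file wearing an old date.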
   

Copyright © 2008 Hatrack River Enterprises Inc. All rights reserved.