#1
Solution to 777 directory hack problem?
I have been hacked twice now by somebody (or some script) that uploads an .htaccess file and a randomly named PHP script to any directories CHMODed 777 on my site. The .htaccess redirects any 404s to the PHP script that is uploaded, and the PHP script redirects the user to a third-party website. This has gotten me banned from Google because somehow the search engines grab a bunch of URLs pointing to the directory with random porn and warez phrases after the directory URL.
I can't CHMOD the affected directories (image directories) because of the nature of our website (images are uploaded on a constant basis), but I started thinking: what if I upload an .htaccess file that is CHMOD'd 644 and prevents PHP scripts from running in that directory? Would this work? What would I need to put in the .htaccess to prevent anything with a .php extension from running? Please overlook any ignorance that may be present (and probably is present) in this question -- I have very little knowledge of web security. Any help much appreciated... thanks... - B

#2
Well, I think you need to fix your security problems, rather than looking for a band-aid, because hackers are generally creative, and will probably find ways around what you're trying to do once they're in, but that's generally....
Find out how you were cracked, fix the hole, try to do an audit on your applications, and hope you don't get penetrated again. Having said that, uploading a .htaccess which can only be written to as root may work, just as long as Apache isn't running as root *cringes at the thought*. But it all depends on how you were penetrated; if it's simply a dodgy upload script, why not fix that and make life easier for yourself?

#3
Kuza55's right - fix the problem first, rather than band-aiding it. Personally, I'd move the uploads folder outside the document root, so it's NOT accessible via the web. Next, I'd run a cron script to move any IMAGE files alone (check the type, not just the extension) into the web-accessible directory. Next, it should be possible to turn off PHP execution for a certain dir (but you'll probably need to do it in your httpd.conf file); I've never done it, but it shouldn't be too hard to google up a solution.
--Simon

#4
Code:
AddType text/plain .php
Code:
AddType application/x-httpd-php-source .php
I would also do an examination of your server to make sure no malware has been installed on there, just in case.... And Simon, why would you upload outside the web root and then do checks with a cronjob? Wouldn't it be just as easy to do checks when the images are being uploaded? And you would then not have any malicious files even touching the file system outside a temporary directory.....which should be cleaned anyway.... I've also got a quick question: is there any way to make PHP reject file uploads except from certain scripts (I know mod_security simply disables all of them, but is there a way to disallow them, but to allow files to be sent to certain pages? Pages which would delete the items in question from the temp folder if they didn't pass the security checks....)?
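An added example, not from the thread or the original poster's host: one .htaccess that puts the AddType trick above together with the other Apache directives that serve the same purpose, for a directory that has to stay writable. It assumes AllowOverride grants FileInfo, Limit and Options for that path, and that PHP runs as mod_php (Apache 2.0/2.2-era syntax, as in the thread).

```apache
# Added example .htaccess for a directory that must stay writable by the
# upload process (e.g. /images/temp/). Assumptions: AllowOverride includes
# FileInfo, Limit and Options here; PHP runs as mod_php.

# 1. Turn the PHP engine off for this tree. Only valid under mod_php; with
#    PHP as CGI/suPHP this line gives a 500, so drop it in that case.
php_flag engine off

# 2. Same idea as the AddType line in the post above, widened to the other
#    PHP suffixes: unmap the handler so a dropped-in script is served as text.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5
AddType text/plain .php .phtml .php3 .php4 .php5

# 3. Better still, refuse to serve script-looking names from here at all.
<FilesMatch "\.(php|phtml|php[0-9]|phps|pl|cgi|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# 4. No CGI and no directory listings from an upload area.
Options -ExecCGI -Indexes

# 5. Post #1 describes a planted .htaccess that points ErrorDocument 404 at
#    the uploaded script. Make a missing URL a plain 404 here, overriding
#    any ErrorDocument inherited from a parent directory.
ErrorDocument 404 default
```

One caveat on the 644 idea: a file in a directory that is itself 777 can still be renamed or deleted by any local user, because unlink rights come from the directory's permissions, not the file's. So this file helps only while the web server user cannot delete files in that directory; it complements tightening the directory, it does not replace it.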

#5
How did they manage to upload the file? Are you running some public hosting?

#6
Yeah, it's public hosting. AllowOverride is on, so I can change the PHP filetype to text; thanks for the code to do it, couldn't seem to Google it last night. I don't think they did this through a file upload script; the upload script for these images is in an Apache auth protected area. I think it was done as a direct result of the directory being CHMOD'd 777 -- there were two other directories on my server that were CHMOD'd 777 (deeply nested directories inside two statistics scripts I had installed) and both of these other directories were hit as well. How do they upload to these directories? Through a browser?!?!??! I just don't understand the mechanism without them actually FTP'ing in... I am going to move the images outside of the web-accessible area and move them with a CRON job, but with my limited abilities it may take a while to figure it out and get it working, so I'll utilize the band-aid for now. Thanks for all the help...
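An added example, not the original poster's code, of the mover Simon describes in #3 with Kuza55's refinement from #4: a file gets into the web-visible image directory only if its content is an image, and the check can run either from cron over a quarantine directory or at upload time via `classify`. The accepted formats and the directory layout are assumptions.

```python
# Added example, not the original poster's code: accept files into the web image
# directory only when their content is an image (Simon's cron idea in #3, with
# Kuza55's point in #4 that the check belongs at upload time). Formats assumed.
import os
import re
import shutil

_MAGIC = {                      # leading bytes of the accepted formats
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Allowed stem: ".htaccess" (empty stem) and names with dots or spaces are rejected.
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def sniff_image(head):
    """Classify by magic bytes, not extension; PHP tags or .htaccess text -> None."""
    for magic, kind in _MAGIC.items():
        if head.startswith(magic):
            return kind
    return None

def classify(name, head):
    """Return ('accept', stored_name) or ('reject', None) for one file's first bytes."""
    stem, _, ext = name.rpartition(".")
    ext = "jpg" if ext.lower() == "jpeg" else ext.lower()
    kind = sniff_image(head)
    if kind is None or kind != ext or not _SAFE_STEM.match(stem):
        return "reject", None
    # Suffix comes from the sniffed type, so the stored name cannot lie about content.
    return "accept", f"{stem}.{kind}"

def move_safe_images(quarantine, webdir):
    """Cron-style pass: move verified images into webdir, delete everything else."""
    result = {"accepted": [], "rejected": []}
    for name in sorted(os.listdir(quarantine)):
        path = os.path.join(quarantine, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            verdict, stored = classify(name, fh.read(16))
        if verdict == "accept":
            shutil.move(path, os.path.join(webdir, stored))
            result["accepted"].append(stored)
        else:
            os.remove(path)   # never leave a reject where a scanner can find it
            result["rejected"].append(name)
    return result
```

A valid JPEG can still carry PHP in its metadata, so the no-execute .htaccess on the image directory is still needed; this gate only keeps non-images and odd names out.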

#7
I highly suspect you have a phpnuke/gallery or one of those apps with as many security holes as swiss cheese.
- Get an up-to-date version
- Find a similar app but with fewer security holes
Can you show us the logs of the actual hacks in progress?

#8
I think I found it (if not something like it)... the attack had already occurred in those image directories at this point, but this is the first mention of the GStats directory and the support directory in relation to weird stuff. All of these log entries were in one straight block of lines: (EDIT: all of the directories mentioned in the following block of requests were the directories that were affected)
Code:
208.185.80.98 - - [24/Sep/2005:22:14:01 -0400] "GET /images/properties/listings/100x75px/mosehtmbrq HTTP/1.0" 200 6344 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:01 -0400] "GET /images/properties/listings/320x240px/tsyrhvjoir HTTP/1.0" 200 6598 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:02 -0400] "GET /images/properties/listings/40x30px/rbyeoywdla HTTP/1.0" 200 6042 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:03 -0400] "GET /images/properties/listings/640x480px/mqyfhivmpy HTTP/1.0" 200 6529 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:04 -0400] "GET /images/properties/listings/280x210px/yoqeibucpk HTTP/1.0" 200 6016 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:04 -0400] "GET /images/properties/mls/vaiiefflkf HTTP/1.0" 200 5920 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:05 -0400] "GET /images/properties/mls/320x240px/ggpgqupsvt HTTP/1.0" 200 5989 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:06 -0400] "GET /images/temp/vdsanrkhep HTTP/1.0" 200 6185 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:06 -0400] "GET /support/web/eqgyjasiqe HTTP/1.0" 200 5972 "-" "Mozilla/4.0 (Yahoo!)"
208.185.80.98 - - [24/Sep/2005:22:14:07 -0400] "GET /statistics/gstats/images/graphs/woynemtfma HTTP/1.0" 200 6449 "-" "Mozilla/4.0 (Yahoo!)"
But all these are just requests, right? I don't see anything that shows an upload of a file -- what would I be looking for? Here are some of the hits on the non-existent URLs that were forwarding to the Russian search engine via the .htaccess and script (to further clarify what was happening):
Code:
4.153.215.62 - - [24/Sep/2005:22:14:57 -0400] "GET /images/properties/listings/640x480px/warez.lingvo.dictionary.crack.html HTTP/1.1" 302 5 "http://www.google.com/search?q=File+Scavenger+key&hl=en&lr=&rls=GGLG,GGLG:2005-38,GGLG:en&start=30&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; PeoplePal 6.2)"
203.144.143.7 - - [24/Sep/2005:22:16:09 -0400] "GET /images/properties/listings/640x480px/crack.diary.ru.html HTTP/1.1" 302 5 "http://www.google.co.th/search?q=dvd-cloner%2Bcrack&hl=th&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; FDM)"
65.214.44.167 - - [24/Sep/2005:22:16:13 -0400] "GET /images/properties/listings/640x480px/C.Sony.Ericson.T600.html HTTP/1.0" 404 0 "-" "Mozilla/2.0 (compatible; Ask Jeeves/Teoma; +http://sp.ask.com/docs/about/tech_crawling.html)"
69.66.166.173 - - [24/Sep/2005:22:16:14 -0400] "GET /images/properties/listings/640x480px/ghost.7.5.warez.download.html HTTP/1.1" 302 5 "http://www.google.com/search?q=rmt-u110&hl=en&hs=aPL&lr=&client=firefox-a&rls=org.mozilla:en-US:official_s&start=10&sa=N" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
71.97.0.181 - - [24/Sep/2005:22:16:49 -0400] "GET /images/properties/listings/640x480px/Evanescene.-.Hello.mp3.-.download.html HTTP/1.1" 302 5 "http://www.google.com/search?num=50&hs=KPL&hl=en&lr=&newwindow=1&safe=off&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial_s&q=dap+7.1+serial&btnG=Search" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
220.225.137.242 - - [24/Sep/2005:22:17:05 -0400] "GET /images/properties/listings/640x480px/sexkey.user.id.list.login.download.html HTTP/1.0" 302 0 "http://www.google.co.in/search?q=key+of+dr.divx&hl=en&lr=&start=10&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
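An added example, not part of the thread, answering "what would I be looking for" from the defender's side: a small triage over Apache combined-log lines that flags the two patterns visible in the post above, one client fetching many random 10-letter names under the writable directories and getting 200 (the scanner checking on its dropped files), and search-engine referers landing on keyword-stuffed .html names under an image directory and being 302'd away (the planted redirect at work). The watched directory list and the constructed sample lines are assumptions.

```python
# Added example, not from the thread: triage for the two log patterns in post #8.
# (a) one client, many random 10-letter names under the 777 trees, status 200.
# (b) search-engine referer -> keyword-stuffed .html under an image dir -> 302.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
WATCH_DIRS = ("/images/", "/support/", "/statistics/")   # the 777 trees named in the thread (assumed)
RANDOM_NAME = re.compile(r"^[a-z]{8,12}$")                # e.g. mosehtmbrq, vdsanrkhep
SEARCH_REF = re.compile(r"^https?://[^/]*(google|yahoo|ask|msn)\.", re.I)

def parse(line):
    """One combined-log line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines, min_paths=3):
    """Return {'probes': {ip: [paths]}, 'spam_landings': [(ip, path, referer)]}."""
    probes, landings = defaultdict(list), []
    for raw in lines:
        rec = parse(raw)
        if not rec or not rec["path"].startswith(WATCH_DIRS):
            continue
        base = rec["path"].rsplit("/", 1)[-1]
        if rec["status"] == "200" and RANDOM_NAME.match(base):
            probes[rec["ip"]].append(rec["path"])                     # pattern (a)
        elif rec["status"] == "302" and base.endswith(".html") and SEARCH_REF.match(rec["referer"]):
            landings.append((rec["ip"], rec["path"], rec["referer"]))  # pattern (b)
    # A client only counts as a scanner once it has hit several distinct such paths.
    probes = {ip: p for ip, p in probes.items() if len(set(p)) >= min_paths}
    return {"probes": probes, "spam_landings": landings}

# Constructed sample in the shape of post #8 (documentation-range addresses, not real clients).
SAMPLE = [
    '192.0.2.10 - - [24/Sep/2005:22:14:01 -0400] "GET /images/temp/vdsanrkhep HTTP/1.0" 200 6185 "-" "Mozilla/4.0 (Yahoo!)"',
    '192.0.2.10 - - [24/Sep/2005:22:14:02 -0400] "GET /support/web/eqgyjasiqe HTTP/1.0" 200 5972 "-" "Mozilla/4.0 (Yahoo!)"',
    '192.0.2.10 - - [24/Sep/2005:22:14:03 -0400] "GET /statistics/gstats/images/graphs/woynemtfma HTTP/1.0" 200 6449 "-" "Mozilla/4.0 (Yahoo!)"',
    '198.51.100.7 - - [24/Sep/2005:22:16:09 -0400] "GET /images/properties/listings/640x480px/crack.diary.ru.html HTTP/1.1" 302 5 "http://www.google.co.th/search?q=x" "Mozilla/4.0"',
    '198.51.100.8 - - [24/Sep/2005:22:16:13 -0400] "GET /images/properties/listings/640x480px/some.html HTTP/1.0" 404 0 "-" "Ask Jeeves/Teoma"',
    '203.0.113.5 - - [24/Sep/2005:22:20:00 -0400] "GET /images/properties/listings/640x480px/house.jpg HTTP/1.1" 200 6016 "http://www.example.com/listing" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, paths in triage(SAMPLE)["probes"].items():
        print(f"scanner {ip}: {len(paths)} hits, e.g. {paths[0]}")
```

The 200s are the tell: a directory that should only hold images answering 200 for names that were never uploaded by the site means the files are already there, so the upload itself happened through some other channel and has to be found in the logs of that channel (or in file timestamps), not in the access log.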

#9
BTW, the IP on those suspicious requests resolves to Lomag.net, which is a service that provides web hosting and *shell accounts* -- am I safe to assume that this is the source of my problem? Also, that IP performed the same requests on other days, so I am assuming it is an automated script of some type.
Also, I found these same type of requests by the same IP a few days before any of this activity started -- the first requests by this IP were on August 29th, Google visited the non-existent URLs on September 6th, and then all hell broke loose on the 8th.

#10
These hacks are done by an automated script that scans the server for any directories with write permissions.
While this will not stop you from being hacked, it will stop any automated scans from finding your directory. Chmod your public_html folder to 711.

#11
Search Engine Spiders
Hi, this is a good solution to prevent them from finding the directories. Thanks a lot! My website has been hacked several times and they have uploaded fake PayPal pages and ... to cheat people. It can be really dangerous for webmasters. My question is: can chmoding the public_html folder to 711 prevent the search engine spiders from crawling the website? Best regards, Vahid

#12
This cannot cause your website to get banned by Google. If that were the case, tinyurl.com would have been banned a long time ago.

Dev Shed Forums > System Administration > Security and Cryptography