Donovan
Client
Joined: Oct 07, 2003
Posts: 735
Location: Ohio
Posted: Wed Apr 19, 2006 1:07 pm
I have a site that I help out from time to time. I did an overhaul for them to RavenNuke with Sentinel 2.4.2 a couple of months ago. I FTP'd to their host and saw a strange .htaccess123 file.
Inside it said the following:
Code:
<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->
<html>
<head>
<title>HACKED By Amfibi-Slayer Hamd Olsun </title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-9">
<meta name="KeyWords" content="Amfibi-Slayer,Hacker,hacked,Hacked By Amfibi-Slayer,galatasaray,cyber-security">
</head>

There is more to this file, but I am not posting it.
If this was a hack attempt, how did Sentinel not pick this up, and how did this file get on the server?
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Wed Apr 19, 2006 1:28 pm
Well, that's weird, because the marker ...<!-- saved from url=(etc... --> is usually inserted in the case of copied websites.
evaders99
Former Moderator in Good Standing
Joined: Apr 30, 2004
Posts: 3221
Posted: Wed Apr 19, 2006 4:07 pm
The "saved from url" line seems to result from IE. Why it's on your server, no idea. But it's good to check access logs and make sure your software is up to date.
Dauthus
Worker
Joined: Oct 07, 2003
Posts: 211
Posted: Wed Apr 19, 2006 7:10 pm
Quote:
In scenarios where HTML documents are downloaded from the web, you can add a "mark of the Web" comment placed in the HTML file to their Web pages. For example, you might add <!-- saved from url=(0023)http://www.contoso.com/ --> to a Web page, where the (0023) value is the string length of your URL that follows it and Contoso is the name of your Web site. When Internet Explorer loads the file, it looks for a "saved from URL" comment, then reads the URL and uses the zone settings on the computer to determine what security policy to apply to the Web page. This Internet Explorer feature allows the HTML files to be forced into a zone other than the local zone, so that they can be assigned to the Internet zone and, with those reduced security privileges, run the script or ActiveX code.
In other words, that isn't a true .htaccess file. It is a web page. My guess is that what they are trying to do with the entire file is twofold.
1. Using this
Code:
<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->

will reduce the security zone in IE, thus allowing a script or hack on the page to run through IE that wouldn't normally be allowed to run with your normal security settings.
2. The remainder of the code (that which you did not post), I will bet, is some type of IE exploit. Thus, when the file is renamed to index.html or index.php and the user visits the site, by default their IE browser security zone is lowered and then a hostile script or code is run on their computer.
I would really do some serious looking into where this file came from. It is quite possible some type of spyware or malware is being added to visitors' computers via IE.
Vivere disce, cogita mori
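A scanner for the situation described in the post above, added here as an example and not code from this thread, from RavenNuke or from NukeSentinel. It walks a webroot looking for exactly what Donovan found: an HTML body sitting under an Apache config-style name, or any file carrying IE's "saved from url" mark-of-the-web comment, which has no business being on a server in the first place. It also compares the four-digit number in the comment with the length of the URL, since the documentation quoted above says the number is that length (the post's (0036) does match its 36-character URL). The sample webroot is constructed in a temp directory for the demo; every file name in it other than .htaccess123 is invented.

```python
"""Scan a webroot for HTML pages hiding under non-HTML names and for IE
"saved from url" (mark-of-the-web) comments.  Added example, not code
from the thread or from RavenNuke/NukeSentinel."""
import os
import re
import tempfile
from typing import List, NamedTuple, Optional

# IE's mark-of-the-web comment.  Per the documentation quoted in the
# thread, the four-digit number is the length of the URL that follows it.
MOTW_RE = re.compile(r"<!--\s*saved from url=\((\d{4})\)(\S+?)\s*-->", re.IGNORECASE)


class Motw(NamedTuple):
    declared_len: int
    url: str
    length_ok: bool  # declared length equals len(url)


class Finding(NamedTuple):
    name: str
    reason: str
    motw: Optional[Motw]


def parse_motw(text: str) -> Optional[Motw]:
    """Return the first mark-of-the-web comment in text, or None."""
    m = MOTW_RE.search(text)
    if not m:
        return None
    declared, url = int(m.group(1)), m.group(2)
    return Motw(declared, url, declared == len(url))


def looks_like_html(text: str) -> bool:
    head = text.lstrip()[:2048].lower()
    return any(tag in head for tag in ("<html", "<!doctype html", "<script"))


def scan_tree(root: str) -> List[Finding]:
    """Walk root and report files that should not be HTML but are, or that
    carry a mark-of-the-web comment at all (a server-side file has no
    reason to have been 'saved from' a browser)."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(65536).decode("latin-1")
            except OSError:
                continue
            motw = parse_motw(text)
            if name.startswith(".ht") and looks_like_html(text):
                findings.append(Finding(name, "HTML body under an Apache config-style name", motw))
            elif motw is not None:
                findings.append(Finding(name, "carries an IE mark-of-the-web comment", motw))
    return findings


# The fragment Donovan posted, reproduced here as constructed sample input.
SAMPLE_HTACCESS123 = """<!-- saved from url=(0036)http://www.ukleader.org.uk/index.htm -->
<html>
<head>
<title>HACKED By Amfibi-Slayer Hamd Olsun </title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
</head>
"""


def demo() -> List[Finding]:
    """Write a small constructed webroot to a temp dir and scan it.
    All file names except .htaccess123 are invented for the demo."""
    root = tempfile.mkdtemp(prefix="motw-scan-")
    samples = {
        ".htaccess123": SAMPLE_HTACCESS123,
        ".htaccess": "RewriteEngine On\nRewriteRule ^ index.php [L]\n",  # benign config, not flagged
        "index.html": "<!-- saved from url=(0014)about:internet -->\n<html></html>\n",  # length matches
        "notes.htm": "<!-- saved from url=(0010)http://example.test/ -->\n<html></html>\n",  # length wrong
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.name}: {f.reason}; motw={f.motw}")
```

Run it against a real webroot with `scan_tree("/path/to/htdocs")`; the benign .htaccess is deliberately left out of the results so the list stays short enough to read, and a mismatched length is reported rather than discarded, because a mangled marker is still evidence that an HTML page from somewhere else was dropped on the server.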
evaders99
Posted: Wed Apr 19, 2006 8:48 pm
Interesting, didn't know that. Dumb M$ products.
I don't see the exploit there... I guess he took it out.
Donovan
Posted: Thu Apr 20, 2006 12:27 pm
I can zip this and PM the location for those who want to see.
montego
Site Admin
Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
Posted: Fri Apr 21, 2006 8:22 am
Thanks Donovan, I wouldn't mind taking a look at it. I can forward it to the others as needed too.