 
08-22-2012, 07:32 PM
Dr Beco

Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9

Dear debianusers,

Does anyone know how to protect against unauthorized change of .htaccess?

I googled the "htttp://reltime2012.ru/frunleh?9 redirect problem" and
found out that a lot of sites (mainly using WordPress) got hacked and
are redirected to a Russian site.

One of my sites, that has Joomla (and not WordPress) also got hacked (again).

In the beginning of the .htaccess one can read:

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr).(.*)
RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]



I found some tutorials on how to fix the problem,

http://newmediamike.com/2012/07/reltime-2012-frunleh-redirection/

http://wptrainingonline.com/

But none of them explains how to protect and prevent the problem from
happening again. This Google forum has a post stating that

http://productforums.google.com/forum/#!topic/webmasters/GsB423gsIlk

" the sysadmin told me that there was a php script entitled
"jos_jpxn.php" running that was rewriting my .htaccess" (lickface)

But I found no such script among my files.

(Of course, I changed my password, but I don't really think that is
the problem...)


I know it is easy to fix. I just wonder if I can prevent that from
happening again. I'm considering simply putting a "cron job" that rewrites
my .htaccess from time to time!

Has anyone else seen this problem?

Thanks,
Beco






--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CALuYw2xm0Z0EBijgExpJyH0npkLxAJ11eb4idYAtoXvUW6m4oA@mail.gmail.com
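
A detection check for the kind of rule quoted in the post above, added here as an example and not part of the original message: it flags any RewriteRule that sends visitors to a host outside the site's own and is guarded by a RewriteCond on HTTP_REFERER. The function names, the example.org and example.invalid hosts and the sample rules are constructed for illustration.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample: line 3 follows the shape of the rule quoted in the post,
# with the placeholder host example.invalid; the other rules are benign.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook).(.*)
RewriteRule ^(.*)$ http://example.invalid/landing?9 [R=301,L]
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.org/ [NC]
RewriteRule \.(jpg|png)$ - [F]
"""

DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)

def find_referrer_redirects(text, own_hosts):
    """Return (line_no, host) for each RewriteRule that sends visitors to a
    host outside own_hosts and is guarded by a RewriteCond on HTTP_REFERER."""
    findings, referer_cond = [], False
    for line_no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and other directives do not end a cond block
        kind, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "rewritecond":
            referer_cond = referer_cond or "http_referer" in first.lower()
            continue
        # RewriteRule: "second" is the substitution; absolute URLs leave the site
        host = urlsplit(second).hostname if "://" in second else None
        if referer_cond and host and host not in own_hosts:
            findings.append((line_no, host))
        referer_cond = False  # conditions apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts):
    """Check every .htaccess under root; return {path: findings} for hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                found = find_referrer_redirects(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits
```

Run from an unprivileged cron job, scan_tree reports a changed file without overwriting it, so the evidence of how it was modified stays in place.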
 
08-22-2012, 07:41 PM
Henrique de Moraes Holschuh

On Wed, 22 Aug 2012, Dr Beco wrote:
> Does anyone know how to protect against unauthorized change of .htaccess?

If you have root access, try to use chattr to mark that file as
immutable (chattr +i).

But really, if they keep changing your .htaccess, it means they have
compromised the box, and will remain compromising it until you clean the
box (probably rebuild from scratch) AND close the security holes.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20120822194159.GA29189@khazad-dum.debian.net
 
08-22-2012, 10:15 PM
Dr Beco

Henrique de Moraes Holschuh, Wed, 22 Aug 2012 16:41:59 -0300:
>
> If you have root access, try to use chattr to mark that file as
> immutable (chattr +i).
>
> But really, if they keep changing your .htaccess, it means they have
> compromised the box, and will remain compromising it until you clean the
> box (probably rebuild from scratch) AND close the security holes.


Dear Henrique,

For this system I don't have root access. It is managed abroad by a
"host farm". I already wrote to them to report the (second) problem.

I hope they find the main problem now, instead of just giving another
quick fix.

Also, I cannot ask them to reinstall the system from scratch, as the
same server hosts more websites.


Thanks!

Beco







--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942


Archive: http://lists.debian.org/CALuYw2yDehk99ygBD+anf+FbJ+WT2J2MJ6KMpMQ=nqOpHdqAAQ@mail.gmail.com
 
08-23-2012, 12:44 AM
Henrique de Moraes Holschuh

On Wed, 22 Aug 2012, Dr Beco wrote:
> For this system I don't have root access. It is managed abroad by a
> "host farm". I already wrote to them to report the (second) problem.

I suggest you take your business elsewhere. You don't want to risk your
name/site/domain being associated with criminals because some
el-cheap-o hosting farm can't do their job properly.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


Archive: http://lists.debian.org/20120823004420.GB19774@khazad-dum.debian.net
 
08-23-2012, 06:27 AM
shthead

On 23/08/2012 3:32 AM, Dr Beco wrote:
> One of my sites, that has Joomla (and not WordPress) also got hacked (again).

Is your Joomla along with all components/skins etc. up to date? Many of
the hacked sites I look at are not up to date.

> " the sysadmin told me that there was a php script entitled
> "jos_jpxn.php" running that was rewriting my .htaccess" (lickface)

I quite often see Joomla sites that get hacked have a few PHP shells
dropped around the place that the attacker then uses to do other things
(reset passwords/change htaccess files/phishing sites etc.).


Also, if it is shared web hosting are your permissions all set
correctly? Do you know how PHP is configured on the server? If the
permissions are wrong say on the configuration file and another site on
the same server gets hacked, they may be able to read your configuration
file, get the database details and reset/recover the admin password.


Personally I wouldn't trust a Joomla/WordPress/whatever install once the
site has been compromised like this - who knows what else has been
changed. It may be best to reupload the site/database from a backup if
you have one.





Archive: http://lists.debian.org/5035CD63.9000809@shthead.net
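
A permission audit for the shared-hosting exposure described in the post above, added here as an example and not part of the original message: it lists CMS configuration files readable by other accounts, .htaccess and PHP files writable by them, and world-writable directories. The function names and the demo tree are constructed, and whether a configuration file can be restricted to its owner assumes PHP runs as the site owner rather than as a shared web-server user.

```python
import os
import stat
import tempfile

# CMS files that hold database credentials (Joomla, WordPress).
CONFIG_NAMES = {"configuration.php", "wp-config.php"}

def audit_permissions(root):
    """Return sorted (relative_path, problem) pairs for files and directories
    under root whose mode lets other accounts on the host read or change them."""
    problems = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are meaningless
            mode, rel = stat.S_IMODE(st.st_mode), os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode):
                if mode & stat.S_IWOTH:
                    # others can add files here and, without the sticky bit,
                    # replace existing ones such as .htaccess
                    problems.append((rel, "directory writable by others"))
            elif name in CONFIG_NAMES and mode & stat.S_IROTH:
                problems.append((rel, "credentials readable by others"))
            elif (name == ".htaccess" or name.endswith(".php")) and mode & stat.S_IWOTH:
                problems.append((rel, "file writable by others"))
    return sorted(problems)

def build_demo_tree():
    """Create a constructed docroot with deliberately loose modes; return its path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "configuration.php": 0o644,  # world-readable credentials
        ".htaccess": 0o666,          # world-writable rewrite rules
        "index.php": 0o644,          # not flagged
    }
    for name, mode in layout.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.mkdir(os.path.join(root, "cache"))
    os.chmod(os.path.join(root, "cache"), 0o777)
    return root
```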
 
08-23-2012, 12:54 PM
Go Linux

--- On Thu, 8/23/12, shthead <lists@shthead.net> wrote:

> From: shthead <lists@shthead.net>
> Subject: Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
> To: debian-user@lists.debian.org
> Date: Thursday, August 23, 2012, 1:27 AM
> On 23/08/2012 3:32 AM, Dr Beco wrote:
> > One of my sites, that has Joomla (and not WordPress) also got hacked (again).
>
> Is your Joomla along with all components/skins etc. up to
> date? Many of the hacked sites I look at are not up to
> date.
>

You are not alone. Not long ago my webhost posted an announcement about Joomla and WordPress sites on their servers getting hacked. Make sure you're updated to the latest version.


Archive: http://lists.debian.org/1345726481.39670.YahooMailClassic@web163402.mail.gq1.yahoo.com
 
08-24-2012, 02:26 PM
Camaleón

On Wed, 22 Aug 2012 16:32:01 -0300, Dr Beco wrote:

> Does anyone know how to protect against unauthorized change of
> .htaccess?

Uninstalling WordPress/Joomla/PHP-Nuke and all that "frameworking"
stuff?

Just kidding, but having these pre-made environments on your server
poses a real risk; you have to take care that they are always updated and
using the latest patches.

(...)

> http://productforums.google.com/forum/#!topic/webmasters/GsB423gsIlk

(...)

> I know it is easy to fix. I just wonder if I can prevent that from happening
> again. I'm considering simply putting a "cron job" that rewrites my
> .htaccess from time to time!
>
> Has anyone else seen this problem?

At the Google forum there's a link that can help you with this:

http://www.mastermindblogger.com/2011/14-ways-to-prevent-your-wordpress-blog-from-being-hacked/

So I guess there has to be a bunch of "how to protect joomla" articles out
there.

Greetings,

--
Camaleón


Archive: http://lists.debian.org/k182vj$k87$7@ger.gmane.org
 
