Hacked again

Post by sascha » Wed Nov 26, 2008 4:17 pm

The site (jpatch.com) has been hacked again, with tons of porn links appended to each page served. First I couldn't find anything, because apparently none of the source html- or php-files contained any of these links. So I suspected that the entire web-server has been hacked and opened a support ticket. After opening a second support ticket on the subject, they've finally pointed me to a crafted .htaccess file with the following content:
Code:
RewriteEngine On
RewriteRule ^$ /gallery/include/archive/linkator.php [NC,L]
RewriteRule ^(.*)/$ /gallery/include/archive/linkator.php [NC,L]

RewriteRule ^(.*)\.p*html*$ /gallery/include/archive/linkator.php [NC,L]

RewriteCond %{REQUEST_URI} !gallery/include/archive/linkator.php$
RewriteCond %{REQUEST_URI} !gallery/include/index.php$
RewriteRule ^(.*)\.php[345]*$ /gallery/include/archive/linkator.php [NC,L]

Neat, isn't it?

I haven't found many references to this kind of attack on Google, so I post it here, maybe it helps others who have been attacked: watch out for manipulated .htaccess files!

The site should now be free of porn again (my apologies to anyone who might have been offended by the links, or worse, infected with some kind of virus/worm/trojan/etc.). I've changed all passwords again and removed some bogus ftp accounts. I can only hope that this won't happen again any time soon.

I really fail to understand why people are doing this. If a site is unmaintained, it probably won't generate many hits, and if it's maintained, the links will be online a few days at most, so where's the point?
sascha
Site Admin
 
Posts: 2792
Joined: Thu May 20, 2004 9:16 am
Location: Austria

Re: Hacked again

Post by dcuny » Wed Nov 26, 2008 5:31 pm

Bleah. :(

At work, we maintain a parallel system, and the files (including source code) are checked on a regular basis. If there's been an unauthorized change, it's automatically rolled back. Unfortunately, I doubt your ISP offers a similar service. :?
dcuny
 
Posts: 2902
Joined: Fri May 21, 2004 6:07 am

Re: Hacked again

Post by sascha » Wed Nov 26, 2008 5:55 pm

"If there's been an unauthorized change, it's automatically rolled back. Unfortunately, I doubt your ISP offers a similar service."

I've had some ideas along that line, but they're difficult to implement. One is to check the modification dates of directories and files, but things like phpBB also store files on disk (cache, attachments, etc.), so I'd have to add exceptions for some directories.

It would be nice if providers offered a means to "lock" the site. FTP uploads would only be possible when it's unlocked, and each time it gets unlocked a mail is sent to its owner, to quickly detect mischief.

Anyway, this wasn't the first time jpatch.com became subject to vandalism, so I did some research on Google and found that a lot of people are complaining about the provider that hosts jpatch.com (servage.net). I guess I'll move the site to a new host eventually, probably sooner rather than later.
sascha
Site Admin
 
Posts: 2792
Joined: Thu May 20, 2004 9:16 am
Location: Austria
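
Added example, not part of the original thread and not code from any poster: a minimal sketch of the file check discussed above, with exceptions for directories the forum software writes to. It compares SHA-256 hashes rather than modification dates, since dates can be reset; the excluded directory names and the sample site built in `demo()` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Assumed writable directories (phpBB-style cache and uploads); adjust per site.
EXCLUDE_DIRS = {"cache", "files", "store"}

def snapshot(root, exclude_dirs=EXCLUDE_DIRS):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune excluded directories in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return sorted lists of added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed sample site: take a baseline, then simulate the changes from the thread."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        os.makedirs(os.path.join(root, "gallery"))
        files = {"index.php": "<?php echo 'home';", ".htaccess": "Options -Indexes\n",
                 os.path.join("cache", "tpl_1.php"): "cached v1"}
        for rel, text in files.items():
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        baseline = snapshot(root)
        # Simulated tampering: .htaccess modified and an unknown script dropped.
        with open(os.path.join(root, ".htaccess"), "a") as fh:
            fh.write("RewriteEngine On\n")
        with open(os.path.join(root, "gallery", "new_script.php"), "w") as fh:
            fh.write("<?php // placeholder")
        # Legitimate cache churn, which must not raise an alert.
        with open(os.path.join(root, "cache", "tpl_1.php"), "w") as fh:
            fh.write("cached v2")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "changed"), demo()):
        print(label, paths)
```

Excluded directories are blind spots, so keep the list short, and store the baseline somewhere the web host's FTP accounts cannot write to.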

