Extra CGI parameter - some kind of hack


#1

Sorry the title is vague but I really don’t understand what’s going on. I’ve been getting hits on my site that look like genuine URLs but have an extra CGI parameter, unknown to my system, that when present causes a completely incorrect page to be delivered, full of references to Viagra and Cialis. The extra parameter is ignored by my code and there’s nothing on my site that can generate the extra content. I replaced all my PHP files but it makes no difference. A typical such request is

http://therivierawoman.com/index.php?module=articles&page=features&qw=774

The critical extra parameter is &qw=nn where nn is some number. When I make the same request from my browser, sometimes I get a 503 error, but when I take off the extra parameter my page loads normally. This suggests some other server is actually delivering the hacked pages.

I can’t see how to diagnose this because the $_REQUEST I receive (if I get one at all) bears little resemblance to the request typed into the browser. It seems the &qw parameter is being intercepted somewhere and passed to a malware server somewhere, then a random request is made to my site and the results of the two merged before delivery. The oddest thing is the injected text is ABOUT the drugs concerned but there are no links that take the reader to a site selling the stuff.

I tried changing the qw to something else - at random - but I get normal page loads every time, which I’d expect as the parameters are ignored. So what’s so special about qw?

Baffled


#2

Looks like someone has changed your index.php, or some include file used by index.php.


#3

I’ve seen a few cases like this where a .htaccess file has been uploaded (or modified) without your knowledge. Check for that, and/or write in to DreamHost Support (c/o the Abuse/Security Department) for help!


#4

I thank you sir for hitting the nail right on the head. There was indeed an .htaccess file I didn’t create; it has a file creation date of three years ago, before the website went live. Contents are:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{QUERY_STRING} (^|&)(qw|vprx|rfq|xfn|ifle)=
    RewriteCond %{REQUEST_URI} !protect\.php$ [NC]
    RewriteRule (.*) /fckeditor/editor/filemanager/browser/default/images/icons/32/protect.php [L,NS,QSA]
    RewriteBase /
    # protect all before

none of which means a thing to me, but I note there’s “qw” in there. Down in the fckeditor directory (which is only there because I haven’t finished changing everything over to the latest ckeditor), in amongst the icons, there’s a highly suspicious looking PHP file. I’ve quarantined it and the .htaccess file and the site looks to be normal again.

The date on the .htaccess file is earlier than the point I started using fckeditor; in fact it’s earlier than when the site was created, so I assume the problem was in the version I downloaded.

Any further light would be most interesting, but I reckon the job is done and many thanks are due to andrewf. This forum is worth its weight in gold!


#5

The old creation date is probably bogus — it can be fudged, if you know how.

Get FCKEditor properly up to date, or remove it until you can. Some older versions have bugs that will allow a PHP file to be uploaded to your server, which is almost certainly what happened here.


#6

This exact thing just happened to me as well for 2 domains located on dreamhost… I contacted support but am wondering if this is a server level issue…

I’m not running FCKEditor; they hid the file in a php lib directory…

FWIW…the “qw” appears somewhat random… for my issues they used different letters and hid the protect.php file somewhere else.
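The rewrite posted in #4 has a recognisable shape: a RewriteCond keyed on %{QUERY_STRING} that lists trigger parameter names, followed by a RewriteRule sending the request to a PHP file dropped among static assets. As #6 notes, the parameter names and the file location vary, so the checker below (an added example, not code from the thread or from DreamHost) flags that shape rather than the literal "qw"; the .htaccess text is the one from #4, the access-log lines are constructed, and the webroot path passed to scan_webroot is assumed.

```python
import re
from pathlib import Path

# Constructed sample: the .htaccess posted in #4, one directive per line.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (^|&)(qw|vprx|rfq|xfn|ifle)=
RewriteCond %{REQUEST_URI} !protect\.php$ [NC]
RewriteRule (.*) /fckeditor/editor/filemanager/browser/default/images/icons/32/protect.php [L,NS,QSA]
RewriteBase /
# protect all before
"""

# Constructed access-log lines (common log format) for the log check below.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2012:10:00:01 +0000] "GET /index.php?module=articles&page=features&qw=774 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2012:10:00:07 +0000] "GET /index.php?module=articles&page=features HTTP/1.1" 200 8130',
    '203.0.113.7 - - [01/Jan/2012:10:01:12 +0000] "GET /index.php?vprx=12 HTTP/1.1" 200 4990',
]

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{QUERY_STRING\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ALT_RE = re.compile(r"\(([A-Za-z0-9_|]+)\)=")          # "(qw|vprx|...)=" -> the parameter names
ASSET_DIR_RE = re.compile(r"/(images?|icons?|img|css|js|fonts?)/", re.I)

def suspicious_rewrites(htaccess_text):
    """[(trigger_params, target, in_asset_dir)] for every RewriteRule gated by a
    RewriteCond on %{QUERY_STRING} whose target is a PHP file other than index.php."""
    findings, pending = [], []
    for line in htaccess_text.splitlines():
        if m := COND_RE.match(line):
            for alt in ALT_RE.findall(m.group(1)):
                pending.extend(alt.split("|"))
        elif m := RULE_RE.match(line):
            target = m.group(2)
            if pending and target.lower().endswith(".php") and not target.lower().endswith("/index.php"):
                findings.append((sorted(set(pending)), target, bool(ASSET_DIR_RE.search(target))))
            pending = []          # a RewriteRule consumes the conditions before it
    return findings

def scan_webroot(root):
    """Walk a document root (assumed path) and report every .htaccess with such a rule."""
    return {str(p): f for p in Path(root).rglob(".htaccess")
            if (f := suspicious_rewrites(p.read_text(errors="replace")))}

def log_hits(log_lines, params):
    """Access-log lines carrying one of the trigger parameters, to scope the incident."""
    pat = re.compile(r"[?&](" + "|".join(map(re.escape, params)) + r")=", re.I)
    return [ln for ln in log_lines if pat.search(ln)]
```

Feeding the trigger names from a finding into log_hits over the real access log shows when the redirect was first used, which is the window to compare against file modification times.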


#7

Most of the instances of this issue which I’ve seen have been related to insecure, outdated versions of software. Open a ticket with Support about the issue — we have some tools for scanning for old versions, as well as for cleaning up after hacks.


#8

Thanks!
The sites are indeed running some outdated software… I submitted a support ticket as soon as I found it and cleaned up. So hopefully we will get to the bottom of it soon.

The hacks are relatively easy to detect/correct now that I know about 'em. My main concern is just shutting the open door that they found :)