Today I noticed that Google Chrome and Firefox were both telling me my website was a malware source, because it had been redirected to a URL at webarh.com (the nasty people) - obvious from the URL shown. This is a Red Hat Linux setup using PHP, MySQL and Apache, and here's what I did to diagnose and fix the problem, in case you get infected too...

First thing I did was figure out if it was a DNS hijack or a website attack. This can be done by resolving the domain name and ensuring it is the public IP of your web server.

[root@red3 /]# nslookup www.necessaryandsufficient.net
Server:         61.9.195.193
Address:        61.9.195.193#53

Non-authoritative answer:
www.necessaryandsufficient.net  canonical name = necessaryandsufficient.net.
Name:   necessaryandsufficient.net
Address: 121.210.117.191

[root@red3 /]# curl -s myip.dk | grep "IP Address" | egrep -o '[0-9.]+'
4
121.210.117.191
6
[root@red3 /]#

Since they both say 121.210.117.191, this indicates that it isn't a DNS attack. Something on the website is screwing things up. We can confirm this with another curl command...

[root@red3 /]# curl -i www.necessaryandsufficient.net | more

In the infected state you will see a 302 (redirect) to the nasty URL on webarh.com in the output of the command above. So something in the website config is redirecting. Given this is Apache with mod_rewrite, perhaps someone has managed to set up new redirects. Let's do some simple string matching first up...

[root@red3 /]# grep -r "webarh" /var/www/

This threw up a bunch of .htaccess files that had redirect instructions to the nasty webarh.com URL. Killing those is the first step. Trying the site again, the problem still wasn't fixed. There must be more nasty redirects lurking elsewhere, so I looked more closely at the output of the above command and saw that a bunch of index.php files had some JavaScript that was doing a redirect in code. Setting document.location.href = "whatever" tells the browser to go to the URL you specified (albeit with a deprecated command), so you have to deftly trim out those nasty script tags with your favourite text editor.
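The grep above only finds the one domain you already know about. Here is an added example (my own script, not from the original post) that looks for the two injection patterns described above regardless of the target domain: .htaccess rules that Redirect or RewriteRule to an external http(s) URL, and PHP/HTML files that assign document.location.href. It reports file names only and changes nothing; treat the output as a triage list, since a legitimate page can also set document.location.href. The web root path is whatever you pass in, and the sample tree it can build for itself (example.invalid is a reserved name) is constructed for illustration.

```bash
#!/bin/bash
# Added example: list files in a web root that carry the redirect patterns
# described in the post. Read-only; prints one matching path per line.

scan_redirects() {
    root="$1"
    # 1. .htaccess files with Redirect/RewriteRule directives whose target is an external URL
    find "$root" -name .htaccess -type f \
        -exec grep -l -E -i '^[[:space:]]*(Redirect|RewriteRule)[[:space:]].*https?://' {} \;
    # 2. PHP/HTML files with a script-driven redirect (document.location / document.location.href)
    find "$root" \( -name '*.php' -o -name '*.html' \) -type f \
        -exec grep -l -E 'document\.location(\.href)?[[:space:]]*=' {} \;
}

# Number of flagged files; handy as a cron check where non-zero means "go and look"
count_redirects() {
    scan_redirects "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (assumption: mirrors the layout of an infected site)
make_sample_root() {
    mkdir -p "$1/blog"
    # injected: site-wide rewrite to an external URL
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]\n' > "$1/.htaccess"
    # legitimate WordPress-style permalink rules, no external target
    printf 'RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n' > "$1/blog/.htaccess"
    # injected: script-driven redirect appended to a PHP page
    printf '<?php echo "home"; ?>\n<script>document.location.href="http://example.invalid/landing";</script>\n' > "$1/index.php"
    # clean page
    printf '<?php echo "clean page"; ?>\n' > "$1/blog/index.php"
}

# Stand-alone use: scan_redirects.sh /var/www  (pass your own web root as the first argument)
if [ -n "${1:-}" ]; then
    scan_redirects "$1"
fi
```

Run it against the real web root first, then again after cleaning, and keep a copy of the first listing: the set of files it flags is also the set whose timestamps and contents you will want to compare against backups.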

Tried the website again and now the home page comes up, but the links (WordPress uses SEO-friendly slugs) don't work. Clearly this is because we've lost some of the URL rewrite rules from the base directory of the website. Luckily I have backups and that file hadn't changed in ages (until now), so a simple restore fixed that.

Things seem back up and running now, so let's figure out what caused all this in the first place and how to patch it. I did some Googling first then dived into the web server logs to confirm something I'd read about a phpMyAdmin security hole...

[root@red3 logs]# cd /usr/local/apache2/logs
[root@red3 logs]# grep "/scripts/setup.php" access_log

This threw up a massive scan (GET ...) of setup.php files for older versions of phpMyAdmin, confirming what I'd seen posted about this attack. Most HTTP GETs got 500 "internal server error" responses, but the file mentioned above returned an HTTP 200 code and the attacker then posted to this file (see the last two lines of the output below).

125.16.9.12 - - [24/Nov/2010:08:00:52 +1100] "GET /phpMyAdmin-2.8.0-beta1/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:53 +1100] "GET /phpMyAdmin-2.8.0-rc1/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:53 +1100] "GET /phpMyAdmin-2.8.0-rc2/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:53 +1100] "GET /phpMyAdmin-2.8.0.1/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:54 +1100] "GET /phpMyAdmin-2.8.0.2/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:56 +1100] "GET /phpMyAdmin-2.8.0.4/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:56 +1100] "GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:00:58 +1100] "GET /phpMyAdmin-2.8.1/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:21 +1100] "GET /pma/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:23 +1100] "GET /roundcube/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:23 +1100] "GET /scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:24 +1100] "GET /sl2/data/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:27 +1100] "GET /sqlmanager/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:27 +1100] "GET /sqlweb/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:27 +1100] "GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:27 +1100] "GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1" 500 546
125.16.9.12 - - [24/Nov/2010:08:01:28 +1100] "GET /web/scripts/setup.php HTTP/1.1" 500 546
72.167.45.134 - - [26/Nov/2010:01:37:02 +1100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 13723
72.167.45.134 - - [26/Nov/2010:01:37:03 +1100] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 24975
92.240.68.95 - - [26/Nov/2010:03:22:27 +1100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 13744
92.240.68.95 - - [26/Nov/2010:03:22:28 +1100] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 13744

Essentially, the setup file for phpMyAdmin allows arbitrary PHP code injection, and the attacker exploited this to inject all these nasty redirects. See this article for more information.
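Reading a long access_log by eye is how the 200s above got spotted, but it is easy to script. The following is an added example of mine, not part of the original post, that pulls every setup.php probe out of an Apache common/combined log and separates the noise (404/500 answers) from the hits (200 answers), and then from the POSTs that came back 200, which is the pattern shown in the last two log lines above. It assumes the standard Apache log layout (field 6 = method, 7 = path, 9 = status) and ships with a constructed sample log using RFC 5737 documentation addresses.

```bash
#!/bin/bash
# Added example: triage setup.php probes in an Apache access_log.
# Assumed field layout (common/combined log format): $1 ip, $6 "method, $7 path, $9 status.

# Every request to a .../scripts/setup.php path: ip method path status
setup_probes() {
    awk '$7 ~ /\/scripts\/setup\.php$/ { print $1, $6, $7, $9 }' "$1" | tr -d '"'
}

# Only the probes the server answered 200: these found a live install
setup_hits() {
    setup_probes "$1" | awk '$4 == "200"'
}

# POSTs that returned 200: the follow-up seen in the post after a GET succeeded
setup_posts() {
    setup_hits "$1" | awk '$2 == "POST"'
}

# Distinct source addresses that got a 200, for blocking and reporting
setup_hit_ips() {
    setup_hits "$1" | awk '{ print $1 }' | sort -u
}

# Constructed sample log (assumption: same shape as the real lines above)
write_sample_log() {
    cat > "$1" <<'EOF'
198.51.100.7 - - [24/Nov/2010:08:00:52 +1100] "GET /phpMyAdmin-2.8.0/scripts/setup.php HTTP/1.1" 500 546
198.51.100.7 - - [24/Nov/2010:08:00:53 +1100] "GET /pma/scripts/setup.php HTTP/1.1" 404 210
198.51.100.7 - - [24/Nov/2010:08:00:54 +1100] "GET /index.php HTTP/1.1" 200 4321
203.0.113.9 - - [26/Nov/2010:01:37:02 +1100] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 13723
203.0.113.9 - - [26/Nov/2010:01:37:03 +1100] "POST /phpMyAdmin/scripts/setup.php HTTP/1.1" 200 24975
EOF
}

# Stand-alone use: setup_probes.sh /usr/local/apache2/logs/access_log
# With no argument it runs against the constructed sample.
if [ -n "${1:-}" ]; then
    setup_posts "$1"
else
    tmp=$(mktemp)
    write_sample_log "$tmp"
    setup_posts "$tmp"
    rm -f "$tmp"
fi
```

The 500s tell you the scanner was guessing at directories that don't exist on a server that errors rather than 404s; the interesting output is setup_hits, and setup_hit_ips gives you the short list of addresses worth blocking at the firewall while you remove or upgrade the install.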

You could upgrade phpMyAdmin but I don't use it much so it's gone. What a PITA.
