Joomla 网站 .htaccess 不断遭到黑客攻击
我正在运行 1.5.25,不知何故,我的根目录上不断创建 .htaccess 文件。
ErrorDocument 400 http:// redirected url index.php
ErrorDocument 404 http:// redirected url index.php index.php
ErrorDocument 500 http://redirected url /index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://redirected url index.php [R=301,L]
</IfModule>
我想知道如何找出谁创建了此 .htaccess 文件,即使已删除。有没有办法找出哪个脚本创建了这个?哪个用户创建它?
以前遇到过这个问题的人吗?有没有办法可以创建 .htaccess 并禁止它被更改。应用 644 权限设置似乎没有帮助。
注意:我已将实际重定向 URL 更改为重定向 url index.php
I am running 1.5.25 and somehow a .htaccess file keeps getting created on my root.
ErrorDocument 400 http:// redirected url index.php
ErrorDocument 404 http:// redirected url index.php index.php
ErrorDocument 500 http://redirected url /index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://redirected url index.php [R=301,L]
</IfModule>
I would like to know how to find out who creates this .htaccess file even when deleted. Is there a away to find out which script creates this? Which user creates it?
Anyone who has had this problem before? Is there a way I can create a .htaccess and disable it from being changed. Applying 644 permission setting does not seem to help.
NOTE: I have changed actual redirect URL to redirected url index.php
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
Erm 权限 644 意味着该文件至少可由所有者写入。我不知道服务器是如何设置的,也不知道网络服务器的所有者是您(ftp 用户)还是“无人”。
您可能拥有带有漏洞的过时版本的 Joomla 或过时且易受攻击的附加组件。有人利用漏洞将“Web shell”放入您的文件系统的可能性很高。这允许他连接到文件,并为他提供一个控制面板,其中包含编辑文件、上传文件、运行任意命令的选项。
可能是服务器上的另一个帐户受到威胁,然后该帐户中的文件会在服务器范围内进行编辑,或者至少在服务器上的任何可写文件/文件夹上进行编辑。
您确实应该从网络安全专家那里获得帮助,但如果您想尝试自己进行分析,请执行以下几个步骤。
在服务器上,您还可以使用“find”命令搜索文件系统,以查找最近 x 天或最近 x 小时内更改的文件。
您需要使该网站离线,联系您的主机并解释问题并查看他们可以提供哪些信息。您应该下载文件,并首先通过强大的病毒扫描程序运行文件(这些病毒扫描程序可识别当今的大多数 Web shell)。
在文件中搜索以下单词/模式 - grep 或类似的命令对此很有用:
web\s*shell
hacked\s*by
r57
c99
base64_decode
带有 \s* 的行是正则表达式。
最后一个将提供许多误报 - 检查每个文件是否有任何可疑的文件,这些文件看起来不像 Joomla 代码(显然需要一点熟悉才能发现)。
升级 Joomla 和任何具有最新版本的附加组件。首先在 http://exploit-db.com/ 中搜索“joomla”,看看是否有任何添加-on 已列出。
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_exploit_text=joomla&filter_platform=0&filter_type=0&filter_lang_id=0
有许多其他事情可以检查,并且可能应该检查 - 但这些是一个很好的起点 - 但我确实强调,最好保留以下人员的帮助对这件事有经验。反黑客服务通常起价为 500 英镑,最高可达约 1,000 英镑(800 美元 - 1600 美元)。
当您将网站重新上线时,请检查
register_globals 已关闭
短开放标签已关闭
确保通过 php.ini 中的 this disable_functions 指令禁用以下功能
disable_functions=exec、passthru、shell_exec、系统、proc_open、popen、curl_exec、curl_multi_exec、parse_ini_file、show_source
Erm permissions 644 means the file is writeable - by the owner at least. I don't know how the server is set up and whether the owner is you (the ftp user) or 'nobody' the web server.
Chances are you have either an outdated version of Joomla with a vulnerability or an outdated and vulnerable add-on. Chances are high that someone has used a vulnerability to drop a 'web shell' into your file system. This allows him to connect to the file and provides him with a control panel of options to edit files, upload files, run arbitrary commands.
It could be that another account on the server is compromised and then files within that account reach out and make edits server wide - or at least on any writable files/folders on the server.
You should really get help from a web security expert, but if you wish to try and do the analysis yourself here are a few steps to take.
On the server, you can also search the file system using the 'find' command, to find files changed in the last x days, or last x hours.
You need to take the site offline, contact your host and explain the issue and see what info they can provide. You should download your files and as a first measure run the through a powerful virus scanner (these identify most web shells nowadays).
Search through the files for the following words/patterns - grep or similar are useful for these:
web\s*shell
hacked\s*by
r57
c99
base64_decode
The lines with \s* are regular expressions.
The last one will provide many false positives - examine each file for anything suspicious, files that don't look like Joomla code (obviously requires a bit of familiarity to spot).
Upgrade Joomla and any add-ons that have more up-to-date versions. Start by searching http://exploit-db.com/ for 'joomla' and see if any of your add-ons are listed.
http://www.exploit-db.com/search/?action=search&filter_page=1&filter_exploit_text=joomla&filter_platform=0&filter_type=0&filter_lang_id=0
There are many many other things that can be checked, and probably should be checked - but these are a good starting point - but I do stress that it is best to retain the help of someone who is experienced at this stuff. De-hacking services typically start at £500 and rise to approx £1,000 ($800 - $1600).
When you put the site back live check that
register_globals are off
short open tags are off
Make sure the following functions are disabled via the this disable_functions directive in php.ini
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
对于安全的 Joomla 网站,您可以使用以下代码,只需编辑您的
.htaccess
文件,下面的文件就会为 Joomla 网站提供全面的保护。它还会使用 Joomla Core SEF 更新您的 URL(您必须启用它)。转到管理面板并更新 Apache 的模式/读写。您可以使用下面的代码
For a Secured Joomla site you can use below code, just edit your
.htaccess
file and below ships with full protection for Joomla site. Also It will update your URL using Joomla Core SEF(You have to enable it). Go to Admin panel and update your Mode/ReadWrite of Apache.You can use below code
您可以将以下代码用于您的 .htaccess 文件
下面是安全 .htaccess 文件的更多设置
You can use below code for your .htaccess file
Below are few more setting for a secure .htaccess file
我遇到了一个严重的问题,有人侵入了我的 .htaccess 文件,我唯一的解决方案是使该文件无法被黑客攻击。首先,我清理了所有 hack 的 .htaccess 文件和任何 PHP 文件。然后我将 .htaccess 文件的文件权限更改为 444(644 仍然允许访问)。然后我使用 shell 访问我的帐户来使文件“不可变”,这意味着它无法更改!
当您对 Linux 服务器上的帐户具有 shell 访问权限时,
输入以下内容: # chattr +i .htaccess
现在,即使具有 root 访问权限也无法更改该文件!
如果您需要撤消此操作,请输入: # chattr -i .htaccess
如果您没有帐户的 shell 访问权限,请要求您的网络主机输入此命令以使文件不可变。
对于非 Linux 帐户,只需根据您的 Web 服务器类型在 Google 或 Bing 中输入“使文件不可变”。这应该会为您提供所需的信息。
I had a serious problem with someone hacking into my .htaccess file and my only solution was to make the file unhackable. First, I cleaned up the .htaccess file and any PHP files of all hacks. Then I changed the file permissions to 444 (644 still allows access) on the .htaccess file. Then I used the shell access to my account to make the file "immutable", which means it cannot be changed!
When you have shell access to your account on your Linux server,
enter the following: # chattr +i .htaccess
Now, even those with root access cannot change the file!
It you need to undo this, enter: # chattr -i .htaccess
If you do not have shell access to your account, ask your web host about entering this for you to make the file immutable.
For non-Linux accounts, just enter "making file immutable" into Google or Bing for your type of web server. This should give you the information you need.
也许首先检查一下是否有任何 cronjobs 执行此操作(crontab -l)。一些托管面板具有清理操作,并且只允许使用其 UI 修改 .htaccess(因此它首先存储在数据库中)。
这也可能让你开始; http://www.infoq.com/articles/inotify-linux -文件系统事件监控
Maybe a good first check is to see if there are any cronjobs who do this (crontab -l). Some hosting panels have cleanup actions and only allow modification of the .htaccess by using their UI (so it gets stored in a database first).
This might get you underway as well; http://www.infoq.com/articles/inotify-linux-file-system-event-monitoring