staging server compromised - Teh Forum

<body> <div id="header"> <span class="left"> <span class="back"><a href="lthread_list.php?webtag=DEFAULT"><span class="image mobile_back" title="Back"></span></a></span> <span class="image mobile_logo" title="Beehive Forum Logo"></span> </span> <ul> <li> <a class="reply_all" href="lpost.php?webtag=DEFAULT&reply_to=41882.0&return_msg=41882.1"> <span class="image mobile_reply_all"></span><span class="text">Reply to All</span> </a> </li> <li> <a class="navigation" href="#"> <span class="image mobile_navigation"></span><span class="text">Show messages</span> </a> </li> <li> <a class="main" href="#"><span class="image mobile_menu" title="Menu"></span> </a> </li> </ul> </div> <div class="menu main"> <ul> <li><a href="lthread_list.php?webtag=DEFAULT">Messages</a></li> <li><a href="lpm.php?webtag=DEFAULT">Inbox</a></li> <li><a href="lsearch.php?webtag=DEFAULT">Search</a></li> <li><a href="llogon.php?webtag=DEFAULT">Login</a></li> </ul> </div> <div class="menu navigation"><a href="lmessages.php?webtag=DEFAULT&msg=41882.1">1–6</a></div> <div id="page_content"> <h3 class="thread_title"><a href="index.php?webtag=DEFAULT&amp;msg=41882.1">staging server compromised</a> </h3> <div id="messages" data-navigation="41882_1_6_10"> <a name="a41882_1"></a><div class="message" id="message_41882_1"> <div class="message_header"> <div class="message_from"> From: CHYRON (DSMITHHFX)<span class="message_time"> 8 Feb 2017 17:06</span> <div class="clearer"></div> </div><div class="message_to">To: ALL<span class="message_count">1 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.1">41882.1</a></div> <div class="message_body"> While testing out some SEO stuffs on a seldom-used work staging server hosted by a cheap, popular and notoriously insecure Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts, I noticed an odd url was flagged in Google search console. The html file "Caught-son-nfuck-dbvv.html" it pointed to does not exist (or no longer exists) on the site root. Anyway I checked out the htaccess file: <div class="quotetext"><strong>Code:</strong> </div> <pre class="code"> RewriteEngine On RewriteCond %{ENV:REDIRECT_STATUS} 200 RewriteRule ^ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR] RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing) RewriteRule ^(.*)$ compromising-eyes.php?$1 [L]</pre> Which was completely unfamiliar to me, the last I had any htaccess truck was to enable php in html files quite a few years ago. So I deleted it (now the site has no htaccess, and no php in html which is ok because haven't using doing it anyway).<br /><br /> Also, there's no "compromising-eyes.php" file currently on the site root<br /><br /> Then I had a look at the access logs and noticed a good deal of strange activity perhaps related to the hacked htaccess, here's an example entry:<br /> ---<br /> 157.55.39.237 - - [04/Feb/2017:00:22:59 -0700] "GET [workdomain].com/~[workdomain]/Porn-rubs-her-body-cock-dbvv.html HTTP/1.1" 404 2865 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +<a href="http://www.bing.com/bingbot.htm">http://www.bing.com/bingbot.htm</a>)" 0 "redirect-handler" "/var/chroot/home/content/26/6769926/html/.errordocs/404.html" 31777 6769926<br /> ---<br /> [domain name changed to protect the innocent].<br /><br /> One thing many (perhaps all) of these entries include is "-dbvv" appended to the filenames.<br /><br /> So it would appear the staging server was being used as a porn search redirect engine of some sort.</div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.1&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.1"> <span class="rating">0/0</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div><a name="a41882_2"></a><div class="message" id="message_41882_2"> <div class="message_header"> <div class="message_from"> From: william (WILLIAMA)<span class="message_time"> 9 Feb 2017 09:16</span> <div class="clearer"></div> </div><div class="message_to">To: CHYRON (DSMITHHFX) <span><span class="image post_read" title="Read: 9 Feb 2017 10:30"></span></span> <span class="message_count">2 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.2">41882.2</a> In reply to <a href="lmessages.php?webtag=DEFAULT&msg=41882.1#a41882_1" target="_self">41882.1</a></div> <div class="message_body"> I live in constant fear that they are going to take over my raspberry pi owncloud server <span class="emoticon e_sad" title=":("><span class="e__">:(</span></span><br /><br /> More seriously, will you be staying with Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts? And are you able to give its real name? <br /><br /> </div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.2&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.2"> <span class="rating">0/0</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div><a name="a41882_3"></a><div class="message" id="message_41882_3"> <div class="message_header"> <div class="message_from"> From: CHYRON (DSMITHHFX)<span class="message_time"> 9 Feb 2017 10:36</span> <div class="clearer"></div> </div><div class="message_to">To: william (WILLIAMA) <span><span class="image post_read" title="Read: 9 Feb 2017 11:10"></span></span> <span class="message_count">3 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.3">41882.3</a> In reply to <a href="lmessages.php?webtag=DEFAULT&msg=41882.1#a41882_2" target="_self">41882.2</a></div> <div class="message_body"> Godaddy<br /> <br /> We're not using it much for anything except last resort transfer of really large files since we have a no cap plan. Also for a backup staging server in case our main server (our hardware, our premises) goes down. In this case I was just being lazy since I'd already pointed google analytics at it. Which I suppose is a good thing else I'd have never discovered the problem.</div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.3&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.3"> <span class="rating">0/0</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div><a name="a41882_4"></a><div class="message" id="message_41882_4"> <div class="message_header"> <div class="message_from"> From: william (WILLIAMA)<span class="message_time"> 9 Feb 2017 13:59</span> <div class="clearer"></div> </div><div class="message_to">To: CHYRON (DSMITHHFX) <span><span class="image post_read" title="Read: 9 Feb 2017 17:07"></span></span> <span class="message_count">4 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.4">41882.4</a> In reply to <a href="lmessages.php?webtag=DEFAULT&msg=41882.1#a41882_3" target="_self">41882.3</a></div> <div class="message_body"> Still, doesn't fill one with confidence as a customer.<br /><br /> Back when I was gainfully employed, our public service customers all used exclusively in-house or third-party but un-shared servers in un-shared data centres. A good part of the job of the more IT literate management was to resist the incessant and increasing calls from politicians to 'stick everything' on Amazon or Godaddy or IaaS etc. Frightening really.</div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.4&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.4"> <span class="rating">0/0</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div><a name="a41882_5"></a><div class="message" id="message_41882_5"> <div class="message_header"> <div class="message_from"> From: Peter (BOUGHTONP)<span class="message_time"> 9 Feb 2017 22:45</span> <div class="clearer"></div> </div><div class="message_to">To: ALL<span class="message_count">5 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.5">41882.5</a></div> <div class="message_body"> Anyone wilfully using GoDaddy for any purpose deserves what they get.</div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.5&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.5"> <span class="rating">+1/1</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div><a name="a41882_6"></a><div class="message" id="message_41882_6"> <div class="message_header"> <div class="message_from"> From: CHYRON (DSMITHHFX)<span class="message_time">10 Feb 2017 01:04</span> <div class="clearer"></div> </div><div class="message_to">To: Peter (BOUGHTONP) <span><span class="image post_read" title="Read: 10 Feb 2017 02:03"></span></span> <span class="message_count">6 of 6</span><div class="clearer"></div> </div> </div> <div class="message_links"> <a href="lmessages.php?webtag=DEFAULT&msg=41882.6">41882.6</a> In reply to <a href="lmessages.php?webtag=DEFAULT&msg=41882.1#a41882_5" target="_self">41882.5</a></div> <div class="message_body"> Yeah probably. Yo mama.</div> <div class="message_footer"> <div class="message_footer_links"><a href="lpost.php?webtag=DEFAULT&reply_to=41882.6&return_msg=41882.1" class="reply"><span class="image post"></span>Reply</a></div> <div class="message_vote_form" data-msg="41882.6"> <span class="rating">0/0</span> <span class="image vote vote_down vote_down_off" title="Vote Down"></span> <span class="image vote vote_up vote_up_off" title="Vote Up"></span> </div> </div> </div></div> </div> </body>