Technical: staging server compromised

 

 From:  CHYRON (DSMITHHFX)  
 To:  ALL
41882.1 
While testing out some SEO stuff on a seldom-used work staging server hosted by a cheap, popular and notoriously insecure Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts, I noticed an odd URL was flagged in Google Search Console. The HTML file "Caught-son-nfuck-dbvv.html" it pointed to does not exist (or no longer exists) on the site root. Anyway, I checked out the htaccess file:
Code: 
RewriteEngine On

# On the internal redirect that the rule below triggers, stop here so it fires only once per request
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
# Only for paths that do not exist as a real file or directory...
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# ...and only when the visitor is a search-engine crawler or arrived via a search engine (cloaking: normal visitors see a plain 404)
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
# hand the requested path to the injected script as its query string
RewriteRule ^(.*)$ compromising-eyes.php?$1 [L]
Which was completely unfamiliar to me; the last time I had any truck with htaccess was to enable PHP in HTML files quite a few years ago. So I deleted it (now the site has no htaccess, and no PHP in HTML, which is OK because I haven't been doing that anyway).

Also, there's no "compromising-eyes.php" file currently on the site root.

Then I had a look at the access logs and noticed a good deal of strange activity, perhaps related to the hacked htaccess. Here's an example entry:
---
157.55.39.237 - - [04/Feb/2017:00:22:59 -0700] "GET [workdomain].com/~[workdomain]/Porn-rubs-her-body-cock-dbvv.html HTTP/1.1" 404 2865 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler" "/var/chroot/home/content/26/6769926/html/.errordocs/404.html" 31777 6769926
---
[domain name changed to protect the innocent].

One thing many (perhaps all) of these entries include is "-dbvv" appended to the filenames.

So it would appear the staging server was being used as a porn search redirect engine of some sort.
0/0
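Two triage checks for the kind of compromise described in this post, as an added Python example that is not part of the original thread or of anything the poster ran: the first scans an .htaccess listing for rewrite rules that key on search-engine user agents or referers and hand the request to a script (the cloaking pattern above), the second scans access-log lines for crawler hits, or visits referred by a search engine, on non-existent pages carrying the spam suffix. The .htaccess sample is copied from the post; the log lines are constructed for the example, modelled on the post's entry but with placeholder addresses and domain; the search-engine name list and the "-dbvv" suffix are taken from the post, and the extension list for "script targets" is an assumption.

```python
"""Triage helpers for an SEO-spam cloaking compromise (added example).

Inputs are constructed: HTACCESS_SAMPLE is the listing from the post,
LOG_SAMPLE is modelled on the post's log entry with placeholder addresses.
"""
import re
from dataclasses import dataclass

# Engine names from the injected RewriteCond lines in the post.
SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "bing")

HTACCESS_SAMPLE = """\
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ compromising-eyes.php?$1 [L]
"""

# Constructed log lines (same field order as the post's entry; trailing
# host-specific fields are ignored by the parser).
LOG_SAMPLE = [
    '203.0.113.5 - - [04/Feb/2017:00:22:59 -0700] "GET /~example/Porn-rubs-her-body-cock-dbvv.html HTTP/1.1" 404 2865 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)" 0 "redirect-handler"',
    '66.249.66.1 - - [04/Feb/2017:00:25:10 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0 "-"',
    '66.249.66.1 - - [04/Feb/2017:00:26:42 -0700] "GET /old-page.html HTTP/1.1" 404 2865 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0 "redirect-handler"',
    '198.51.100.7 - - [04/Feb/2017:00:30:00 -0700] "GET /Caught-son-nfuck-dbvv.html HTTP/1.1" 404 2865 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; rv:51.0) Gecko/20100101 Firefox/51.0" 0 "redirect-handler"',
]

# Assumed set of "script" targets worth flagging in a RewriteRule.
SCRIPT_TARGET = re.compile(r"\.(php|cgi|pl)(\?|$)")
# Suffix the poster observed on the spam file names.
SPAM_SUFFIX = re.compile(r"-dbvv\.html?$", re.IGNORECASE)


@dataclass
class CloakingRule:
    conditions: list  # (variable, pattern) pairs that gate on a search engine
    target: str


def find_cloaking_rules(htaccess_text):
    """Return RewriteRules whose RewriteCond chain tests HTTP_USER_AGENT or
    HTTP_REFERER for a search-engine name and whose target is a script."""
    findings, pending = [], []
    for raw in htaccess_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif parts[0] == "RewriteRule" and len(parts) >= 3:
            gated = [
                (var, pat) for var, pat in pending
                if var in ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")
                and any(se in pat.lower() for se in SEARCH_ENGINES)
            ]
            if gated and SCRIPT_TARGET.search(parts[2]):
                findings.append(CloakingRule(gated, parts[2]))
            pending = []  # a RewriteRule consumes the RewriteCond chain before it
    return findings


# Common-log prefix plus referer and user agent; extra trailing fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_spam_crawl_hits(lines, suffix_re=SPAM_SUFFIX):
    """Return parsed entries where a request matching the cloaking condition
    (crawler user agent, or a search-engine referer) got a 404 for a page
    named with the spam suffix. These are the requests the deleted rule would
    have routed to the injected script while it was in place."""
    hits = []
    for line in lines:
        e = parse_log_line(line)
        if e is None:
            continue
        lured = any(se in e["ua"].lower() for se in SEARCH_ENGINES) or \
            any(se in e["referer"].lower() for se in SEARCH_ENGINES)
        if lured and e["status"] == "404" and suffix_re.search(e["path"]):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for rule in find_cloaking_rules(HTACCESS_SAMPLE):
        print("cloaking rule ->", rule.target, "gated on", rule.conditions)
    for hit in find_spam_crawl_hits(LOG_SAMPLE):
        print("spam hit:", hit["ip"], hit["path"], "ua/ref:", hit["ua"][:40], hit["referer"])
```

The second check deliberately mirrors the rewrite's own condition rather than only matching bot user agents: the last sample line is an ordinary browser arriving from a Google result, which the rule would also have served the attacker's page to, so it belongs in the same list when you are sizing how much of the traffic the script saw. A bot 404 on a normal missing page (the third line) is not flagged, because the spam suffix is what distinguishes the campaign's URLs from routine crawl errors.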

 From:  william (WILLIAMA)  
 To:  CHYRON (DSMITHHFX)     
41882.2 In reply to 41882.1 
I live in constant fear that they are going to take over my raspberry pi owncloud server :(

More seriously, will you be staying with Ginormous Hosting Beast of a Gazillion Shared Hosting Accounts? And are you able to give its real name? 

 
never trust a man in a blue trench coat, never drive a car when you're dead
0/0

 From:  CHYRON (DSMITHHFX)  
 To:  william (WILLIAMA)     
41882.3 In reply to 41882.2 
Godaddy

We're not using it much for anything except last-resort transfer of really large files, since we have a no-cap plan. Also as a backup staging server in case our main server (our hardware, our premises) goes down. In this case I was just being lazy since I'd already pointed Google Analytics at it. Which I suppose is a good thing, else I'd have never discovered the problem.
0/0

 From:  william (WILLIAMA)  
 To:  CHYRON (DSMITHHFX)     
41882.4 In reply to 41882.3 
Still, doesn't fill one with confidence as a customer.

Back when I was gainfully employed, our public service customers all used exclusively in-house or third-party but unshared servers in unshared data centres. A good part of the job of the more IT-literate management was to resist the incessant and increasing calls from politicians to 'stick everything' on Amazon or GoDaddy or IaaS etc. Frightening, really.
never trust a man in a blue trench coat, never drive a car when you're dead
0/0

 From:  Peter (BOUGHTONP)  
 To:  ALL
41882.5 
Anyone wilfully using GoDaddy for any purpose deserves what they get.
+1/1

 From:  CHYRON (DSMITHHFX)  
 To:  Peter (BOUGHTONP)     
41882.6 In reply to 41882.5 
Yeah probably. Yo mama.
“Human Resources Startup Zenefits Is Laying Off Almost Half Its Employees”
0/0

Beehive Forum 1.5.2 |  FAQ |  Docs |  Support |  Donate! ©2002 - 2024 Project Beehive Forum