Unusual hack. WordPress htaccess redirect for search engines only.

by WanderingTechy September 19, 2013

I had a couple of clients complaining that their WordPress sites had been hacked.

I went to their sites and saw nothing out of place. A quick check of their index.php files and databases, which is where attackers usually strike, didn't show anything.

I requested further information, at which point the clients finally mentioned that it was Google that was saying the sites were compromised and showing pharmacy links.

With this new information I took a quick look at all the files in the site, looking for the most recently modified.

ls -lat

is your friend here. Bear in mind that it sorts by mtime, which an attacker with write access can reset with touch, so treat it as a first pass rather than a complete inventory.

This showed that the most recently modified files were:
.htaccess
session.php
common.php

A quick look inside the files showed the cause of the problem.

# Apache search queries statistic module
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}/common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>

The two PHP files were obfuscated (not really encrypted; base64 is trivially reversible) using

eval(base64_decode(...........))

As you can see, the .htaccess rules check whether the request looks like it comes from a search engine, either by User-Agent (the crawler names in the first RewriteCond) or by Referer (a visitor arriving from a search results page, the second RewriteCond; the two are joined with [OR]). If so, and the request is for a directory index (URI ending in /) or a page with one of the listed extensions, Apache internally rewrites the request to common.php, which pumps out the pharma pages and links. The URL in the browser never changes, and a visitor who types the address in directly, with no search-engine referer, gets the proper page, which is why nothing looked wrong on a direct visit. The last two conditions stop the rule looping on common.php itself and only fire while the dropped file is still present.

The effect of this is to push the spammer's pharmacy sites up the search rankings by making them appear more popular than they actually are, trading on the compromised sites' reputation. Google has caught onto this ploy and now tags the compromised sites as hacked in its results.

To fix this, delete session.php and common.php, replace the .htaccess with a clean copy (WordPress's standard rewrite block if you use pretty permalinks; simply deleting it will break those links), and reset the FTP password (move to SFTP if the host offers it, since plain FTP sends the password in the clear). The attacker had write access to the whole document root, so also check for any other files modified in the same window: a backdoor left behind would let them repeat this after the password change.

In case you are wondering, the users were compromised because they used weak FTP passwords. They have been educated on this now, and a new password strength check has been put in place for choosing new passwords.

To do a server-wide test for this hack, use the following command.

find /var/www/vhosts/*/httpdocs/.htaccess -print | xargs grep -l "common.php"

Obviously change the path if it is different on your server (this one is for a Plesk/CentOS server). A hit only tells you common.php is mentioned, so open each flagged file and look for the rewrite block above before cleaning up.
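As an added example (not part of the original post), here is a small POSIX shell scanner that automates the checks above over a document root: the .htaccess rewrite to common.php, the crawler/search-referer RewriteCond cloaking pattern (in case the dropped file was renamed), PHP files wrapped in eval(base64_decode(...)), and a listing of recently modified files. The /var/www/vhosts/*/httpdocs layout is the Plesk one from the post and is an assumption about your server; the regexes are heuristics, and a legitimate bad-bot blocking rule will also trip the User-Agent check, so review hits by hand.

```sh
#!/bin/sh
# Added example, not from the original post: scan a document root for the
# indicators of the crawler-cloaking hack described above.
#   1. an .htaccess whose RewriteRule sends requests to common.php
#   2. an .htaccess with RewriteCond tests on User-Agent or Referer for
#      crawler/search-engine names (the cloaking trick, whatever the target file)
#   3. PHP files wrapped in eval(base64_decode(...))
#   4. files modified in the last N days (default 7), what ls -lat showed
# Prints one line per finding and returns 1 if anything was found, 0 if clean.

scan_docroot() {
    docroot=$1
    days=${2:-7}
    found=0
    ht="$docroot/.htaccess"

    if [ -f "$ht" ]; then
        if grep -q 'RewriteRule.*common\.php' "$ht"; then
            echo "$ht: RewriteRule to common.php"
            found=1
        fi
        # heuristic: legitimate bot-blocking rules also match; review by hand
        if grep -Eiq 'RewriteCond[[:space:]]+%.HTTP_(USER_AGENT|REFERER).[[:space:]]+.*(google|bing|yahoo|crawl|spider|bot)' "$ht"; then
            echo "$ht: crawler/search-referer conditional rewrite"
            found=1
        fi
    fi

    # grep -l prints each matching file name; "|| true" keeps a no-match
    # result (exit status 1) from tripping "set -e" in callers
    hits=$(find "$docroot" -type f -name '*.php' \
               -exec grep -El 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/$/: eval(base64_decode(...))/'
        found=1
    fi

    # informational only: recent mtimes, remembering they can be forged
    find "$docroot" -type f -mtime -"$days" 2>/dev/null | sed 's/^/recently modified: /'

    return $found
}

# Sweep every vhost (Plesk layout assumed) and flag the ones needing attention.
scan_all_vhosts() {
    for d in /var/www/vhosts/*/httpdocs; do
        [ -d "$d" ] || continue
        scan_docroot "$d" || echo "*** $d needs attention"
    done
}
```

Run scan_all_vhosts from a root shell, or scan_docroot on a single site; anything it flags should be inspected, not deleted blindly, since the exact file names will vary between campaigns.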

Small Script to delete 1 or more emails from postfix queue

by WanderingTechy August 6, 2013

#!/usr/bin/perl
use strict;
use warnings;

# Regular expression to match against each queue entry, e.g. bl.*\@yahoo.com
my $REGEXP = shift || die "no email-address given (regexp-style, e.g. bl.*\@yahoo.com)!\n";

# Each entry in "postqueue -p" output starts with the queue ID, optionally
# followed by * (active) or ! (on hold); the sender, any deferral reason and
# the recipients follow on the same and subsequent lines.
my @data = qx</usr/sbin/postqueue -p>;
my %Q;
my $queue_id = "";
for (@data) {
    if (/^(\w+)(\*|\!)?\s/) {
        $queue_id = $1;
    }
    if ($queue_id && /$REGEXP/i) {
        $Q{$queue_id} = 1;
        $queue_id = "";
    }
}

# Hand the matching queue IDs to postsuper, one per line.
# To dry-run, swap the postsuper command for "cat" and just read the list.
open(my $postsuper, "|-", "postsuper -d -") || die "couldn't open postsuper: $!";
foreach (sort keys %Q) {
    print $postsuper "$_\n";
}
close($postsuper);

I have this stored outside the system path in a file called "delfromq".

Some examples:

./delfromq "domainname.com"
./delfromq "MAILER-DAEMON"
./delfromq "full-email-address@domainname.com"

Sorry I can’t give credit for this script as I have had it for so long I forgot where I got it from.

Problem with php mail function bouncing emails back to postmaster.

by WanderingTechy August 6, 2013

A server I manage hosts around 200 sites, each owned by a different webmaster. A number of these have form-to-mail style scripts. A small problem is that the mail server appears to be receiving emails from these scripts as anonymous@hostname.co.uk, so when an invalid email address is given on the form the bounces go back to postmaster@hostname.co.uk.

I was asked to fix the scripts to ensure that the bounces go back to the address in the $from field. Here is a quick fix.

Pass -f $from as the fifth argument of mail(). This sets the envelope sender (the Return-Path), which is the address the receiving server bounces to and is separate from the From: header. For example, change

This

mail($to, $subject, $message, $headers);

To this

mail($to, $subject, $message, $headers, '-f ' . $from);

Note the concatenation: PHP does not expand variables inside single quotes, so '-f $from' would set the envelope sender to the literal string $from. Also, the fifth argument ends up on the sendmail command line, so do not hand it a raw form field: check it with filter_var($from, FILTER_VALIDATE_EMAIL) first and fall back to a fixed address when that fails.

protect wp-login.php and wp-admin using htaccess on a dynamic IP

by WanderingTechy January 2, 2013

Please note, I did this using a Linux client on a Linux server. My desktop is Linux Mint and the server is CentOS. You can do it on Windows and OS X, but I can't advise on that, sorry. This is a quick and dirty tutorial aimed at those familiar with command lines and server operation. You need SSH access to the server you are running your blog from.

The Problem:

My WordPress blog is getting blitzed with attempts on my wp-login.php file and wp-admin folder. I want to block all access to these areas unless it is coming from my computer.

I tried a number of methods, including but not limited to logging all attempts and adding them to my firewall or htaccess file. This is an ongoing task and not suitable for long-term use.

I am on a dynamic IP that changes each time I log into the computer, so blocking by IP was not practical. However…

I now use a combination of SSH to create a proxy, FoxyProxy to use this proxy only when navigating to my WordPress install, and htaccess to block all IPs except the server's own IP.

The Solution:

Read the rest of this entry »

Quick manual install of WordPress on Linux Mint.

by WanderingTechy December 24, 2012

This is just a quick run through. I assume you have configured any vhosts and know your way around the command line. It is written for a local install on Linux Mint.

cd to your working directory, then:
wget http://wordpress.org/latest.tar.gz
tar xvzf latest.tar.gz
mv wordpress/* .
rmdir wordpress

The file ownerships are likely to be wrong, so (using the colon form; the old user.group form is deprecated):
chown -R username:groupname .

Now set up the database:

mysql -p
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpressuser'@'localhost' IDENTIFIED BY 'Uvh786sAx$';
FLUSH PRIVILEGES;

The GRANT ... IDENTIFIED BY form creates the user as a side effect on MySQL 5.x and MariaDB; on MySQL 8 create the user first with CREATE USER and then GRANT.

Obviously change the directory, databasename, username and password to your own settings.

Now go to the vhost or folder in your browser where you saved your WordPress install and click on "Create a Configuration File". Fill in the details as per the MySQL setup, then copy and paste the generated file into wp-config.php.

Follow the rest of the wizard.  That’s it.

Deleting emails from the postfix mailq by email address

by WanderingTechy July 6, 2012

To clean out some spam from the Postfix mail queue (every message whose sender, recipient or deferral reason mentions the address; gawk's RS="" treats each blank-line-separated queue entry as one record, and tr strips the * and ! status markers from the queue ID):

mailq | tail -n +2 | gawk 'BEGIN { RS = "" } /email@domain.com/ { print $1 }' | tr -d '*!' | postsuper -d -
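As an added example serving both this post and the Perl delfromq script above (it is not code from either post), here is a POSIX shell function that does the same queue-ID selection but keeps the capture separate from the deletion, so the list can be reviewed before it is piped to postsuper. It assumes the standard postqueue -p / mailq layout (column header, blank-line-separated entries, a trailing "-- N Kbytes in M Requests." summary); the sample queue at the bottom is constructed for trying it offline.

```sh
#!/bin/sh
# Added example, not part of either original post: pick Postfix queue IDs out of
# "postqueue -p" / "mailq" output by regular expression and print them one per
# line, in the form "postsuper -d -" expects. Suggested use:
#   postqueue -p > /tmp/q.txt
#   queue_ids_matching 'spammer@domainname\.com' < /tmp/q.txt      # review
#   queue_ids_matching 'spammer@domainname\.com' < /tmp/q.txt | postsuper -d -
# Postfix can reuse queue IDs, so never feed postsuper a stale capture.

# queue_ids_matching PATTERN [INCLUDE_ACTIVE]
# PATTERN is an awk regex matched case-insensitively against the whole entry
# (sender, recipients and any "(deferral reason)" line), so escape dots and
# remember that an address quoted inside a bounce reason matches as well.
# Entries marked active (trailing "*") are mid-delivery and are skipped unless
# INCLUDE_ACTIVE=1; the "!" hold marker is stripped and those are included.
queue_ids_matching() {
    # ENVIRON hands the pattern to awk untouched; "awk -v" would mangle "\."
    PAT="$1" INCL="${2:-0}" awk '
        BEGIN { RS = ""; FS = "\n"; pat = tolower(ENVIRON["PAT"]); incl = ENVIRON["INCL"] }
        {
            # RS="" is paragraph mode: one blank-line-separated entry per record,
            # except that the column header shares the first record with entry 1
            first = ($1 ~ /^-Queue ID-/) ? 2 : 1
            if (first > NF) next                       # header only
            if ($first ~ /^-- /) next                  # "-- N Kbytes in M Requests."
            if ($first ~ /^Mail queue is empty/) next
            split($first, head, /[ \t]+/)              # ID[*|!]  size  date  sender
            id = head[1]
            if (id ~ /\*$/ && incl != "1") {
                print "skipping active " id > "/dev/stderr"
                next
            }
            sub(/[*!]$/, "", id)                       # strip * (active) / ! (hold)
            if (tolower($0) ~ pat) print id
        }
    '
}

# Constructed sample of postqueue -p output for trying the function offline.
sample_queue() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
3C4D2A0F1B*     1234 Mon Aug  5 10:00:00  spammer@domainname.com
                                         victim@example.org

5E6F7B0C2D!     5678 Mon Aug  5 10:01:00  MAILER-DAEMON
(connect to mail.example.org[192.0.2.10]:25: Connection refused)
                                         someone@example.org

7A8B9C0D1E      2345 Mon Aug  5 10:02:00  user@domainname.com
                                         friend@example.net

-- 9 Kbytes in 3 Requests.
EOF
}

sample_queue | queue_ids_matching 'domainname\.com'
```

Against the sample this prints 7A8B9C0D1E and warns on stderr about the active 3C4D2A0F1B; pass 1 as the second argument to include active entries, as the Perl script and the one-liner above do.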

Centos 6.2 eth0 stops responding, ADDRCONF(NETDEV_UP): eth0: link is not ready.

by WanderingTechy June 12, 2012

This is becoming a saga. One of my new servers went offline 2 days ago. I logged in through a serial session and everything was fine apart from the networking not working.

/etc/rc.d/init.d/network restart

Failed, telling me the cable wasn't connected. It was, and the link was live.

A hard reboot brought it back up and I kept my fingers crossed it was a one off.  I knew at the back of my mind it wasn’t but I kept my fingers crossed anyway.

After much searching of the net I found this is a known problem across a lot of Red Hat based distributions and affects the e1000e driver.

Last night the server went down again. I found that the ELRepo repository (elrepo.org, not EPEL; see the commands below) has an allegedly fixed driver. I installed this and watched it for 2 hours.

rpm --import http://elrepo.org/RPM-GPG-KEY-elrepo.org
rpm -Uvh http://elrepo.org/elrepo-release-6-4.el6.elrepo.noarch.rpm
yum update
yum install kmod-e1000e
/sbin/shutdown -r now

I then went to bed at around 2AM this morning.  I was woken by the klaxon alarm on my BB telling me a server was down.  Yup the fix didn’t fix it.

Further research led me to add this to the kernel options line in /boot/grub/grub.conf (it disables PCI Express Active State Power Management, which has been blamed for e1000e link drops):

pcie_aspm=off

It has been running all day. I am not holding my breath at this time. I have a feeling I may have to move to a different server, at more expense, if this doesn't work.

Sorry for the disjointed nature of this post I am in a rush but wanted to get it posted today while it is fresh in my mind.

Rackspace cloud server using Arch Linux and pdns with sqlite 3 backend

by WanderingTechy June 2, 2012

Wow that title was a mouthful.

I need a tertiary DNS server that is remote from any of my current networks. Doing this with a dedicated server is expensive, so I am testing out Rackspace's cloud service.

I decided to go with Arch, pdns and SQLite as this would allow me to have a minimal server. I am attempting this on a 256MB server but can upgrade if necessary.

As I have not used Arch Linux in anger as a server, have never used SQLite, and have only installed pdns once before (that install was 4 years ago and is still running), this should be an interesting side project.

Read the rest of this entry »

More plesk mysql commands

by WanderingTechy May 9, 2012

To extract all the email information you need to recreate all the mail accounts, run this against Plesk's psa database. The result includes accounts.password, the mailbox passwords, so treat the output as sensitive and don't leave it in a world-readable dump.

SELECT mail.mail_name, domains.name, accounts.password, mail.postbox, mail.redirect,
       mail.redir_addr, mail.mail_group, mail.autoresponder, mail.mbox_quota
FROM domains, mail, accounts
WHERE domains.id = mail.dom_id
  AND accounts.id = mail.account_id
ORDER BY domains.name ASC, mail.mail_name ASC;

To extract all aliases

SELECT mail.mail_name, domains.name, mail_aliases.alias
FROM mail, domains, mail_aliases
WHERE mail.dom_id = domains.id
  AND mail.id = mail_aliases.mn_id;

List all plesk email accounts with password

by WanderingTechy May 9, 2012

If you need to view all the mailboxes and their passwords in Plesk, use this command via SSH. It prints the credentials in the clear, so don't redirect the output into a file others can read, and clear your terminal scrollback when you are done.

/usr/local/psa/admin/bin/mail_auth_view