Apache-2.2

Apache server redirecting requests coming from Google, hacked?

  • April 11, 2012

I found something very suspicious. When connecting to www.pulseexpress.com via a Google link, the server redirects you to a very suspicious site, which immediately sends you an .exe file:

# host www.pulseexpress.com
www.pulseexpress.com has address 173.236.189.124

# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDEQFjAA&url=http%3A%2F%2Fwww.pulseexpress.com%2F&ei=JfhkT_SuGYf40gG85MW_CA&usg=AFQjCNGlomNN7JWxEG7DUzbJyqnVFYkj7w&sig2=i5xsJPgIs1sbD6gpDzJ7OQ

HTTP/1.1 302 Moved Temporarily
Date: Sat, 17 Mar 2012 20:53:40 GMT
Server: Apache
Location: http://www.fdvrerefrr.ezua.com/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

However, if you type the address directly into the browser, the content is served normally:

# netcat 173.236.189.124 80
GET / HTTP/1.1
Host: www.pulseexpress.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en-gb;q=0.8,en;q=0.6,de-de;q=0.4,de;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive

HTTP/1.1 200 OK
Date: Sat, 17 Mar 2012 20:53:51 GMT
Server: Apache
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: e7c55e1c7796b5e5c04e0c55afd862ea=e427sf2eh4t11jno5c4pvaal40; path=/
Set-Cookie: virtuemart=e427sf2eh4t11jno5c4pvaal40
Set-Cookie: ja_purity_tpl=ja_purity; expires=Thu, 07-Mar-2013 20:53:53 GMT; path=/
Last-Modified: Sat, 17 Mar 2012 20:53:53 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4428
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
[...]

My guess is that this system has been compromised. Also, the attack does not seem trivial, since the Apache configuration must have been modified in a way that redirects only some requests, probably to reduce the chance of the owner noticing the problem.

Do people agree with this analysis?

Is this conditional redirect technique new and hand-crafted, or is it a routine included in standard attack software kits?

Yes, the site has been hacked, and while it is a clever hack it is not uncommon; we have been seeing it extensively over the last few months. Look for .htaccess files modified in the last few days/weeks; they will be full of crazy mod_rewrite rules. Secure the site, remove/edit the corrupted files (I would say "restore from backup", but I have even given up trying to get people who habitually run vulnerable software and keep their site's FTP password on a vulnerable desktop to have a decent backup mechanism), and the site will be fine again.
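As an added example (not part of the original question or answer), the following shell script does what the answer suggests: it lists .htaccess and .conf files modified within a given number of days and prints the mod_rewrite lines that condition on the Referer or User-Agent, or that redirect to an external absolute URL. It also wraps the poster's with/without-Referer comparison in a curl helper. The function names (scan_htaccess, count_suspicious, probe_referer_redirect, make_demo_root), the sample directory tree and the sample .htaccess contents are constructed for the demo; only the redirect target domain is taken from the Location header in the post.

```shell
#!/bin/sh
# Added example, not code from the Server Fault thread. Helpers:
#  - scan_htaccess: find .htaccess/.conf files changed in the last N days and
#    print the mod_rewrite lines that key on Referer/User-Agent or redirect
#    to an external absolute URL (the pattern the answer describes).
#  - probe_referer_redirect: re-run the poster's "with Referer / without
#    Referer" comparison with curl (needs network; not run in the demo).
# make_demo_root builds a constructed directory tree so the scan runs offline.

# scan_htaccess DIR DAYS -> lines of "file:lineno:text"
scan_htaccess() {
    find "$1" \( -name .htaccess -o -name '*.conf' \) -type f -mtime "-$2" 2>/dev/null |
    while IFS= read -r f; do
        # RewriteCond on the referrer or UA, or a RewriteRule with an [R...]
        # flag whose target is an absolute http(s) URL
        grep -n -i -E \
          'RewriteCond[[:space:]]+%\{HTTP_(REFERER|USER_AGENT)\}|RewriteRule[[:space:]].*https?://[^[:space:]]+[[:space:]]*\[[^]]*R' \
          "$f" | awk -v f="$f" '{ print f ":" $0 }'
    done
}

# count_suspicious DIR DAYS -> number of flagged lines
count_suspicious() {
    scan_htaccess "$1" "$2" | wc -l | tr -d ' '
}

# probe_referer_redirect HOST [IP]: status code and redirect target with a
# Google Referer, then without one. Differing results mean the server is
# applying conditional redirect logic to that vhost.
probe_referer_redirect() {
    host="$1"; ip="${2:-$1}"
    curl -s -o /dev/null -H "Host: $host" -e "http://www.google.com/url?q=$host" \
         -w 'with Referer:    %{http_code} %{redirect_url}\n' "http://$ip/"
    curl -s -o /dev/null -H "Host: $host" \
         -w 'without Referer: %{http_code} %{redirect_url}\n' "http://$ip/"
}

# make_demo_root -> path of a constructed tree (sample data, not real files)
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/images" "$root/old"
    # Constructed: the kind of injected rule the answer describes, redirecting
    # only search-engine visitors to the target seen in the posted Location
    # header, followed by an ordinary front-controller rule that must not fire
    cat > "$root/htdocs/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?(google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://www.fdvrerefrr.ezua.com/ [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) index.php [L]
EOF
    # Benign, recently changed: must not be flagged
    printf 'Options -Indexes\n' > "$root/htdocs/images/.htaccess"
    # Same injected pattern but untouched for a month: outside the time window
    printf 'RewriteCond %%{HTTP_REFERER} google\nRewriteRule . http://x/ [R]\n' > "$root/old/.htaccess"
    touch -d '30 days ago' "$root/old/.htaccess" 2>/dev/null || touch -t 201201010000 "$root/old/.htaccess"
    echo "$root"
}

# Offline demo; on a real host run e.g.: scan_htaccess /var/www 14
demo_root=$(make_demo_root)
scan_htaccess "$demo_root" 7
echo "flagged lines: $(count_suspicious "$demo_root" 7)"
rm -rf "$demo_root"
```

The hits are signals, not proof: legitimate referrer-based rules exist (hotlink protection, for instance), so read each flagged line, and since an attacker with FTP access can reset mtimes, compare every .htaccess against a backup or version control rather than trusting the time window alone.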

Quoted from: https://serverfault.com/questions/370782