Oh dear. Here come the script kiddies

Sometimes you can feel so naive and trusting.

I spent a happy couple of hours removing spam files from my web server last night. I hadn’t realised they were spam. I hadn’t been compromised myself. There was no sign they were there without a good look at the file system. But thanks to the rubbishness of my host, Dataflame, I found out about them and took them away.

The story goes like this. Yesterday, I noticed that pages on my server were disappearing. One moment they’d be there, the next minute you’d get a 500 error if you tried to access them. Then they’d be back again.

I checked my server log to see if anything was up. I noticed there were a whole load of errors cropping up only that day about the permissions being wrong on my files.

Odd. They had the same permissions as they’d always had and there’d never been any problems before.

So I used Dataflame’s online chat to speak to tech support.

“You have the wrong permissions. They should be 755.”

But they’ve always worked before. And if the permissions are wrong, why is the fault so intermittent?

“You have the wrong permissions. They should be 755.”

Why is the fault intermittent?

“We’ve installed phpexec.”

When did you install that?

No reply. Then “It should be fine. Please check.”

It’s an intermittent fault. What should I be looking out for?

No reply.

Okay. But why is the fault intermittent?

“You have the wrong permissions. They should be 755.”

Actual technical support or crude bot? I don’t know.

Anyway, I reconfigured Movable Type’s configuration file to output files and folders with 755 permissions. I then had a look at my file system to see which permissions I had on files and folders outside my blog.

Which is when I noticed the bad files. They were all over the place, with names like remote.php, finfo.php, errors.php, and always accompanied by an .htaccess file.

It was the latter that really set the alarm bells ringing. I’d spotted the files before and assumed they’d been generated either by Movable Type or by Dataflame, since they didn’t do anything too awful and looked like error reporting tools.

.htaccess files, on the other hand, shouldn’t be there at all.

So then I began to wonder why they were there. A quick Google of the filenames revealed that I was not alone in finding them on my filesystem. And they weren’t good news.

It looks as though some script kiddies were going around exploiting flaws in various people’s PHP scripts. These flaws would give the kiddies access to the file system at the Apache/PHP level. They then went around installing these files into all the directories they could find.

Here’s what these files do. Whenever someone got a 404 error, because of an incorrect link or some other mistake, the .htaccess file would intercept the error and pass it to one of these files. The file would then encode the request and send it off to some servers in Russia. It would also redirect the unlucky person to a spam web site in Russia.

The general aim of the operation was to get high Google rankings for their spam sites, by setting up inbound links on compromised web servers.

Now, it seems clear that Dataflame knew about this. phpexec is a program that forces PHP to run as the user who owns the script, rather than as Apache. This means that PHP will only have access to your part of the server, rather than the whole server. So it’s likely that a script installed by someone on my shared server was compromised (in February, judging by the dates on the files, although that’s none too reliable), which led to the entire server being compromised. And this is Dataflame’s belated response.
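A quick way to check a web root for both symptoms described above, as an added example that is not part of the original post: it lists .htaccess files whose ErrorDocument 404 line hands the error to a PHP script (the interception trick just described) and directories that are group- or world-writable, i.e. looser than the 755 that phpexec expects and that anything running as the web server user could drop files into. The sample tree built in demo() is constructed for illustration; the filenames errors.php and remote.php are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): two read-only checks a site
# owner can run over a web root after an incident like the one described.

# 1. Report .htaccess files that route 404 errors into a PHP handler.
#    Matches lines such as:  ErrorDocument 404 /blog/archives/errors.php
find_404_handlers() {
    root="$1"
    find "$root" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eiq '^[[:space:]]*ErrorDocument[[:space:]]+404[[:space:]]+.*\.php' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# 2. Report directories writable by group (020) or others (002).
#    These are looser than 755 and are where dropped files tend to land.
find_loose_dirs() {
    root="$1"
    find "$root" -type d \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Build a small constructed sample tree (demo only) and run both checks.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/blog/archives" "$tmp/images"
    # A planted handler, using a filename from the post.
    printf 'ErrorDocument 404 /blog/archives/errors.php\n' > "$tmp/blog/archives/.htaccess"
    : > "$tmp/blog/archives/errors.php"
    # A harmless .htaccess that should not be reported.
    printf 'Options -Indexes\n' > "$tmp/images/.htaccess"
    chmod 755 "$tmp/blog" "$tmp/blog/archives"
    chmod 777 "$tmp/images"          # deliberately loose, to be flagged

    echo "== .htaccess files sending 404s to PHP =="
    find_404_handlers "$tmp"
    echo "== group/world-writable directories =="
    find_loose_dirs "$tmp"
    rm -rf "$tmp"
}

demo
```

Run it against the real document root instead of the demo tree with `find_404_handlers /path/to/htdocs` and `find_loose_dirs /path/to/htdocs`; every hit is worth a look, since neither a blog engine nor a host normally writes ErrorDocument lines pointing at PHP files scattered through the tree.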

Of course, it would have been better if they’d just told me, rather than letting me find out the hard way. But there you go.

So I’ve now deleted all the evil spam files. Hopefully Google will find out about it soon and ditch the naughty pages from its index. All the permissions on my files are now right for phpexec to work with, and I’m not getting those errors in my logs any more.

Bloody script kiddies.