Dissecting a website attack through a compromised FTP account

Solution 1:

Something twinged as familiar while reading through your post. Then it hit me: I had seen this before, over a month ago, when trying to access a site for a game. See here - same behavior, the redirect action taken just on search engine referrers.

The domain name in your .htaccess looked familiar because my home computer's antivirus had made loud noises about it to me weeks ago.

And, wouldn't you know it, the host of the site that I'd observed this on? GoDaddy.

I don't think you got brute-forced or had your password compromised through any fault of your own; I think GoDaddy was the one compromised here. And I wouldn't put it past them to store the FTP passwords in plain text. Some more digging found this article suggesting the same; brute force protection may be the least of their issues.
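The behavior described in this answer, a redirect in .htaccess that fires only for search engine referrers, can be checked for mechanically. The following is an added example, not part of the original answers; the sample file, the engine list and the function name are constructed for illustration, and `example.invalid` is a placeholder host.

```python
import re
from urllib.parse import urlsplit

# Assumed list of referrer substrings to look for; extend as needed.
SEARCH_ENGINES = ("google", "bing", "yahoo", "yandex", "baidu", "duckduckgo")

# Constructed sample: one legitimate canonical-host rule, one injected rule.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect-target.example.invalid/in.php [R=301,L]
"""

def find_referrer_redirects(text, own_hosts=()):
    """Return RewriteRules that send search-engine referrers to a foreign host."""
    findings = []
    referer_conds = []  # HTTP_REFERER patterns pending for the next RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() == "%{HTTP_REFERER}":
                referer_conds.append(parts[2].lower())
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            # An absolute URL as the substitution makes mod_rewrite redirect externally.
            is_abs = re.match(r"https?://", target, re.I)
            host = (urlsplit(target).hostname or "") if is_abs else ""
            engines = sorted({e for e in SEARCH_ENGINES
                              for c in referer_conds if e in c})
            if host and host not in own_hosts and engines:
                findings.append({"line": lineno, "target_host": host,
                                 "engines": engines})
            referer_conds = []  # conditions apply only to the rule that follows them
    return findings

if __name__ == "__main__":
    for f in find_referrer_redirects(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(f"line {f['line']}: {f['engines']} -> {f['target_host']}")
```

Pass the site's own hostnames in `own_hosts` (lowercase) so that legitimate referrer-based rules pointing at the same site are not reported.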

Solution 2:

Easy! Don't use FTP. It transmits the credentials in plain text and transmits all data in plain text. It's one of the most insecure ways to transfer files. If your host doesn't support any other ways, find a new host.