DevNetwork Forums

Ok guys, I'd love to hear thoughts on this one. I had a very strange thing happen to me today. I found out that my .htaccess file had been edited by _someone_ to have this in it:

I'm not entirely sure what all of that means. However, I now know that all my 404s were getting redirected to 87.248.180.88 (which seems to be spam/virus-ey). I discovered this by almost pure chance. I've alerted my hosting provider, have changed all my passwords, and removed all the code that I could find. However, I'm _very_ curious as to how this got into my .htaccess file.

I would be _very_ surprised if someone had guessed my password since it's rather strong (8+ characters, capitalization thrown in and numbers/special chars).
I'm pretty sure that none of the php scripts on my server have access to this file, but I could be wrong (?).
Any ideas?

if any of your forms allow uploading. need to check that they can only upload certain file types. I forgot to do this on one of my sites and that uploaded a .js file and ereased over 200gb of data from my server. it took about 2 weeks to reupload it all.

Are you on a shared host? It's possible that all users run PHP under the same userid which is a big security risk.

Check to see if something you did in your shared hosting control panel (if you used shared hosting) did this to you. If not, then you need to go to your web hosting provider to ask if they have an answer. If they don't have an answer, then yeah, you might have been hacked. They don't need to know your password -- there are exploits in certain packages and certain versions of Apache 1.5 and 2. You have to ensure your stuff is patched and up to date. Usually that's the job of your web hosting provider. So, for instance, if I were hacked on a shared host, I'd ensure I had good backups, find the one that worked, complain to my web hosting provider to keep the systems secure, and once everything was good again, I'd reupload my stuff from backup.

If it's mission critical, some people go this route. They use a separate DNS system like moniker.com to purchase their domains and host the DNS record for them. Then, they point them to a web hosting provider. They then get a completely separate but compatible web hosting provider that can also rehost their stuff and leave that out there for the time being. In the event of something like this, they just go to moniker.com and repoint their domain to the backup web host in order to have their stuff come back online quickly. In the meantime, the site owner (you) would then split up all the sites s/he owns across these two web hosts. When one starts to have trouble, they can move some or all the domains to the other.

It's true only if the TTL for DNS records is set to a very low value (e.g. 1hour), which is really rarely seen in DNS registrators.
The TTL is usually set to 86400 - 1 day.

Also, most of the sites use a DB server - it should be synchronized with the "new" one.

I like how you signed up just to agree with someone haha.