5

The hacker added code to the .htaccess file to redirect all search engine traffic to a malware website. I am now investigating this incident and trying to find the security loopholes. My situation is almost similar to this person's - .htaccess being hacked repeatedly

Here's a sample of the intrusion attempt from the FTP logs -

    Aug  6 02:43:31 sg2nlftpg002 [30887]: (?@91.220.0.19) [INFO] FTPUSER is now logged in
    Aug  6 09:43:33 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [INFO] Logout.

This is significantly different from my regular login attempts -

    Aug  7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from [my.ip.address]
    Aug  7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
    Aug  7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
    Aug  7 11:14:55 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 846 written 0
    Aug  7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from [my.ip.address]

I have gone through HTTP traffic logs but couldn't find anything suspicious over there.

Other information that might be useful:

  • I am on a shared host and the website runs on WordPress, BuddyPress and other popular plugins.
  • To my knowledge all software under my control uses latest versions and is updated regularly.
  • I use strong passwords and update them regularly. I only access the website with SFTP and SSH using PuTTY.
  • My local machine is free from viruses.

My question is how to prevent such attacks in future?

UPDATE

Arpit Tambi
  • Are you administrating the machine, or just one of the sites? How up to date are the WordPress/etc. installs that you *don't* control? How "Jailed" are your sites from each other? If someone gained root from another site on the same machine it really doesn't matter how up to date your stuff is or how secure (as secure as you could be without being root for the machine.) – Bart Silverstrim Aug 09 '11 at 10:47
  • I am on a shared hosting and run one single website on it, all software are up to date. I cannot say much about account isolation but I have updated my question with more information. Do you think that I should ask my host to shift me to another machine? – Arpit Tambi Aug 09 '11 at 11:01
  • No, your account password got compromised, there's no evidence of a server-wide intrusion. – womble Aug 10 '11 at 00:06
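As an added example (not part of the question or any answer), a small Python detector for the Pure-FTPd log format quoted above: it flags an upload from an address outside an allowlist, and a download of a sensitive file such as .htaccess followed by an upload of the same path within one session, which is exactly the fetch-modify-overwrite pattern in the logged intrusion. The sample log lines and the 203.0.113.7 "owner" address are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the Pure-FTPd format quoted above; the 91.220.0.19 session mirrors
# the reported intrusion, 203.0.113.7 is a documentation-range placeholder for the owner's IP.
SAMPLE_LOG = """\
Aug  6 09:43:31 sg2nlftpg002 [30887]: (?@91.220.0.19) [INFO] FTPUSER is now logged in
Aug  6 09:43:33 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)
Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)
Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [INFO] Logout.
Aug  7 10:57:53 sg2nlftpg002 [11713]: (?@203.0.113.7) [INFO] FTPUSER is now logged in
Aug  7 11:14:29 sg2nlftpg002 [11713]: (FTPUSER@203.0.113.7) [NOTICE] /home/content/81/7838581/html//wp-content/uploads/photo.jpg uploaded  (52110 bytes, 210.00KB/sec)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \[(?P<pid>\d+)\]: "
                     r"\((?P<user>[^@]*)@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$")
XFER_RE = re.compile(r"^(?P<path>/\S+) (?P<dir>uploaded|downloaded)\s+\((?P<bytes>\d+) bytes")

# Files whose replacement deserves an alert even from a trusted address
SENSITIVE = (".htaccess", "wp-config.php", "index.php")

def parse(log_text):
    """Yield one dict (ts, pid, user, ip, level, msg) per parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_suspicious_uploads(log_text, trusted_ips):
    """Flag uploads from untrusted IPs and download-then-replace of sensitive
    files within one session (the fetch-modify-overwrite pattern in the question)."""
    downloaded = defaultdict(set)  # session pid -> paths read earlier in that session
    alerts = []
    for ev in parse(log_text):
        x = XFER_RE.match(ev["msg"])
        if not x:
            continue  # logins, logouts and other non-transfer messages
        path = x.group("path").replace("//", "/")
        if x.group("dir") == "downloaded":
            downloaded[ev["pid"]].add(path)
            continue
        reasons = []
        if ev["ip"] not in trusted_ips:
            reasons.append("untrusted source %s" % ev["ip"])
        if path.endswith(SENSITIVE) and path in downloaded[ev["pid"]]:
            reasons.append("download-then-replace of %s" % path.rsplit("/", 1)[-1])
        if reasons:
            alerts.append("%s %s@%s %s: %s" % (ev["ts"], ev["user"], ev["ip"], path, "; ".join(reasons)))
    return alerts
```

Run against a real log with `find_suspicious_uploads(open(path).read(), {"your.ip"})`; on shared hosting the same check works on whatever FTP log the control panel lets you download.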

4 Answers

4

If they logged in over FTP, then your user account password is compromised and they're just FTPing up the modified file. Audit everywhere that's using your account password for password-collecting malware, then change the password to something secure. Also consider using a passwordless method of authentication (such as SSH public keys), but if your development machine is chock full of malware, it can just steal the key instead.

womble
  • If you see the timestamps of intrusion attempt, see the hour and minute values, does it look like a bot? Also these are the only suspicious entries in the FTP logs. I believe my machine is free from malware (as reported by the scanner) and have already changed FTP password. I mostly use SSH to get things done. – Arpit Tambi Aug 09 '11 at 11:19
  • if you mostly use SSH, why don't you disable/delete the FTP accounts? – gravyface Aug 09 '11 at 11:40
  • There is only one FTP account, which I had to create to set up the hosting through their control panel. There is no way to delete/disable it. – Arpit Tambi Aug 09 '11 at 11:51
  • Where did I make any suggestion that a bot was doing the FTP activity? And if there's no way to disable FTP, you need a new control panel -- that's an insanely stupid one you've got there. – womble Aug 10 '11 at 00:05
1

As already mentioned the chances are that your FTP details have been compromised (normally from an infected Windows desktop PC somewhere I've found).

I've tested this in the past by purposely logging in with the wrong password from a suspected PC, only to see someone else try and login with the same wrong password 15 minutes later from a foreign IP address. Obviously the infected PC was sniffing the password and transmitting it back to the mother ship.

The most practical thing to do is restrict where people can log in to FTP from on your firewall. Password complexity or encryption will probably do you no good in this case, as the password is being stolen at source, and not being guessed or intercepted down the line.

In iptables something like this would work:

    # drop FTP control connections from every source except your own address
    iptables -I INPUT -p tcp --dport 21 ! -s X.X.X.X -j DROP

(where X.X.X.X is the IP of your office/home where you connect from).

Coops
  • firewall tip is good, but he's on shared hosting; don't think he has control over iptables. – gravyface Aug 09 '11 at 11:39
  • Thanks for the tip but it doesn't work. It says iptables: command not found. I am rescanning my local computer for viruses using two different scanners, let's see. – Arpit Tambi Aug 09 '11 at 11:52
-1

Are you using Total Commander for FTP access? My friend had a virus that collected all the passwords from TC.

-1

I had a serious problem with someone hacking into my .htaccess file and my only solution was to make the file unhackable. First, I cleaned up the .htaccess file and any PHP files of all hacks. Then I changed the file permissions to 444 (644 still allows access) on the .htaccess file. Then I used the shell access to my account to make the file "immutable", which means it cannot be changed!

When you have shell access to your account on your Linux server, enter the following:

    # chattr +i .htaccess

Now, even those with root access cannot change the file!

If you need to undo this, enter:

    # chattr -i .htaccess

If you do not have shell access to your account, ask your web host about entering this for you to make the file immutable.

Bob
  • Still, these are stopgap measures. The fact that your .htaccess file was edited without authorization is just a symptom of the hack. Who knows what other damage they have done to your server? – 200_success Sep 08 '13 at 18:47
  • To be pedantic, anyone with root access can change the attributes back, as well. – Falcon Momot Sep 08 '13 at 19:05