
Possible Duplicate:
My server's been hacked EMERGENCY

My site has been hacked, and I asked about this issue yesterday.

I've changed the FTP password and the server password. I also changed the location of the server: it used to be in the MAMP folder and I have now moved it somewhere else, and it is still happening.

What happens is that all the sites' .htaccess files get replaced with redirections to some random Russian site, which ends up forwarding to baidu.com, a Chinese search engine.

I have the most up-to-date WordPress, and all the plugins are disabled; I even removed them all.

At first I thought only one of them was affected, but it turned out that all the sites on the same server were affected by the .htaccess replacement.

I don't know which step I should take to solve this problem now. I have also downloaded my site (3.5GB) and searched it with Notepad++ and command-line tools like grep to find whether there is any PHP file doing that kind of file replacement, and nothing was really found.

I've been trying to solve this problem since yesterday and have lost a lot of my site's traffic to them, and I don't know what to do now.

Could anyone please give me some suggestions?

I did a lot of research and nothing has really been found yet.

I did chmod the .htaccess to permission 400 and they can still replace the file.

Ali
  • What's in your access_log? You need to know how they are getting in. Are you certain you don't have malware on your laptop? They could just be stealing your FTP password each time you change it. I know first-hand of a case where that was happening. If you want the files to stop being changed while you debug this, just `chattr -R +i ...` all the files (but don't do any cache directories or WP will fail) so even root can't change them (until you `chattr -R -i ...` them). – Jay Jun 10 '12 at 16:59
  • @JayShah Nothing suspicious in the access_log. No one is actually allowed to use my Mac OS X Xserve at all, so I don't think we have any malware or anything, because we always monitor it and do a cache clean-up every week. – Ali Jun 10 '12 at 17:00
  • Could you possibly do a `ls -la` (if you have SSH access) of the Web Root (or at least give us the MOD and OWN properties of your home directory, web root, .htaccess file, and wordpress installation folder). This is so we can have a better idea of what the file permissions are of folders, etc. Also assuming that you are using Apache, what version are you running, and what `user:group` is it running as. – Jason S Jun 10 '12 at 17:07
  • @JasonS the permissions of the file are the same as `apache` for the group and owner, and that is the same for all. – Ali Jun 10 '12 at 17:09
  • And the MOD properties? – Jason S Jun 10 '12 at 17:10
  • `-rw-r--r-- 1 Xserve _www 236 Jun 10 22:34 .htaccess` – Ali Jun 10 '12 at 17:11
  • `drwxrwxrwx 40 _www _www 1360 Jun 10 23:51 www` this is the root of the site. – Ali Jun 10 '12 at 17:11
  • @JasonS which is now not the same as the `apache` group and owner, because the group and owner of `apache` is `Xserve:admin` – Ali Jun 10 '12 at 17:15
  • Your issue is that the Web Root `www` is world-writable (the final w in drwxrwxrwx), allowing people to overwrite things such as .htaccess. – Jason S Jun 10 '12 at 17:18
  • So what should I change it to? – Ali Jun 10 '12 at 17:22
  • `chmod 775 www` – Jason S Jun 10 '12 at 18:46
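The diagnosis in the comments above (a world-writable web root letting anyone rewrite .htaccess) can be checked and cleaned up with a small audit script. This is an added example, not code from the thread or from any of its participants; the function names are hypothetical, and the directory layout and .htaccess contents used in the test are constructed.

```shell
#!/bin/sh
# Audit a web root for the two symptoms discussed in the thread:
#   1. paths writable by "other" (the final w in drwxrwxrwx), and
#   2. .htaccess files whose rules send visitors to an off-site URL.
# Usage: . ./audit_webroot.sh; find_world_writable /path/to/www
# Hypothetical helper functions, not part of the original post.

# List every file or directory under $1 that is world-writable, one per line.
# "-perm -002" means "the other-write bit is set", and is accepted by both
# GNU find (Linux) and BSD find (Mac OS X / Xserve).
find_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | sort
}

# List .htaccess files under $1 containing a Redirect, RedirectMatch or
# RewriteRule directive whose target is an absolute http(s) URL. A normal
# WordPress .htaccess only rewrites to /index.php, so an absolute URL in a
# rule is worth a manual look.
find_redirecting_htaccess() {
    find "$1" -name .htaccess -type f 2>/dev/null | while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Clear only the other-write bit on everything world-writable under $1,
# leaving owner/group permissions alone (777 becomes 775, 666 becomes 664).
# Prints each path it changed.
fix_world_writable() {
    find "$1" -perm -002 -print 2>/dev/null | while IFS= read -r p; do
        chmod o-w "$p" && printf '%s\n' "$p"
    done
}
```

The `chattr +i` freeze suggested by Jay is Linux-specific (ext filesystems) and is not available on the Xserve in the thread; the permission fix above applies on both.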

1 Answer


You should have read the link provided when your last question was closed.

It's the only way to be sure

user9517
  • @Iain, do you mean the cgi answer? I don't really get that one or what it is really used for, because we are using Mac Xserver; not sure it will really help :( – Ali Jun 10 '12 at 17:01
  • In my experience WAMP or MAMP = inexperience in setting up secure servers. WAMP + running as admin account = Nuke from space. MAMP + not understanding proper file permissions and daemon setup = Nuke from space. In both instances, the OS has been compromised and that's why you can't get rid of the contagion. Bare Iron reinstall needed. – Fiasco Labs Jun 10 '12 at 17:21
  • @FiascoLabs Honestly, I hated the Mac server and really want to move to Linux, but the guy who set up the Linux server for us doesn't give us control to configure the server, and he set up a very bad configuration: he asked us to use 777 on our WordPress site in order to allow installing plugins and using the site without needing the password :( – Ali Jun 10 '12 at 17:28
  • Ouch. Sorry for the bad experience. – Fiasco Labs Jun 10 '12 at 17:45
  • @Ali, No I mean [this one](http://serverfault.com/questions/397293/my-wordpress-site-being-hack-by-modifying-the-htaccess). You really are going to have to reinstall everything and recover from a backup. If you haven't got a backup then you've learned several things the hard way. In any case we can't help you. – user9517 Jun 10 '12 at 17:49