.htaccess being hacked repeatedly

Question

About 4 or 5 days ago, a client came back to me saying that their site was being redirected to some other suspicious looking website from Google, Yahoo, etc., but it was working fine when the user enters the site URL in the browser address bar directly.

I tried contacting my hosting provider, but they were little to no help at first and then seemed to take forever to find out the problem.

Frustrated by the wait, I set out to find what had happened. After a little bit of trawling on Google for solutions, I found out that my .htaccess file had been hacked.

What was:

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>

had become

<Files *>
Header set Cache-Control: "private, pre-check=0, post-check=0, max-age=0"
Header set Expires: 0
Header set Pragma: no-cache
</Files>
//several hundred empty lines later
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ /*don't want to post the malicious URL here for fear of retaliation */[R=301,L]

Basically, the bot that hacked me seemed to write directions that all traffic coming from the important sites be redirected to the virus site.

I immediately fixed it by removing the offensive code, and felt very nice about my clever self. I also removed the .htaccess file from the main folder that is accessed by the public, and kept it one folder above, at the root. I also changed the permissions to 444, read only by anyone. I changed the passwords to my FTP access, my hosting control panel, MySQL databases, et al.

However, today the issue was back. Turns out that a NEW .htaccess file had been installed in my public_html folder, and this had only the offensive code I wrote above and nothing else.

What's going on?

I have a feeling that this is not a case of my passwords being compromised. I'm on shared hosting, and maybe someone on the same hard-disk wrote a piece of code that went about writing .htaccess files merrily to all its neighbors. Is this possible? And is there anything I can do make sure this does not happen again?

There is no way I can reinstall or do anything to the main OS of the host though...

user9517 · Answer 1 · 2010-09-24T09:25:33.490

6

Your site has been hacked. You need to wipe it and restore from a known good backup. Keep a copy of the hacked site and it's logs so that you can compare it to the good site and try to figure out how the site was compromised.

edited Sep 24 '10 at 09:25

answered Sep 24 '10 at 08:58

user9517

117,122

score 6 · Accepted Answer · edited Dec 12 '21 at 13:05

I found the roaches!

I did everything, including changing FTP password, hosting panel password, (painfully) wiping the whole 2GB and going through uploading it all back up, and changing database password.

They still got in.

The FTP logs showed nothing but my own actions. On top of that, the .htaccess file's last-modified-timestamp is exactly the same as my timestamp (whenever I corrected it from its repeated perversion) so there was no way to know when and how modifications took place. I guessed they were using filemtime() and touch() to do that.

It turns out the rogue files are getting in through an osCommerce installation. I do not how, but specifically, its getting through the administration area. In the admin folders, there's these foreign files called "google_analitis(sic)_somenumber". I noticed them on my main stats reader. I just looked at all the files that were being accessed (the normal logs) today, and by luck, the file got hacked again just today. I suspected there was a rogue script and lo-and-behold, these files have the spammer-stink written all over their filenames.

I opened them up and sure enough, they were up to a lot of mischief.

I just opened one of the files using the URL, and I was really surprised the amount of control these files were providing... it was a parallel control panel to the entire website!

Hope this helps someone... look at your third party apps, especially when you see a large number of unknown bots crawling up and down your site.

Imo · Answer 3 · 2010-09-24T09:09:39.233

It maybe an idea to check the FTP logs for the site, or, ask your provider to if you don't have access to them. It is quite possible that someone got your FTP details some how and updated the .htaccess file (normally they like editing index.* files). We have seen this many times with client computers being infected with a trojan or similar.

You said that you had removed the .htaccess file completely. This suggests they were able to create files. FTP access is most likely, but, also check the permissions on the primary directory (public_html) you files are in. Make sure they are not globally writable.

Generally it is not possible to edit/create files in other peoples sites on a shared server unless permissions are lax.

score 0 · Answer 4 · answered Sep 24 '10 at 09:21

Quick patch: find every directory that has public access. Into each directory create an empty .htaccess file, change its ownership to root, make it read-only, make the directory sticky (+t) so that users can only change files they own.

Then go read some documentation on securing websites and htaccess files (hint: it might be useful to work on your apache config files and play with the various flags).

score 0 · Answer 5 · answered Sep 08 '13 at 16:22

I had a serious problem with someone hacking into my .htaccess file and my only solution was to make the file unhackable. First, I cleaned up the .htaccess file and any PHP files of all hacks. Then I changed the file permissions to 444 (644 still allows access) on the .htaccess file. Then I used the shell access to my account to make the file "immutable", which means it cannot be changed!

When you have shell access to your account on your Linux server, enter the following: # chattr +i .htaccess

Now, even those with root access cannot change the file!

It you need to undo this, enter: # chattr -i .htaccess

If you do not have shell access to your account, ask your web host about entering this for you to make the file immutable.

For non-Linux accounts, just enter "making file immutable" into Google or Bing for your type of web server. This should give you the information you need.

.htaccess being hacked repeatedly

5 Answers5

Linked