
The hacker added code to the .htaccess file to redirect all search engine traffic to a malware website. I am now investigating this incident and trying to find the security loopholes. My situation is very similar to this person's - .htaccess being hacked repeatedly

Here's a sample of an intrusion attempt from the FTP logs -

    Aug  6 02:43:31 sg2nlftpg002 [30887]: (?@91.220.0.19) [INFO] FTPUSER is now logged in
    Aug  6 09:43:33 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)
    Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [INFO] Logout.

This is significantly different from my regular login attempts -

    Aug  7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from [my.ip.address]
    Aug  7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
    Aug  7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
    Aug  7 11:14:55 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 846 written 0
    Aug  7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from [my.ip.address]

I have gone through HTTP traffic logs but couldn't find anything suspicious over there.

Other information that might be useful:

  • I am on a shared host and the website runs on WordPress, BuddyPress and other popular plugins.
  • To my knowledge all software under my control uses latest versions and is updated regularly.
  • I use strong passwords and update them regularly. I only access the website with SFTP and SSH using PuTTY.
  • My local machine is free from viruses.

My question is how to prevent such attacks in future?

UPDATE
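The two log excerpts above differ in two ways a defender can alert on: the intruder's session comes from an address the owner never uses, and it downloads `.htaccess` and immediately uploads a larger replacement. The following script is an added example (not part of the question or of any answer) that parses lines in the pure-ftpd style shown in the intrusion excerpt and flags both patterns. It assumes that line format and a constructed allow-list address, `203.0.113.10`, standing in for the owner's real IP; the benign session in the sample is constructed, the hostile one is the question's own excerpt.

```python
import re
from collections import defaultdict

# Line format assumed from the question's intrusion excerpt (pure-ftpd style):
#   Aug  6 09:43:33 host [pid]: (user@ip) [LEVEL] message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \[(?P<pid>\d+)\]: "
    r"\((?P<user>[^@]*)@(?P<ip>[\d.]+)\) \[(?P<level>\w+)\] (?P<msg>.*)$"
)
# Transfer messages look like: "/path/to/file downloaded  (846 bytes, 106.37KB/sec)"
XFER_RE = re.compile(r"^(?P<path>\S+) (?P<op>downloaded|uploaded)\s+\((?P<bytes>\d+) bytes")

# Files whose upload over FTP is worth an alert on a WordPress host.
SENSITIVE_NAMES = {".htaccess", "wp-config.php"}

# Constructed sample: the question's intrusion lines plus one benign session
# from the (hypothetical) owner address 203.0.113.10 uploading a harmless file.
SAMPLE_LOG = [
    "Aug  6 02:43:31 sg2nlftpg002 [30887]: (?@91.220.0.19) [INFO] FTPUSER is now logged in",
    "Aug  6 09:43:33 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded  (846 bytes, 106.37KB/sec)",
    "Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded  (1435 bytes, 3.32KB/sec)",
    "Aug  6 09:43:35 sg2nlftpg002 [30887]: (FTPUSER@91.220.0.19) [INFO] Logout.",
    "Aug  7 10:57:53 sg2nlftpg002 [11713]: (?@203.0.113.10) [INFO] FTPUSER is now logged in",
    "Aug  7 10:58:10 sg2nlftpg002 [11713]: (FTPUSER@203.0.113.10) [NOTICE] /home/content/81/7838581/html/index.html uploaded  (512 bytes, 1.00KB/sec)",
    "Aug  7 10:58:12 sg2nlftpg002 [11713]: (FTPUSER@203.0.113.10) [INFO] Logout.",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    x = XFER_RE.match(rec["msg"])
    if x:
        rec.update(op=x["op"], path=x["path"], bytes=int(x["bytes"]))
    else:
        rec.update(op=None, path=None, bytes=None)
    return rec


def analyse(lines, allowed_ips):
    """Return a list of findings as tuples: (kind, timestamp, ip, detail).

    kinds: login_from_unknown_ip      - session opened from an address not in allowed_ips
           sensitive_file_modified    - sensitive file downloaded then re-uploaded in one session
           sensitive_file_uploaded    - sensitive file uploaded without a prior download
    """
    findings = []
    sessions = defaultdict(list)  # pid -> records, so transfers are grouped per session
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sessions[rec["pid"]].append(rec)
        if rec["msg"].endswith("is now logged in") and rec["ip"] not in allowed_ips:
            findings.append(("login_from_unknown_ip", rec["ts"], rec["ip"], rec["pid"]))

    for recs in sessions.values():
        ip = recs[0]["ip"]
        downloaded = set()
        for r in recs:
            if r["op"] is None:
                continue
            name = r["path"].rstrip("/").rsplit("/", 1)[-1]  # tolerate the doubled slash
            if r["op"] == "downloaded":
                downloaded.add(r["path"])
            elif r["op"] == "uploaded" and (name in SENSITIVE_NAMES or name.endswith(".php")):
                kind = "sensitive_file_modified" if r["path"] in downloaded else "sensitive_file_uploaded"
                findings.append((kind, r["ts"], ip, r["path"]))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, allowed_ips={"203.0.113.10"}):
        print(f)
```

Run against the sample it reports the login from 91.220.0.19 and the download-then-upload of `.htaccess` in session 30887, and nothing for the constructed owner session. Feeding it the real log with the real owner addresses in `allowed_ips` turns the pattern the question shows into an alert rather than something found after the fact.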

4 Answers


If they logged in over FTP, then your user account password is compromised and they're just FTPing up the modified file. Audit everywhere that's using your account password for password-collecting malware, then change the password to something secure. Also consider using a passwordless method of authentication (such as SSH public keys), but if your development machine is chock full of malware, it can just steal the key instead.

womble
  • 98,245

As already mentioned the chances are that your FTP details have been compromised (normally from an infected Windows desktop PC somewhere I've found).

I've tested this in the past by purposely logging in with the wrong password from a suspected PC, only to see someone else try and login with the same wrong password 15 minutes later from a foreign IP address. Obviously the infected PC was sniffing the password and transmitting it back to the mother ship.

The most practical thing to do is restrict where people can login to FTP from on your firewall. Password complexity or encryption will probably do you no good in this case, as the password is being stolen at source, and not being guessed or intercepted down the line.

In iptables something like this would work:

    # the negation goes before -s; the older "-s ! X.X.X.X" form is no longer accepted
    iptables -I INPUT -p tcp --dport 21 ! -s X.X.X.X -j DROP

(where X.X.X.X is the IP of your office/home where you connect from).

Coops
  • 6,214

Are you using Total Commander for FTP access? My friend had a virus that collected all the passwords from TC.


I had a serious problem with someone hacking into my .htaccess file and my only solution was to make the file unhackable. First, I cleaned up the .htaccess file and any PHP files of all hacks. Then I changed the file permissions to 444 (644 still allows access) on the .htaccess file. Then I used the shell access to my account to make the file "immutable", which means it cannot be changed!

When you have shell access to your account on your Linux server, enter the following: # chattr +i .htaccess

Now, even those with root access cannot change the file!

If you need to undo this, enter: # chattr -i .htaccess

If you do not have shell access to your account, ask your web host about entering this for you to make the file immutable.

Bob
  • 1