
.htaccess messed up - was I hacked?


Marcia

9:05 pm on May 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My .htaccess was put up at the same time the rest of the site was, which is routine, and has worked just fine all along. After being told the site couldn't be accessed, I checked - it would not open in the browser and was trying to access with /shtml appended, but the address in the status bar just "flickered" like what happens when there's a loop.

The original was this, which worked just fine all along.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.com
RewriteRule (.*) http://www.example.com/$1 [R=301,L]

It pinged fine today and I could access with FTP, so I downloaded the .htaccess file and saw this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.example.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.google.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.google.com$ [NC]
RewriteRule .*\.(.*)$ http://www.example.com/$1 [R,NC]

No way! I don't believe that could happen by accident, especially with google added in there, something is too fishy.

[edited by: jdMorgan at 9:50 pm (utc) on May 25, 2007]
[edit reason] Fix resolving domain - by request [/edit]

jdMorgan

9:16 pm on May 25, 2007 (gmt 0)




Did you note the timestamp on the 'bad' .htaccess file? If so you can correlate it with your ftp server logs -- and the host may be able to do the same if there are SSH and Telnet logs available.

This code will destroy your URLs, 302-redirecting requests for <anything>.<filetype> to example.com/filetype unless the referrer is one of those listed.

The code was either created by cPanel (or similar), or by someone who knows little about regular expressions and mod_rewrite. cPanel and others "write" non-optimized code like this...

Change all your passwords right away!

Jim

Marcia

9:38 pm on May 25, 2007 (gmt 0)




Changed! I didn't notice the exact time, but I found it this morning and the .htaccess file showed as last modified on the 22nd. The party who hosts it for me is having the hosting provider check for any security breaches.

Jim, can you fix the exampe.com typo above? Some domainer has it for type-in typos with pop-ups.

jdMorgan

9:54 pm on May 25, 2007 (gmt 0)




If you can get the day/hour/minute/second timestamp of the file, you (or the host) can correlate that with all of the server access logs and get the IP address of whoever made the change. If logs for all users and protocols are present but no such entry exists, then it was an "inside job" by someone with physical access to the server.

Jim

Marcia

10:07 pm on May 25, 2007 (gmt 0)




How do I get the timestamp for the file? I've never had to do that.

jdMorgan

10:19 pm on May 25, 2007 (gmt 0)




Well, it may be too late, but it's generally visible in the FTP view of the file's directory. Even if you overwrote that file, it will be 'backed-up' on any *nix server to at least one old version -- probably named "#.htaccess", and this file should be visible if you log in to the server shell (using Telnet or SSH). Don't overwrite that backup by uploading another .htaccess file until after your host checks it (if they're willing/able).

The right response to a hack is to secure the server and then stop changing things until the breach is investigated. Before replacing any files, rename them so that their original timestamps and contents can be examined. Otherwise, their forensic value is destroyed and all you can do is fix 'well-known' security problems and hope you don't get hacked again... :(

Jim
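The correlation Jim describes, as an added example that is not part of the thread: read the preserved file's modification time to the second (FTP listings usually drop the seconds) and pull the FTP log entries that touched .htaccess within a window around it. The log excerpt is constructed in a vsftpd-style layout with documentation IP addresses, and the example assumes the log clock and the filesystem clock are both UTC.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed vsftpd-style excerpt (not a real log); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real clients.
FTP_LOG = """\
Tue May 22 03:14:07 2007 [pid 4211] [siteuser] OK LOGIN: Client "203.0.113.45"
Tue May 22 03:14:09 2007 [pid 4213] [siteuser] OK DOWNLOAD: Client "203.0.113.45", "/home/siteuser/public_html/.htaccess", 148 bytes
Tue May 22 03:14:31 2007 [pid 4213] [siteuser] OK UPLOAD: Client "203.0.113.45", "/home/siteuser/public_html/.htaccess", 512 bytes
Tue May 22 09:02:55 2007 [pid 4390] [siteuser] OK UPLOAD: Client "198.51.100.7", "/home/siteuser/public_html/index.html", 3021 bytes
"""
# timestamp, operation, client IP, server-side path (LOGIN lines carry no path)
LINE_RE = re.compile(
    r'^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?OK (\w+): Client "([\d.]+)", "([^"]+)"')

def file_mtime_epoch(path):
    """Modification time in seconds since the epoch, including the seconds."""
    return os.stat(path).st_mtime

def correlate(mtime_epoch, log_text, window_seconds=120, name="/.htaccess"):
    """Entries on `name` within +/- window_seconds of the file's mtime.

    Returns (timestamp, client IP, operation) tuples; the window should be
    widened until the transfer shows up, then narrowed to isolate it.
    Assumes the log timestamps are UTC (a labelled assumption)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(4).endswith(name):
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        ts = ts.replace(tzinfo=timezone.utc).timestamp()
        if abs(ts - mtime_epoch) <= window_seconds:
            hits.append((m.group(1), m.group(3), m.group(2)))
    return hits

def demo():
    """Stand-in for the renamed backup copy: a temp file given a constructed mtime."""
    when = datetime(2007, 5, 22, 3, 14, 31, tzinfo=timezone.utc).timestamp()
    with tempfile.NamedTemporaryFile(delete=False, suffix=".htaccess.bak") as f:
        f.write(b"RewriteEngine on\n")
    os.utime(f.name, (when, when))       # preserve-then-rename keeps this value
    try:
        return correlate(file_mtime_epoch(f.name), FTP_LOG, window_seconds=60)
    finally:
        os.unlink(f.name)
```

The download-then-upload pair from one client inside the window is what to hand to the host; the same approach works against SSH or cPanel access logs once their line format is swapped into LINE_RE.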

Marcia

11:54 pm on May 25, 2007 (gmt 0)




I save previous versions of everything to the point of file clutter, what I did was change the filename/extension on that first and then uploaded the correct file as .htaccess - so it's still there. Visible by FTP with the date, hour and minutes server time, but not seconds.

Thanks, I'll pass the info on including the filename.

jdMorgan

11:57 pm on May 25, 2007 (gmt 0)




Excellent!

Pack-ratting pays perpetually. :)

Jim

g1smd

12:53 am on May 26, 2007 (gmt 0)




Surely this code is just your Hotlinking Blocker?

I assume that the "allowed" sites listed are your own (and Google).

It has no provision to serve content if the referrer is blank or missing, so you will get blocked if you try to directly access an image etc.

It blocks anything that ends in .something. I assume that it should have only been set to block images, and so on.

This part is odd: RewriteRule .*\.(.*)$ http://www.example.com/$1 [R,NC] as it simply redirects domain.com/whatever.something to www.domain.com/something.
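To make Jim's and g1smd's points concrete, here is an added Python model (not code from the thread or from cPanel) of what the found ruleset does to a request, beside an assumed corrected hotlink check. The allowed-referrer list and the rewrite pattern are taken from the posted .htaccess; the image extension list and the deny-instead-of-redirect behaviour are my assumptions for the corrected form.

```python
import re

# Hosts listed in the posted RewriteCond lines; each is an [NC] negated match.
ALLOWED_HOSTS = ("example.com", "www.example.com", "www.google.com")
FORBIDDEN = "403 Forbidden"

def referer_allowed(referer):
    """True when the Referer matches one of the listed hosts, case-insensitively.

    ^http://host/.*$ and ^http://host$ together are ^http://host(/.*)?$."""
    for host in ALLOWED_HOSTS:
        if re.match(rf"^http://{re.escape(host)}(/.*)?$", referer, re.I):
            return True
    return False

def posted_rule(path, referer):
    """Model of the found .htaccess: the 302 target, or None if the request passes.

    The RewriteConds are ANDed negations, so the rule fires whenever the
    referrer matches none of the hosts. An empty referrer (direct hits,
    bookmarks, most crawlers) matches none of them, so it is caught too."""
    if referer_allowed(referer):
        return None
    # RewriteRule .*\.(.*)$ http://www.example.com/$1 [R,NC]
    # The greedy .* swallows everything up to the last dot, so $1 is only the
    # extension and the file name itself is thrown away.
    m = re.match(r".*\.(.*)$", path)
    return f"http://www.example.com/{m.group(1)}" if m else None

# Assumed corrected form: only image files, blank referrer allowed, and a
# plain 403 rather than a redirect that rewrites the URL.
IMAGE_EXT = re.compile(r"\.(gif|jpe?g|png)$", re.I)

def hotlink_rule(path, referer):
    if referer == "" or referer_allowed(referer):
        return None
    return FORBIDDEN if IMAGE_EXT.search(path) else None
```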

jdMorgan

1:48 am on May 26, 2007 (gmt 0)




I would recommend a re-read of the thread. From the top...

This code was added by someone not the Webmaster.

Jim

g1smd

5:31 pm on May 26, 2007 (gmt 0)




The code is very similar to that which gets added when you click the "Hotlink Protection" option in cPanel.

Could a server/host configuration problem have meant that another customer on shared hosting somehow modified it?

Marcia

5:45 pm on May 26, 2007 (gmt 0)




I'll check to make sure. I'll see if this can be reproduced on another site that's just "sitting out there" and check to see if cPanel overwrites or modifies what's already in .htaccess. It should just append and not modify anything already there, and if it does, it's a pretty nasty flaw for people who have a lot in .htaccess, who would have to then re-do the whole thing.

jdMorgan

5:47 pm on May 26, 2007 (gmt 0)




That would require that someone hacked cPanel, modified the anti-hotlink code template, and then used it to add 'broken' hotlink protection to Marcia's site. Either way, there's evidence of unauthorized tampering.

cPanel typically writes 'bad code' -- but it's only bad in the sense that it is un-optimized and has a 'hole' in it -- It can be by-passed by adding a valid port number to the hostname request header. In this case, the code is not only "bad," but badly-broken.

Jim