htaccess file hacked - whose fault

how to protect against it happening again

denisl

12:36 pm on Dec 7, 2011 (gmt 0)

Halfway through yesterday found visitor numbers way down on my main site.
Looking closer it appeared that only visitors from search engines were down (G, Bing and Yahoo).
Accessed my site and all appeared fine. Luckily my wife then tried to access it by searching on goog and found that the goog link was redirecting to some other site which Norton was stopping.
At the same time I was contacting my hosting company and asked if there could be a reason why I was not getting visitors from any SE. Then it hit me - an htaccess hack.
Re-uploaded my htaccess file and all is now fine.

I immediately changed my ftp password but assume the problem was more likely due to security at the server.

Any advice on how such attacks can be avoided?
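The symptom described here (site fine when typed in, redirected when clicked from a search result) is usually a RewriteCond on the referer in the .htaccess. The following is an added example, not the poster's or the forum's own code, of a check for that pattern; the search-engine names, the hostname argument and both sample .htaccess snippets are this example's own assumptions.

```shell
#!/bin/sh
# Added example: flag .htaccess rules that send only search-engine visitors elsewhere,
# the symptom described above (site fine when typed in, redirects when clicked from Google).

# Constructed sample of such a rule block; the target host is a placeholder, not a real site.
HIJACKED_SAMPLE='RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://redirect-target.example/landing.php [R=302,L]
'
# Constructed legitimate rewrite (forces HTTPS on our own host) that must not be flagged.
CLEAN_SAMPLE='RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
'

# scan_htaccess <own-hostname>: reads an .htaccess on stdin, prints every RewriteRule
# that (a) is guarded by a RewriteCond on HTTP_REFERER naming a search engine and
# (b) points at an absolute URL not on our own host. Exit status 1 when any are found.
scan_htaccess() {
  awk -v own="$1" '
    # RewriteCond lines apply to the next RewriteRule, so remember what we saw.
    /^[[:space:]]*RewriteCond/ {
      lc = tolower($0)
      if (lc ~ /http_referer/ && lc ~ /google|bing|yahoo|msn|ask\./) sus = 1
      next
    }
    /^[[:space:]]*RewriteRule/ {
      target = $3
      if (sus && target ~ /^https?:\/\// && index(target, own) == 0) { print; hits++ }
      sus = 0          # the RewriteRule closes the conditional block
      next
    }
    END { exit (hits ? 1 : 0) }
  '
}

# Demo run on the constructed samples; on a live box: scan_htaccess www.example.com < .htaccess
for sample in "$HIJACKED_SAMPLE" "$CLEAN_SAMPLE"; do
  if printf '%s' "$sample" | scan_htaccess www.example.com; then
    echo "ok: no search-engine referer redirect"
  else
    echo "review: the RewriteRule above redirects search-engine visitors off-site"
  fi
done
```

Run it against the re-uploaded file as well as the saved bad copy; a clean result on the good copy confirms the heuristic is not tripping over your own rules.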

enigma1

1:15 pm on Dec 7, 2011 (gmt 0)

You need to get to the root cause of this. If they can modify the .htaccess, assume they can modify everything on your server and you will have to review all the files, perhaps compare the application ones with a good backup to see what changed, etc.

It's very useful to monitor your server logs. Search for abnormal requests (they're pretty obvious) and see how the server responded. If you start seeing 200s, check the file they tried to access.

And while reviewing the files (presumably you already changed passwords) lock down the site from your host's cpanel. It won't be any good to do mods if they keep hacking in.

"was more likely due to security at the server"

How do you know this? Is your domain accessible by doing a direct raw IP request?
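An added example (not enigma1's or the forum's code) of the log triage described above: read Apache combined-log lines and keep the abnormal-looking requests that were answered 200. The log lines are constructed, and the "abnormal" markers are this example's own heuristics.

```shell
#!/bin/sh
# Added example: from an Apache combined log, pull the requests that look abnormal
# and were answered 200, i.e. the ones enigma1 says to follow up on.

# Constructed log lines (IPs are documentation ranges, paths are made up).
SAMPLE_LOG='203.0.113.7 - - [07/Dec/2011:03:12:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2011:03:12:05 +0000] "GET /wp-content/uploads/x.php?a=1 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.22 - - [07/Dec/2011:03:14:40 +0000] "POST /images/uploads/img.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Dec/2011:03:15:00 +0000] "GET /about.html HTTP/1.1" 200 3221 "http://www.google.com/search?q=example" "Mozilla/5.0"
198.51.100.22 - - [07/Dec/2011:03:16:12 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.21"
'

# triage_log [status]: reads combined-log lines on stdin and prints
# "status client method path" for each request that matches a marker AND got the
# given status (default 200). Markers are this example's own heuristics:
# directory traversal, PHP requested from an upload directory, .ht* files, a NUL byte,
# and PHP function calls placed in a query string.
triage_log() {
  awk -v want="${1:-200}" '
    {
      # combined format: $1 client, $6 "METHOD, $7 path, $9 status
      path = $7; lp = tolower(path)
      hit = (lp ~ /\.\.\//) || (lp ~ /upload[^?]*\.php/) || (lp ~ /\/\.ht/) ||
            (lp ~ /%00/) || (lp ~ /(eval|base64_decode|system|passthru)\(/)
      if (hit && $9 == want) printf "%s %s %s %s\n", $9, $1, substr($6, 2), path
    }
  '
}

# Demo on the constructed lines; on a live box: triage_log < /path/to/access_log
printf '%s' "$SAMPLE_LOG" | triage_log
echo "--- the same kind of requests that were refused, for comparison ---"
printf '%s' "$SAMPLE_LOG" | triage_log 403
```

Every path printed in the 200 list is a file to open and compare against a known-good copy, as the post says.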

denisl

5:55 pm on Dec 7, 2011 (gmt 0)

Thank you for your reply.
As I said, I assume that the problem was more likely due to security at the server. I don't know this.

I have already changed passwords for ftp and the host's cpanel but I don't understand what you mean by "lock down the site from your host's cpanel".

enigma1

6:16 pm on Dec 7, 2011 (gmt 0)

"found visitor numbers way down on my main site."

This is the problematic site, right? So while you are checking or modifying the files to figure out if there are infected scripts, you lock down the site. From the host's control panel you can protect any folder you want with a user/password. So you apply it to the main site's folder. Once you complete the mods you unlock it. Look for something that reads "password protect directories" if you haven't used it before, which will be really strange, but anyway it's the most effective mechanism to protect a folder.

If you have 100s of files to review it will take some time. So you don't want in the meantime to have them break in again. And if you have the site's management/admin on a separate folder (that's application specific) make sure you lock it down permanently.

rocknbil

5:30 pm on Dec 8, 2011 (gmt 0)

"You need to get to the root cause of this."

Heh . . . there's a hidden pun in there. :-) If they can mod your .htaccess, it may mean they have "rooted" the box.

Someone **has** to gain access to the server in some way to do this. There are a number of ways; two common ones are a dictionary attack on poor FTP passwords, or one of your users has contracted a trojan on their local machine, which leads to access to your server. It may even be you; scan any computers accessing this box thoroughly for viruses and malware.

While you're in the server, look at a couple of index.php files and see if there's a base_64(eval(.... hack in them. Although WordPress is largely the target of these, it will affect any index.php files - found a horrible mess on one modX install the other day on a Windows server.
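An added example (not rocknbil's or the forum's code) of the file review suggested above: walk a web root, flag every PHP file where eval( wraps base64_decode(, and print each file's modification time so it can be lined up with the logs. The web root is a constructed temp tree with a placeholder string in place of any real payload.

```shell
#!/bin/sh
# Added example: find PHP files carrying the eval(base64_decode(...)) pattern rocknbil
# mentions and report each file's modification time, so it can be lined up with the logs.

# Constructed web root in a temp dir so the check runs offline; removed on exit.
ROOT=$(mktemp -d); trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/blog/wp-content"
printf '<?php\n// ordinary front controller\nrequire "app.php";\n' > "$ROOT/index.php"
# The injected line sits on top of an otherwise normal file; the argument is a placeholder.
printf '<?php eval ( base64_decode("PLACEHOLDER") ); ?>\n<?php require "wp.php";\n' \
  > "$ROOT/blog/index.php"
# Legitimate use of base64_decode (decoding data, not executing it) must not be flagged.
printf '<?php echo base64_decode($img);\n' > "$ROOT/blog/wp-content/thumb.php"

# scan_php_eval <root>: prints "mtime  path:line" for each *.php file in which eval(
# wraps base64_decode( (spaces and case tolerated).
scan_php_eval() {
  find "$1" -type f -name '*.php' -print | while IFS= read -r f; do
    line=$(grep -niE 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$f" | head -n 1)
    [ -n "$line" ] || continue
    # date -r FILE prints the file's mtime (GNU and BSD date)
    printf '%s  %s:%s\n' "$(date -r "$f" '+%Y-%m-%d %H:%M:%S')" "$f" "${line%%:*}"
  done
}

# count_hits <root>: number of flagged files, for a quick "is anything there" check
count_hits() { scan_php_eval "$1" | wc -l | tr -d ' '; }

scan_php_eval "$ROOT"
echo "flagged files: $(count_hits "$ROOT")"
```

Point scan_php_eval at the real document root; a clean copy from backup should report zero so you know the pattern itself is not matching your own code.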

enigma1

5:59 pm on Dec 8, 2011 (gmt 0)

"Someone **has** to gain access to the server in some way to do this"

Not always someone; just a badly written script may cause it. They can use the SEs to find the latest news about recent vulnerabilities in web apps. A botnet can then be configured to try these on servers, given identification signatures, and there you have it. Write access from a server script can alter any file, including the .ht* files, and then they upload the payload. Root cause: badly written code (many code snips in the PHP forum here offer a hint of the possibilities).

This doesn't mean you block write access to the server, because you need a functional application in the end, but surely monitoring the server logs will tell you what they try and then see if there is a potential threat. There is time to fix the problems if you're watching the logs.

And a side note: although you may not visit a website because you see in the SEs' listings "this site may harm your computer", for different reasons others will rush in because they know the site could very well be wide open, and they also know in most cases problems are fixed only on the surface.

lucy24

9:57 pm on Dec 8, 2011 (gmt 0)

If you're on shared hosting, you can't overlook one more painfully obvious possibility. The host doesn't need your password; they've got the Internet equivalent of a master key. So if they've also got the Internet equivalent of a new maintenance guy coming in and stealing your jewelry...

Definitely make sure it's only happening to you and not anyone else.

Before you re-uploaded a new htaccess, did you make a note of the timestamp on the old one? That gives you an idea when to check your logs, assuming they're still available. By default they're not saved very long. I bumped mine from 3 days to 15 just to make sure I've got time to download them all, even if I miss a few days.
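An added example (not lucy24's or the forum's code) of using that timestamp: take the mtime of the saved old .htaccess as Unix time and print the access-log lines dated within a window either side of it. The log lines and the reference time are constructed; the date arithmetic is done in awk so it does not depend on GNU date.

```shell
#!/bin/sh
# Added example: once you have the mtime of the replaced .htaccess, pull the access-log
# lines from the hours around it, as lucy24 suggests. Timestamps are parsed in awk so
# it runs on any POSIX awk without GNU date.

# Constructed combined-log lines around an assumed .htaccess mtime of 07/Dec/2011 03:14:40 UTC.
SAMPLE_LOG='192.0.2.1 - - [05/Dec/2011:22:10:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2011:23:30:15 +0000] "POST /blog/index.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Dec/2011:22:30:15 -0100] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.21"
203.0.113.7 - - [07/Dec/2011:03:14:40 +0000] "POST /blog/index.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Dec/2011:08:59:59 +0000] "GET /about.html HTTP/1.1" 302 0 "http://www.google.com/" "Mozilla/5.0"
192.0.2.9 - - [07/Dec/2011:09:20:00 +0000] "GET /about.html HTTP/1.1" 302 0 "http://www.bing.com/" "Mozilla/5.0"
'
# On a live box take the reference from the saved old file: REF=$(date -r old.htaccess +%s)
REF=1323227680   # 2011-12-07 03:14:40 UTC as Unix time (assumed mtime of the old .htaccess)

# log_window <ref-epoch> <hours>: prints the log lines dated within +/- hours of ref,
# converting each [dd/Mon/yyyy:HH:MM:SS +zzzz] stamp to UTC Unix time first.
log_window() {
  awk -v ref="$1" -v win="$(( $2 * 3600 ))" '
    # days-from-civil date arithmetic (Howard Hinnant), so no mktime() is needed
    function epoch(y, m, d, H, M, S,    era, yoe, doy, doe) {
      y -= (m <= 2)
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S
    }
    {
      split(substr($4, 2), a, /[\/:]/)          # a: dd Mon yyyy HH MM SS
      mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", a[2]) + 2) / 3
      tz = substr($5, 1, 5)                      # +zzzz or -zzzz
      off = (substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60) * (substr(tz, 1, 1) == "-" ? -1 : 1)
      t = epoch(a[3] + 0, mon, a[1] + 0, a[4] + 0, a[5] + 0, a[6] + 0) - off
      if (t >= ref - win && t <= ref + win) print
    }'
}

# Demo: six hours either side of the reference time
printf '%s' "$SAMPLE_LOG" | log_window "$REF" 6
```

Widen the window until the first abnormal request appears; the 302s from search-engine referers after the reference time are the redirect itself, the POSTs before it are where to look for the way in.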

rpgivpgmr

3:43 pm on Dec 20, 2011 (gmt 0)

You can possibly purchase a dedicated IP address for your website from your host which will only be a couple of dollars per month rather than move to a full dedicated server for a few hundred dollars a month. That would further protect your site's IP address from email spammers and possibly hackers since you share the IP address with n other websites on shared hosting. To do this the host sometimes requires you to move the website on the server.