Welcome to WebmasterWorld Guest from 188.8.131.52
when this happens, my site gets redirected to this fake blog adsense site. I've changed my user name and passwords several times, yet this person 'hacker' keeps getting into my account and adding this htaccess file.
Godaddy can't help - they don't know how someone could be getting in. I've deleted the ht access file multiple times and they somehow keep getting it in there to redirect.
Any help would be greatly appreciated!
I found the following with each program. I did remove the .htaccess file from a separate machine this morning. We'll see what happens tomorrow morning.
TrendMicro Housecall (I run TrendMicro Internet Security as my Anti-virus/firewall/etc.)
found 1 adware - bestoffers
found 10 HTTP cookies
found 7 tracking cookies
found 2 entries, 1 registry value and 1 file of discontinued adware
If you use blog, forum, CMS, etc etc software (WordPress, for example), it *must* always be kept at the latest version or else your site is a sitting duck.
Note the timestamp of any file that was modified maliciously. Then search your access logs (FTP and HTTP) for who was accessing what at that moment. I think by default GoDaddy doesn't provide access logs, but they offer an add-on service that does, and it might be worth it. As an alternative, if you are somewhat proficient with PHP, you could probably create a header include file that would write the details of each access to your own private access log, to substitute for the server one.
RFI attacks are rampant these days. In your logs, they look similar to:
If your php.ini file does not block RFI, then, as index.php runs, it retrieves the safe.txt file from the remote site. safe.txt is usually written in PHP and contains commands that modify files on your server, such as overwriting your .htaccess file. It is able to do that because it runs as if it were an integral part of your index.php file. It is a way hackers get their own code to run on your server as if you wrote it.
There are several other possibilities how this is occurring, but RFI is the first to defend against. If that doesn't work, start looking at the less common ones.
[edited by: SteveWh at 7:54 pm (utc) on April 2, 2008]
they have probably left a script somewhere which recreates the .htaccess file whenever it's deleted.
there are loads of things which could trigger it. maybe they check it randomly every hundred visits, or maybe they've set it up so a visit to a specific URL on your site triggers the script, checks the file and rewrites it -- like dial_d just said above "In my case, they were executing shell command by adding strings to existing urls."
instead of looking for the .htaccess file, look for the script. the obvious place would be cgi-bin. but a better place to hide it would be outside of the root.
they've probably named it something innocent. and they might have hidden it. they might have started the filename with a dot, because that sometimes doesn't show up on FTP programs.
I've deleted the ht access file multiple times and they somehow keep getting it in there to redirect.
Any help would be greatly appreciated!
Well, there may be a lot of different reasons you should carefully analyze to finally chose one of the following:
(1) someone saw your FTP password written on the yellow post-it sticker on your flat screen - d'oh.
(2) your client side FTP password got sniffed by a keylogger on your client workstation and sent to a bad guy, after you caught a virus 3 months ago.
(3) your FTP password got intercepted when it traversed the net in the clear (FTP sends passwords and data unencrypted).
(4) your shared host is so badly configured that each user can easily read or write content of arbitrary other users.
(5) your shared host has some internal security problem that could be exploited by one user to get root privileges and alter content of other users.
(6) your shared host or your dedicated server has some externally exploitable security problem (e.g. a security hole in the admin panel or other system software, or caught a root kit) that invites attackers from all over the world into the server to play their games, perhaps even using automated scripts to achieve mass-defacements.
(7) you have put up insecure and expoitable scripts (PHP, perl, whatever) on your server on your own to achieve similar effects to those explained in (6).
(8) on a shared host, another user has put up insecure and exploitable scripts (like in (7)), and you are enjoying the fallout from this.
Some options are unlikely (like (3)), some are *very* likely (options (7) or (8)).
Think about all possibilities and take appropriate countermeasures, some effects are under your own control, and some effects may come from the fallout out of a shared hosting environment:
(1/2) : secure your local environment
(3) : use other protocols (rsync), if possible
(4/5/6/8) : move to another hoster, or, to avoid the risk of shared hosting, move to a dedicated server (and if you are on a dedicated server, ensure that it is administered properly and security patches get always applied in time).
(7) : exercise safe and secure computing: only put quality software onto your server, that you can trust and that has been developed with a strong eye on security aspects. Don't use own scripts unless you know what you are doing and have fully understood all security risks that may be imposed.
HTH and kind regards,
[edited by: Romeo at 1:11 pm (utc) on April 3, 2008]
Next, find your 'web root' directory, the one in which the .htaccess file resides, and change the permissions so that Apache cannot write to it at all.
In the mean time, read every line of script on your site yourself (and if you don't understand it, pay a professional to do so). 99% chance the problem is with a script on your site.