A website I maintain pro-bono was hacked, dishing out 302s to gaming sites, etc. www.rebekahshouse.org. After much searching through my hosting company's control panel, I found the culprit in the htaccess file.
It looked something like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
RewriteCond %{HTTP_REFERER} .ahoo.com [NC,OR]
RewriteRule .*hxxp://87.248.180.89/topic.html?s=s- [C,L]
(I think that was C, L; I overwrote it and tried to recreate it above, might've missed a piece here and there)
Anyway, I overwrote it with this:
order allow,deny
deny from all
Is this going to anything for me? What SHOULD I have in my .htaccess file? This is purely a static html site.
Thanks!
If you're running a static site its highly likely you don't need anything in your .htaccess.
You should then workout how your site actually got hacked...as if you haven't resolved that it's just going to happen again.
Your real concern should be how it happened in the first place. Defacers and such often go back and will try the same thing again on a previously cracked site, since many times the vulnerability isn't fixed.
The htaccess file is incidental. You have been hacked by one of the Russian malware gangs. If you don't close the hole that allowed the hack to happen, you will just get hacked again.
It is entirely possible that the server itself is compromised and there is more stuff on it you don't know about, such as trojan software that might not only deface your sites, but also launch attacks on others, send spam, and so on. Assuming appropriate permissions on the directory containing the htaccess file, it should not have been possible to write a file there even if you have an insecure web application on there. Certainly if you are only dealing with static files the only way such a file could have got there is by your uploading account, or the server itself being compromised.
If it's your server, as I'm guessing from the fact it responds to a direct query by IP address, you need to flatten it and reinstall from up-to-date software, use new passwords, and check your own client machines you're uploading from for infections.
(As per #YGomez's comment: first and foremost, you need to close the vulnerability which allowed the creation of that .htaccess file, else the malware will come back almost instantly; I probably should have mentioned that explicitly)
The first part will redirect all visitors coming in from yahoo and google to 87.248.180.89
The second part ("allow, deny") will deny access to your site for everybody.
I suggest to simply delete the .htaccess and be done with it - if you use a .htaccess file, you would know what goes in there, else you don't need it.
No, that won't do anything for you. For a static site you may not need a .htaccess file at all.
Step 1 : change FTP password
Step 2 : Download all files and clean
Step 3 : upload Files
Step 4 : Set 444 permission to all files, except Custom Upload folders
Remeber Do not save FTP password in your FTP client.
If you suspects that your system is infected, Format and install OS, then install a good antivirus + firewall. I suggest Avast free edition and Comodo Firewall.
We have received many inquiries and we cleaned those infected sites.
Related
Quite of a newbie question here but recently our Web Developer left our (small) company and has left us in a bind.
We recently (2 days ago) redirected our site to a newer and mobile friendly model and was working well for quite some time. For whatever reasons management deemed they needed to roll back the site to its original model and the site is breaking whenever you type in http://www.example.com. However, https:// works perfectly fine, and it seems like it has something to do with the htaccess file -- but being just the project manager, coding comes second in terms of skill.
If it helps our site is www.mauriprosailing.com -- currently still trying to figure out why the "www" and "http" is breaking the site.
If needed I can post a .txt of our htaccess if that helps.
I appreciate all the help and apologize if this was too broad of a question!
Solution: Granted this may not apply to everyone -- but the problem was not within the htaccess file but with caching of the server. The server was not pulling the right the .css file therefore causing an "explosion" of our site and I found that purging all of cached files did the trick.
I have a website which is infected by some malicious malware. In the beginning I could notice that there was some strange javascript code on the site pages so I delete it and everything was fine for a few days, but now google lists the website as dangerous even though that I have checked the site code for any strange code but I could not find anything.
I have try Sucuri SiteCheck and it detects redirections to a malicious site. At first I thought that it may be an .htaccess file that was doing the redirection but I checked the files on the shared server and there is no .htaccess file.
Any ideas on how to solve this?
Your hosting account has bee hacked. Change your password on your hosting service. Go through your site code once more (every file) and look for things that don't belong. Clear your browser cache and then try again. If your account is hacked again, find a new hosting service. Once you're sure that your site is clean and your account has been secured, let Google know about the problems and request a removal from their suspect list:
Google support
check your .htaccess file for the redirection or the whether the files contain and unwanted malicious java script.
Right I'll try and explain my situation as thoroughly as possible while also keeping it brief...
I'm just starting out as a web designer/developer, so I bought the unlimited hosting package with 123-reg. I set up a couple of websites, my main domain being designedbyross.co.uk. I have learnt how to map other domains to a folder within this directory. At the minute, one of my domains, scene63.com is mapped to designedbyross.co.uk/blog63 which is working fine for the home page. However when clicking on another link on scene63.com for example page 2, the URL changes to designedbyross.co.uk/blog63/page2...
I have been advised from someone at 123-reg that I need to write a .htaccess file and use the RewriteBase directive (whatever that is?!) I have looked on a few websites to try and help me understand this, including http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html however it all isn't making much sense at the moment.
Finally, scene63.com is a wordpress site, whether that makes any difference to how the htaccess file is structured I'm not sure...
Any help will be REALLY appreciated - Thanks.
I run my personal public website on Webfusion, which is another branded service offering by the same company on the same infrastructure, and my blog contains a bunch of articles (tagged Webfusion) on how to do this. You really need to do some reading and research -- the Apache docs, articles and HowTos like mine -- to help you get started and then come back with specific Qs, plus the supporting info that we need to answer them.
It sounds like you are using a 123 redirector service, or equivalent for scene63.com which hides the redirection in an iframe. The issue here is that if the links on your site use site-relative links then because the URI has been redirected to http://designedbyross.co.uk/blog6/... then any new pages will be homed in designedbyross.co.uk. (I had the same problem with my wife's business site which mapped the same way to one of my subdirectories).
What you need to do is to configure the blog so that its site base is http://scene63.com/ and to force explicit site-based links so that any hrefs in the pages are of the form http://scene63.com/page2, etc. How you do this depends on the blog engine, but most support this as an option.
It turned out to be a 123-reg problem at the time not correctly applying changes to the DNS.
Today, I was interviewed for the post of webserver admin, and the interviewer asked one question that I never heard before..ever:
using .htaccess file how to down a live website?
Any one know the answer?
If you control the website, just put this in the .htaccess file in the root web directory:
deny from all
If you don't control the website, there is no way to do this unless there is a security vulnerability in the website unrelated to .htaccess.
Now I didn't do the website design but a couple of months ago I ported an existing website over to wordpress for a client of mine.
I got a call from a client today regarding their website, and some sort of a security problem.
The websites homepage loads up fine, but if you try to navigate to any other page it brings you to - http://secure.wheelerairservice.com/main.php.
The nav appears to still be linking to the appropriate page (when you rollover contact us, the link displays in the status bar as /contact-us) but it redirects to the above url.
Just wondering if anyone knows what the problem is, and who or what might have done this and how.
Any suggestions on how I could fix this?
thanks!
Ok I've looking into the problem some more and found that the .htaccess file had been replaced somehow. I'm just wondering how someone might have done this? via ftp access, wordpess admin account or some hole in wordpress, any thoughts?
Typically when it's the .htaccess files that have been infected, it's usually the result of stolen (compromised) FTP credentials.
This usually happens by a virus on a PC that has FTP access to the infected website. The virus works in a variety of ways, but usually one of two.
First, the virus knows where the free FTP programs stores it's saved login credentials. For instance with FileZilla on a Windows XP PC, look in:
C:\Documents and Settings(current user)\Application Data\FileZilla\sitemanager.xml
in there you'll find, in plain text, all the websites, usernames and passwords that user has used FileZilla to access via FTP.
The virus finds these files, reads the information and sends it to a server which then uses them to login to the website(s) with valid credentials, downloads specific files, in this case the .htacces files, infects them and then uploads back to the website. Often times we've see where the server will also copy backdoors (shell scripts) to the website as well. This gives the hacker remote access to the website even after the FTP passwords have been changed.
Second, the virus works by sniffing the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the login information that way as well.
Change all FTP passwords immediately
Remove the the infection from the .htaccess files
Perform a full virus scan on all PCs used to FTP files to the infected website
If the website has been listed as suspicious by Google, request a review from Google's webmaster tools.
If the hosting provider supports it, switch to SFTP which encrypts the traffic making it more difficult to sniff.
Also, look at all files for anything that doesn't belong there. It's difficult to find backdoors, because there's so many different ones. You can't go by the datetime stamp either because these backdoors modify the datetime stamp of files. We've seen infected files with the exact same datetime as other files in the same folder. Sometimes the hackers will set the datetime stamp to some random earlier date.
You can search files for the following strings:
base64_decode
exec
fopen
fsock
passthru (for .php files)
socket
These are somewhat common strings in backdoors.
Change your passwords. See Hardening WordPress and FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation
If FTP has been used to access/modify the files in this wordpress site, then it could be more than possible that someone has got the username and password for FTP access and modified your .htaccess file. FTP is not secure at all. I would suggest using SFTP as a minimum.
Wordpress is not perfect (not many things are) but i highly doubt there would be a flaw like this, is possible but i very much doubt it.
I suggest you first, change your FTP username/password, upgrade wordpress to the latest version, change the default admin username to something else and change the password for the administrator user, ensuring that all passwords are at least 8-10 characters in length
We also getting same problem for word press website, once virus removed but it re-attacking again, So as said above first have to backup all files, then change passwords of FTP, Administrator and cPanel, then upload back the website. I did above steps for our website.