Sorry for the necrobump, but it's on topic.
Hey everyone. My site got hacked on Dec 17th. I just noticed, because it used referrer code and I have the site bookmarked, so I never saw the Online Pharmacy that had taken over my site. This was added to my htaccess on Dec 17
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
#RewriteRule ^(.*)$ centimeter-disproved.php?$1 [L]
RewriteEngine On
Godaddy was useless. Blamed my hosting package, and said it was because my package was too old, you signed up in 2007.... I have been migrated several times over the years. I asked if the current $7.99 package was "secure". Yes yes much better, very secure. Ok I just renewed in August, switch me. We would have to credit you the difference, and do a new signup. He also suggested the SSL package. He couldn't find anything in the logs, I wanted to see if one of my ftp users was hacked. He said they only had 30 days of logs on the old servers.
I was able to find this entry on the access logs on Dec 17. Same time stamp as the bad files.
15?.???.???.??? - - [17/Dec/2018:13:10:58 -0700] "POST mackweather.com/~username/simmqjfo.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/simmqjfo.php" 303804 5001440
15?.???.???.??? - - [17/Dec/2018:13:10:58 -0700] "POST mackweather.com/~username/simmqjfo.php HTTP/1.1" 200 452 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/simmqjfo.php" 291408 5001440
15?.???.???.??? - - [17/Dec/2018:13:10:59 -0700] "POST mackweather.com/~username/simmqjfo.php??centimeter-disproved.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0 "redirect-handler" "/var/chroot/home/content/40/5001440/html/centimeter-disproved.php" 293514 5001440
That is how the bad redirect code got added. The other bad file simmqifo.php was added in November, so I didn't have the logs for that day.
I found a ton of php files in a folder I created for a TP camera ftp upload, and the daily subfolders. Maybe that was the source for the hack, I killed that camera, and deleted the folders. No other strange php on the site was found.
Hope everyone is good. I only seem to get on here when I have troubles. Kids and work keep me busy these days.
Andrew
edit: redacted hacker's IP
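An added example, not code from Andrew's post or from the host: a small Python checker that parses access-log lines in the layout shown above and flags the three things the post points at (a POST to a PHP file the site never had, the rewrite handler serving a different PHP file, and a "Googlebot" request from the same address that used a browser UA a second earlier), and lists .htaccess RewriteCond lines keyed on crawler user-agent or referrer. The sample log lines, their IPs and the allowlist of legitimate PHP file names are constructed assumptions; the paths and the .htaccess lines are the post's own.

```python
import re
from collections import defaultdict
from os.path import basename

# Access-log layout from the post: combined log, then '<n> "handler" "served file" ...'
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"'
    r'(?: \d+ "(?P<handler>[^"]*)" "(?P<served>[^"]*)")?')
# Constructed sample lines (documentation-range IPs, shortened UAs); paths are the post's own.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2018:13:10:58 -0700] "POST mackweather.com/~username/simmqjfo.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/34.0" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/simmqjfo.php" 303804 5001440
203.0.113.5 - - [17/Dec/2018:13:10:59 -0700] "POST mackweather.com/~username/simmqjfo.php??centimeter-disproved.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0 "redirect-handler" "/var/chroot/home/content/40/5001440/html/centimeter-disproved.php" 293514 5001440
198.51.100.7 - - [17/Dec/2018:13:12:03 -0700] "GET mackweather.com/~username/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/index.php" 1201 5001440
"""
KNOWN_PHP = {"index.php", "contact.php"}  # assumed allowlist of the site's real PHP files
HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
#RewriteRule ^(.*)$ centimeter-disproved.php?$1 [L]
"""

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious(lines, known_php=KNOWN_PHP):
    """Return (reason, ip, file) tuples for the three signs of compromise seen in the post."""
    recs = [r for r in map(parse, lines) if r]
    kinds = defaultdict(set)  # which UA families each IP has used across the whole log
    for r in recs:
        kinds[r["ip"]].add("crawler" if "bot" in r["ua"].lower() else "browser")
    hits = []
    for r in recs:
        name = basename(r["path"].split("?")[0])
        if r["method"] == "POST" and name.endswith(".php") and name not in known_php:
            hits.append(("POST to unknown PHP file", r["ip"], name))  # webshell traffic
        if r["handler"] == "redirect-handler" and basename(r["served"]) not in known_php:
            hits.append(("rewrite served unexpected PHP", r["ip"], basename(r["served"])))
        if "bot" in r["ua"].lower() and kinds[r["ip"]] == {"crawler", "browser"}:
            hits.append(("crawler UA from an IP that also used a browser UA", r["ip"], name))
    return hits

def htaccess_cloaking(text):
    """RewriteCond lines (commented out or not) that key on crawler UA or referrer."""
    return [l.strip() for l in text.splitlines()
            if re.match(r'\s*#?\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}', l)
            and re.search(r'google|yahoo|msn|aol|bing', l, re.I)]
```

Run `suspicious(SAMPLE_LOG.splitlines())` and `htaccess_cloaking(HTACCESS)`; the benign visitor on the third line produces no hit, while the attacker's address is flagged four times.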