Author Topic: For Malicious Code in my htaccess  (Read 1463 times)


Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
For Malicious Code in my htaccess
« on: October 20, 2016, 01:18:14 PM »
I found malicious code in another site I built: my work website.
How could someone rewrite the .htaccess?

RewriteEngine on
RewriteRule ^7391884522/(.*)$ forefather-beet.php [QSA,L]
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ bloodhound-gull.php?$1

This mess was in there along with bloodhound-gull.php and a few others, which I deleted.

Any way to prevent rewriting of the .htaccess file? This is my work site, which I built. If it's not OK to post this, just let me know.
« Last Edit: October 20, 2016, 01:27:49 PM by CNYWeather »
Tony




Offline saratogaWX

  • Administrator
  • Forecaster
  • *****
  • Posts: 9288
  • Saratoga, CA, USA Weather - free PHP scripts
    • Saratoga-Weather.org
Re: For Malicious Code in my htaccess
« Reply #1 on: October 20, 2016, 05:46:23 PM »
If your site is on a shared hosting server, it's likely that the mods arrived via the filesystem from another website on the same host.  Since you're hosted on GoDaddy, I'd suggest you call their tech support and ask for their security team to do an audit of the site(s) on your webserver for malicious content.
Ken True/Saratoga, CA, USA main site: saratoga-weather.org
Davis VP1+ FARS, Blitzortung RED, GRLevel3, WD, WL, VWS, Cumulus, Meteobridge
Free weather PHP scripts/website templates - update notifications on Twitter saratogaWXPHP

Offline Aardvark

  • Forecaster
  • *****
  • Posts: 2305
  • Tonto to Lone Ranger : "never take off mask.
    • turned off
Re: For Malicious Code in my htaccess
« Reply #2 on: October 20, 2016, 06:09:07 PM »
When I put in one of Wim's Leuven templates I had to give some files permissions.   Can you go to that file and remove the write permission?  I have selected a random file on my web site and went to change permissions.   All I have to do is uncheck what I want private.

Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
Re: For Malicious Code in my htaccess
« Reply #3 on: October 20, 2016, 07:24:40 PM »
Quote from: saratogaWX on October 20, 2016, 05:46:23 PM
If your site is on a shared hosting server, it's likely that the mods arrived via the filesystem from another website on the same host.  Since you're hosted on GoDaddy, I'd suggest you call their tech support and ask for their security team to do an audit of the site(s) on your webserver for malicious content.

Thanks Ken. I will do that because I'm on a shared server.


EDIT:
I talked to GoDaddy this morning, Ken. They tried to sell me their SiteLock upgrade for $199 and didn't want to see the injected code or anything.
« Last Edit: October 21, 2016, 09:30:04 AM by CNYWeather »
Tony




Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
Re: For Malicious Code in my htaccess
« Reply #4 on: December 22, 2016, 02:46:18 PM »
This happened once again to my work website. I captured the code this time and I have no clue what it does.

What should my .htaccess file permissions be set at? They injected code in there again.

GoDaddy will put a stop to this again if I pay them $199 a year for some site blocking garbage.
Tony




Offline gwwilk

  • Southeast Lincoln Weather
  • Forecaster
  • *****
  • Posts: 2578
    • SouthEast Lincoln, NE Weather
Re: For Malicious Code in my htaccess
« Reply #5 on: December 22, 2016, 03:12:13 PM »
My GoDaddy site's .htaccess has also been hacked twice.  The best defense I've found is to check my site's .htaccess timestamp against my htaccess.txt timestamp in my development directory.  Currently they are identical.  I investigate when they diverge.
Regards, Jerry Wilkins
gwwilk@gmail.com
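Added example (not code from this thread or from any of the posters): a small Python audit that covers the three checks discussed in the replies above in one pass. It compares the live .htaccess with a known-good copy by content hash rather than by timestamp (an attacker who can write the file can also reset its mtime, so a timestamp match is weaker evidence than a hash match), flags RewriteRules that only fire when the visitor looks like a search engine (the cloaking pattern quoted in the first post), and reports group/world write bits on the file. The sample .htaccess text and the known-good baseline are constructed for the example; the script name bloodhound-gull.php is the one quoted in the thread. The permissions caveat is in the comments: on shared hosting PHP normally runs as the account owner, so removing write permission stops neighbouring accounts but not a web shell already running inside yours, which can simply chmod the file back.

```python
import hashlib
import os
import re
import stat

# Constructed sample in the style of the rules posted in this thread
# (script name as quoted in the first post; no such file exists here).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ bloodhound-gull.php?$1
"""

# Constructed benign baseline, the kind kept in a development directory.
KNOWN_GOOD_HTACCESS = """\
RewriteEngine On
RewriteRule ^old-page\\.html$ /new-page.html [R=301,L]
"""

# Search-engine names commonly used to gate a cloaked rule.
SEARCH_ENGINE_RE = re.compile(r"google|yahoo|msn|aol|bing|slurp|duckduck", re.I)
BOT_GATED_VARS = {"%{HTTP_USER_AGENT}", "%{HTTP_REFERER}"}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def matches_baseline(live_text, known_good_text):
    """Compare content hashes, not modification times: anyone who can write
    .htaccess can also reset its mtime (touch -r), so a timestamp check alone
    can be defeated. A mismatch means the file needs a line-by-line diff."""
    return sha256_hex(live_text) == sha256_hex(known_good_text)


def find_cloaking_targets(htaccess_text):
    """Return targets of RewriteRules that fire only for visitors whose
    User-Agent or Referer looks like a search engine. Serving crawlers a
    different PHP script than humans is the cloaking pattern in this thread."""
    targets = []
    bot_gated = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines do not affect the rule chain
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() in BOT_GATED_VARS and SEARCH_ENGINE_RE.search(parts[2]):
                bot_gated = True
        elif directive == "rewriterule" and len(parts) >= 3:
            if bot_gated:
                targets.append(parts[2])
            bot_gated = False  # RewriteCond lines apply only to the next RewriteRule
    return targets


def mode_problems(mode):
    """Describe write bits that let accounts other than the owner change the
    file. Caveat for shared hosting: PHP usually runs as the account owner
    (suPHP/CGI), so a dropped web shell can chmod the file back; 644 keeps
    neighbouring accounts out but not a shell already inside yours."""
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


def audit_file(path, known_good_text):
    """Run all three checks against a real file; returns a dict of findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        live = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "baseline_ok": matches_baseline(live, known_good_text),
        "cloaking_targets": find_cloaking_targets(live),
        "mode_problems": mode_problems(mode),
    }


if __name__ == "__main__":
    print("baseline ok:", matches_baseline(SAMPLE_HTACCESS, KNOWN_GOOD_HTACCESS))
    print("cloaking targets:", find_cloaking_targets(SAMPLE_HTACCESS))
    print("mode 0666 problems:", mode_problems(0o666))
```

Run it from cron or after every FTP session with audit_file("/path/to/.htaccess", open("htaccess.txt").read()); a non-empty cloaking_targets list or a False baseline_ok is the signal to investigate, and the rewrite targets it names are the first dropped files to look for.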

Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
Re: For Malicious Code in my htaccess
« Reply #6 on: December 22, 2016, 03:42:45 PM »
Gotcha.

I only realized the .htaccess was different because I saw some PHP files that got added to my directory when I was uploading
some new stuff with FileZilla today.
Tony




Offline mackbig

  • Forecaster
  • *****
  • Posts: 4128
    • Mackie's Main Street, Unionville, ON Canada Weather
Re: For Malicious Code in my htaccess
« Reply #7 on: January 22, 2019, 08:11:27 AM »
Sorry for the necrobump, but it's on topic.

Hey everyone.  My site got hacked on Dec 17th.  I just noticed, because it used referrer code and I have the site bookmarked, so I never saw the online pharmacy that had taken over my site.  This was added to my .htaccess on Dec 17:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
#RewriteRule ^(.*)$ centimeter-disproved.php?$1 [L]
RewriteEngine On

GoDaddy was useless.  Blamed my hosting package, and said it was because my package was too old: "you signed up in 2007"....  I have been migrated several times over the years.   I asked if the current $7.99 package was "secure".  Yes yes, much better, very secure.  OK, I just renewed in August, switch me.   We would have to credit you the difference and do a new signup.  He also suggested the SSL package.  He couldn't find anything in the logs; I wanted to see if one of my FTP users was hacked.  He said they only had 30 days of logs on the old servers.

I was able to find this entry on the access logs on Dec 17. Same time stamp as the bad files.
15?.???.???.??? - - [17/Dec/2018:13:10:58 -0700] "POST mackweather.com/~username/simmqjfo.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/simmqjfo.php" 303804 5001440
15?.???.???.??? - - [17/Dec/2018:13:10:58 -0700] "POST mackweather.com/~username/simmqjfo.php HTTP/1.1" 200 452 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36" 0 "x-httpd-php" "/var/chroot/home/content/40/5001440/html/simmqjfo.php" 291408 5001440
15?.???.???.??? - - [17/Dec/2018:13:10:59 -0700] "POST mackweather.com/~username/simmqjfo.php??centimeter-disproved.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" 0 "redirect-handler" "/var/chroot/home/content/40/5001440/html/centimeter-disproved.php" 293514 5001440

That is how the bad redirect code got added.  The other bad file, simmqjfo.php, was added in November, so I didn't have the logs for that day.

I found a ton of php files in a folder I created for a TP camera ftp upload, and the daily subfolders. Maybe that was the source for the hack, I killed that camera, and deleted the folders.  No other strange php on the site was found.

Hope everyone is good. I only seem to get on here when I have troubles.  Kids and work keep me busy these days.

Andrew

edit: redacted hacker's IP
« Last Edit: January 23, 2019, 11:54:47 AM by mackbig »

Andrew - Davis VP2+ 6163, serial weatherlink, wireless anemometer, running Weather Display.  Boltek PCI Stormtracker, Astrogenic Nexstorm, Strikestar - UNI, CWOP CW8618, GrLevel3, (Station 2 OS WMR968, VWS 13.01p09), Windows 7-64
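Added example (not code from this thread or from any of the posters): a Python pass over access-log lines of the shape quoted in the post above. It parses the common-log prefix (the trailing host-specific fields such as the handler and file path are ignored), flags POST requests to PHP files that the site owner does not recognise, lists source IPs that present more than one User-Agent (the same address switching from Chrome to a Googlebot string within a second, as in the quoted lines, is an operator testing a cloaked redirect, not a crawler), and reports the earliest hit per script so it can be matched against the mtimes of the dropped files. The log lines are constructed for the example: the attacker's address is replaced by a documentation IP (RFC 5737), the host and account are placeholders, the script names are the ones quoted in the post, and KNOWN_SCRIPTS is an assumed allowlist of the site's own scripts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the access-log lines quoted above.
# Attacker IP replaced by a documentation address; host/account are
# placeholders; the last two lines are ordinary traffic for contrast.
SAMPLE_LOG = """\
198.51.100.7 - - [17/Dec/2018:13:10:58 -0700] "POST example.com/~user/simmqjfo.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
198.51.100.7 - - [17/Dec/2018:13:10:58 -0700] "POST example.com/~user/simmqjfo.php HTTP/1.1" 200 452 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
198.51.100.7 - - [17/Dec/2018:13:10:59 -0700] "POST example.com/~user/simmqjfo.php??centimeter-disproved.php HTTP/1.1" 200 207 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [17/Dec/2018:13:12:03 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"
203.0.113.9 - - [17/Dec/2018:13:12:04 -0700] "POST /contact.php HTTP/1.1" 200 880 "http://example.com/contact.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/64.0"
"""

# Combined-log prefix; anything after the User-Agent is ignored, so the
# host's extra fields (handler, chroot path, sizes) do not break parsing.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed allowlist: the PHP scripts the owner knows they deployed.
KNOWN_SCRIPTS = {"index.php", "contact.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = rec["target"].split("?", 1)[0]    # drop the query string
    rec["script"] = path.rsplit("/", 1)[-1]  # last path element, host prefix or not
    return rec


def suspicious_posts(log_text, known_scripts=KNOWN_SCRIPTS):
    """POST requests to PHP files the owner did not deploy. A web shell is
    driven by POSTing commands to it, so these lines show the operator at
    work; a plain GET to the same file is usually just a probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        script = rec["script"].lower()
        if rec["method"] == "POST" and script.endswith(".php") and script not in known_scripts:
            hits.append(rec)
    return hits


def ua_switchers(log_text):
    """IPs that present more than one User-Agent. A browser does not turn into
    Googlebot a second later; someone testing a cloaked redirect does."""
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            agents[rec["ip"]].add(rec["ua"])
    return {ip for ip, uas in agents.items() if len(uas) > 1}


def first_seen(hits):
    """Earliest timestamp per suspicious script, to line up against the
    mtimes of the dropped files and of the modified .htaccess."""
    earliest = {}
    for rec in hits:
        name = rec["script"]
        if name not in earliest or rec["ts"] < earliest[name]:
            earliest[name] = rec["ts"]
    return earliest


if __name__ == "__main__":
    found = suspicious_posts(SAMPLE_LOG)
    for rec in found:
        print(rec["ts"].isoformat(), rec["ip"], rec["script"], rec["ua"][:40])
    print("first seen:", {k: v.isoformat() for k, v in first_seen(found).items()})
    print("UA switchers:", ua_switchers(SAMPLE_LOG))
```

Feed it the raw log with suspicious_posts(open("access.log").read()) after filling KNOWN_SCRIPTS from a listing of the site's own files; the earliest hit on an unknown script is the lower bound for when the account was first used, and its IP is the one to search for in older logs while they still exist.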

Offline PaulMy

  • Forecaster
  • *****
  • Posts: 5519
    • KomokaWeather
Re: For Malicious Code in my htaccess
« Reply #8 on: January 22, 2019, 09:26:00 AM »
Hi Andrew,
Just like old times... SlowModem also has become quite active recently...

I know your feeling about GoDaddy but have too much time and effort put into things to consider a change :(

Enjoy,
Paul



Offline mackbig

  • Forecaster
  • *****
  • Posts: 4128
    • Mackie's Main Street, Unionville, ON Canada Weather
Re: For Malicious Code in my htaccess
« Reply #9 on: January 22, 2019, 10:01:29 AM »
Hey Paul
I see I am still 10th in posts. After several years of one or two per year.  I wonder how close 11th is.

I guess you got some snow on the weekend... and we all got the -20 to -30 temps.

Andrew

Andrew - Davis VP2+ 6163, serial weatherlink, wireless anemometer, running Weather Display.  Boltek PCI Stormtracker, Astrogenic Nexstorm, Strikestar - UNI, CWOP CW8618, GrLevel3, (Station 2 OS WMR968, VWS 13.01p09), Windows 7-64

Offline PaulMy

  • Forecaster
  • *****
  • Posts: 5519
    • KomokaWeather
Re: For Malicious Code in my htaccess
« Reply #10 on: January 22, 2019, 10:52:48 AM »
With the dozen or more per day by some of the new folks you'd better get commenting or lose your spot :(

Enjoy,
Paul

Offline CNYWeather

  • Forecaster
  • *****
  • Posts: 2297
    • CNYWeather
Re: For Malicious Code in my htaccess
« Reply #11 on: January 22, 2019, 12:16:04 PM »
Hey Andrew! Been a long time!!

Yeah, GoDaddy is always trying to find a way to get you into a more expensive hosting package
that'll help prevent this. LOL Yeah right.

My htaccess wasn't changed this time. It did happen to my work site hosted on GoDaddy though.
I'm attributing the issues to some code somewhere hidden in Supercounters code that I was using.
I got rid of their code and it's been ok now.
Tony




Offline SlowModem

  • Weather at the speed of dialup!
  • Forecaster
  • *****
  • Posts: 6641
  • WX @ 26.4 kbs
    • Watts Bar Weather
Re: For Malicious Code in my htaccess
« Reply #12 on: January 23, 2019, 06:23:33 AM »
Quote from: PaulMy on January 22, 2019, 09:26:00 AM
Hi Andrew,
Just like old times... SlowModem also has become quite active recently...

:)
Greg Whitehead
Ten Mile, TN USA

Offline mackbig

  • Forecaster
  • *****
  • Posts: 4128
    • Mackie's Main Street, Unionville, ON Canada Weather
Re: For Malicious Code in my htaccess
« Reply #13 on: January 23, 2019, 12:03:09 PM »
Hey Greg and Tony,

Funny how weather things come in clusters.  Started Saturday afternoon: mini snow storm, arctic cold snap and windy.  Some strange vibration noise in my house.  Turned off all noise sources, and the only thing I can think of is that a bearing has gone in either my VP2 anny or old OS 968 anny, and the vibration is transferring through the mount and trusses and into the walls of my second floor.   Luckily loudest in the hallway, so it didn't affect anyone's sleep.  I won't be able to investigate for a while as, aside from rain and an ice storm today, it's not expected above freezing for the near future, and the roof has several inches of snow on it.

Then I discovered the hack a few hours later.  And I had my first ever low battery warning in 10 years a few weeks ago, ironically just a couple of weeks after changing the original CR123 in both the anny and ISS.  It was a proactive change; batteries aren't supposed to last 10 years.  Hopefully it was a fluke, like the solar panel connector not on tight; it would suck if proactive maintenance messed up my super cap.

Andrew

Andrew - Davis VP2+ 6163, serial weatherlink, wireless anemometer, running Weather Display.  Boltek PCI Stormtracker, Astrogenic Nexstorm, Strikestar - UNI, CWOP CW8618, GrLevel3, (Station 2 OS WMR968, VWS 13.01p09), Windows 7-64

Offline cospringswx

  • Forecaster
  • *****
  • Posts: 4136
    • Colorado Springs Weather
Re: For Malicious Code in my htaccess
« Reply #14 on: February 03, 2019, 09:22:29 PM »
Quote from: CNYWeather on January 22, 2019, 12:16:04 PM
Hey Andrew! Been a long time!!

Yeah, GoDaddy is always trying to find a way to get you into a more expensive hosting package
that'll help prevent this. LOL Yeah right.

My htaccess wasn't changed this time. It did happen to my work site hosted on GoDaddy though.
I'm attributing the issues to some code somewhere hidden in Supercounters code that I was using.
I got rid of their code and it's been ok now.

Hey Tony,

Thanks for the heads up about Supercounters. I just got rid of it also.




Ryan 

Colorado Springs, CO
www.cospringsweather.com
Davis Vantage Vue
Weather Display Software
Amcrest HD IP Camera