The .htaccess File on my Root was Compromised

This week I received a few emails and phone calls from some clients saying that when performing a Google search (or a search on another engine) they were being redirected to pornography sites. After some research I determined that it was due to the hacker adding a RewriteCond to my .htaccess file that checked for the HTTP_REFERRER and sent them to these explicit sites. This culminated in reputational impact and general distress for clients and their customers.

 

I'm not asking for any type of retribution, but would like to know HOW a hacker was able to gain access to that file, let alone gain write access. I have strong passwords that I change frequently and don't have any backdoors that would allow access to the root in my code.

 

I assume this has happened to others. Is this an attack that impacts multiple parties (such as all of those on a virtual host) or is it more targeted to a partition?

 

Please let me know if anyone else has encountered this same problem and how, as a community, we can prevent this from happening.


Re: The .htaccess File on my Root was Compromised

If you are using WordPress, it most likely got in due to a vulnerability in an outdated theme/plugin.

 

Generally speaking, viruses won't even jump to a different website folder in the same hosting plan, let alone jump to a different hosting plan on the same server entirely.


Re: The .htaccess File on my Root was Compromised

Me too. It was part of this incursion:

http://kennycason.com/posts/2016-04-04-wordpress-hack-fix-google-redirects-to-spam.html

You will likely find a file with a name like something-somethingelse.php (not literally) in your docroot, which will be a unique file name on the www. That will contain the obfuscated (poorly) code, but will not explain how the file got there, or how they're editing the .htaccess file.

 

I removed these lines from .htaccess:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ something-somethingelse.php?$1 [L]

 

I would really like to know how they gained access. I'm guessing XSS attack plus really lousy server security.
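As an added example (not code from any post in this thread), the following Python script parses an .htaccess file the way mod_rewrite groups directives, a run of RewriteCond lines followed by the RewriteRule they gate, and reports any rule whose conditions match HTTP_REFERER or HTTP_USER_AGENT against search-engine names. That gating is why the site owner, who types the URL directly and sends neither a search-engine referrer nor a crawler user agent, never sees the redirect. The .htaccess content embedded below is constructed for the demonstration (it includes a legitimate canonical-host redirect and a hotlink guard as negative cases); the search-engine list is an assumption you can extend.

```python
"""Added example, not code from the thread: flag mod_rewrite blocks that
redirect search-engine visitors, the .htaccess pattern described above.
The sample .htaccess text is constructed for the demonstration."""
from typing import Dict, List, Tuple

# Engine names the injected conditions in the thread test for; the list is
# an assumption and can be extended (duckduckgo, yandex, ...).
SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "bing", "ask", "yandex")
# Request fields an attacker keys on: the owner types the URL directly and so
# sends neither a search-engine referrer nor a crawler user agent.
VISITOR_FIELDS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")

SAMPLE_HTACCESS = r"""
# constructed sample: a canonical-host redirect, a hotlink guard, an injected block
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F]

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ something-somethingelse.php?$1 [L]
"""


def parse_rewrite_blocks(text: str) -> List[Tuple[List[str], str]]:
    """Pair each RewriteRule with the RewriteCond lines that precede it.

    mod_rewrite attaches conditions to the next RewriteRule only, so the
    pending list is emptied whenever a rule is emitted.  Directive names
    are compared case-insensitively, as Apache does.
    """
    blocks: List[Tuple[List[str], str]] = []
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            pending.append(line)
        elif directive == "rewriterule":
            blocks.append((pending, line))
            pending = []
    return blocks


def search_engine_conditions(conds: List[str]) -> List[str]:
    """Return the conditions that test referrer/user agent for a search engine.

    Negated patterns ("!...") are skipped: a hotlink guard that fires when the
    referrer is NOT your own site is legitimate and must not be reported.
    """
    hits: List[str] = []
    for cond in conds:
        parts = cond.split(None, 3)  # RewriteCond TestString CondPattern [flags]
        if len(parts) < 3:
            continue
        test_string, pattern = parts[1].upper(), parts[2].lower()
        if pattern.startswith("!"):
            continue
        if test_string in VISITOR_FIELDS and any(e in pattern for e in SEARCH_ENGINES):
            hits.append(cond)
    return hits


def find_search_redirects(text: str) -> List[Dict[str, object]]:
    """Report every RewriteRule gated on a search-engine referrer or user agent."""
    findings: List[Dict[str, object]] = []
    for conds, rule in parse_rewrite_blocks(text):
        hits = search_engine_conditions(conds)
        if not hits:
            continue
        parts = rule.split(None, 3)  # RewriteRule Pattern Substitution [flags]
        target = parts[2] if len(parts) >= 3 else ""
        findings.append({"rule": rule, "target": target, "conditions": hits})
    return findings


if __name__ == "__main__":
    for f in find_search_redirects(SAMPLE_HTACCESS):
        print("SUSPICIOUS redirect to", f["target"])
        for c in f["conditions"]:
            print("   gated by:", c)
```

Run it over a downloaded copy of your own .htaccess (replace SAMPLE_HTACCESS with the file's contents). A hit names the substitution target, which in the thread is the oddly named PHP file dropped in the docroot, so the script also tells you which file to pull for analysis.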


Re: The .htaccess File on my Root was Compromised

Note that I am not implying this is a WP-only vulnerability. We are not running WP on the site in question, and several other people who have this issue do not. However, please let me know if your site was a WP site, since if it wasn't, and you practice good password protocols, I would more fully suspect the issue lies with GD.


Re: The .htaccess File on my Root was Compromised

Looking at this with fresh eyes today, I notice that the permissions on the compromised files are the same as the permissions of files edited through the on-line file browser, and different from files I pass via FTP. You might want to test-write a file from a script and see what the perms are. If the file-browser perms are unique, we're probably looking at a dictionary attack on the GD login, which is the kind of thing even a half-assed host should catch.
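As an added example (not from any post in this thread), a Python triage script that does what the post above suggests in a systematic way: it groups every file under the docroot by owner uid and permission bits, so that files written through a different channel than your usual FTP uploads stand out as a small cluster with a different signature. The records embedded below are constructed to mirror the thread (FTP uploads, two files that arrived some other way, and a root-owned stats folder); the paths and uids are assumptions. Pass a real docroot path on the command line to use live data.

```python
"""Added example, not code from the thread: triage a docroot by grouping
files on (owner uid, permission bits).  Files uploaded through one channel
share one signature; a small cluster with another was written some other
way (web file manager, PHP running as the web user, the host as root).
The sample records below are constructed for the demonstration."""
import os
import stat
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class FileRecord(NamedTuple):
    path: str
    uid: int
    mode: int  # permission bits only, e.g. 0o644


def collect(docroot: str) -> List[FileRecord]:
    """Walk a real docroot and record each file's owner and mode (symlinks not followed)."""
    records: List[FileRecord] = []
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            records.append(FileRecord(full, st.st_uid, stat.S_IMODE(st.st_mode)))
    return records


def group_by_signature(records: List[FileRecord]) -> Dict[Tuple[int, int], List[str]]:
    """Map (uid, mode) -> paths, so each write channel shows up as one group."""
    groups: Dict[Tuple[int, int], List[str]] = defaultdict(list)
    for r in records:
        groups[(r.uid, r.mode)].append(r.path)
    return dict(groups)


def outliers(records: List[FileRecord], max_share: float = 0.2) -> List[FileRecord]:
    """Files whose signature covers at most max_share of the docroot.

    Root-owned (uid 0) hits are reported too, but on shared hosting a
    host-provided directory such as web stats is expected to look like that;
    check what it contains before treating it as part of the compromise.
    """
    if not records:
        return []
    counts = Counter((r.uid, r.mode) for r in records)
    total = len(records)
    return [r for r in records if counts[(r.uid, r.mode)] / total <= max_share]


# Constructed sample mirroring the thread: FTP uploads as uid 1001 with 0644,
# two files that arrived another way with 0664, and a root-owned stats folder.
SAMPLE_RECORDS = [
    FileRecord(p, 1001, 0o644)
    for p in ("index.php", "about.php", "contact.php", "style.css", "logo.png",
              "js/app.js", "img/hero.jpg", "img/team.jpg")
] + [
    FileRecord(".htaccess", 1001, 0o664),
    FileRecord("something-somethingelse.php", 1001, 0o664),
    FileRecord("stats/index.html", 0, 0o644),
    FileRecord("stats/.htaccess", 0, 0o644),
]


def report(records: List[FileRecord]) -> str:
    """Human-readable summary: one line per signature, then the outliers."""
    lines = []
    for (uid, mode), paths in sorted(group_by_signature(records).items()):
        lines.append(f"uid={uid} mode={mode:04o}: {len(paths)} file(s)")
    for r in outliers(records):
        lines.append(f"  OUTLIER uid={r.uid} mode={r.mode:04o} {r.path}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    recs = collect(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    print(report(recs))
```

The signature tells you which channel wrote a file, not who used it: a 0664 cluster matching the web file manager's output points at the hosting-account login, while files owned by the web server's uid point at a PHP-level foothold. Compare the outliers' mtimes against your own activity and the host's access logs before drawing a conclusion.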

Re: The .htaccess File on my Root was Compromised

Interesting. I just got an email from GoDaddy, as I had some 'malware' files on my website. After looking into it, I found the .htaccess file had the 'RewriteRule' in it. I too would like to know how this is being changed. I am the only one that has access to the site and I did not make any changes to the file around that date.

I had this same issue about 6 months ago and decided it was due to poor passwords on FTP accounts. I changed all passwords and got rid of all the FTP users except for one.

 

I do not use WordPress. I just use PHP files. I do not have any allowed input into my website; it is just for information only. So again, how are they changing this file?

Re: The .htaccess File on my Root was Compromised

So after talking with GoDaddy support, they have said that my FTP password must have been compromised. However, I have changed it several times and somehow people are still accessing the files in my site. I was using the web-based file manager to review files, but could not find anything. I then used an FTP client and discovered a folder called STATS that does not appear in my web-based file manager. The folder's owner is not my FTP admin user, but is set to 0. Within the folder are additional files, and one is a .htaccess file along with what appears to be a password file. All of these files have the owner set to 0. So I cannot edit or delete any of these files. How does this happen?


Re: The .htaccess File on my Root was Compromised

Hi all,

As far as I know, logging in via FTP is not encrypted like SFTP.

Anyway, try checking if someone had made new ftp or sftp accounts in your server.
~Jan Mykhail Hasselbring Web Administrator @ wwwR.us
Email:support@wwwr.us Phone:4435-WWW R US or (443) 599-9787


LOL

Re: The .htaccess File on my Root was Compromised

Nope. That's not it, as you could quickly verify by looking at the permissions on the hacked files compared to those passed via FTP (assuming you aren't using your primary GD account login for FTP, which would be a bad idea, as those credentials would be passed in an easily snoopable format). The /stats directory would be used to display stats for your site, and the owner 0 is root (these are not files you are intended to view or edit directly). Download the index.html file in that directory for instructions on enabling those stats.

 

GoDaddy is either lying or incompetent. The question is HOW are people getting your GoDaddy login credentials (your GD login password is the thing you need to change, not FTP). It's not (solely) because of those credentials being passed via FTP -- I don't use the master account for FTP. So it's likely a dictionary attack, and an ISP that sucked less would notice millions of unsuccessful login attempts on the same account.


Re: The .htaccess File on my Root was Compromised

That last message was intended as a reply to mafitz2380. I assumed it would be threaded as such, but was not.


Re: The .htaccess File on my Root was Compromised

I've had the same problem as mentioned in this stream. Received an email today from GoDaddy saying I have 'malware' on my site and they deleted a couple of PHP files. I had previously changed the name of those two files, embedding the word 'HACK' in the name. My .htaccess file had also been tampered with. I called the phone number in the email and talked to a pretty knowledgeable person. They told me I should/could move to a different plan that has a newer version of PHP and also purchase their SiteLock product ($84 per year). Basically the product runs folder scans looking for 'malware' and file activity and will remove and/or report what it finds. I thought this was something a good host would already be doing. I guess they turned a weakness into a way to make more money.