
htaccess altered but not by us

Yesterday we noticed our site was down with an Internal Server Error - 500 page showing. I took a quick look through the files in the root and noticed htaccess was a substantially different file size. Downloading the file from the server and comparing against the original I see several lines of code had been removed. I have no idea why. No new lines were added that I could tell. 

 

I uploaded the original htaccess file and the site was up. Then the same thing happened again today. I repeated the upload and we're up again. But this is rather disturbing. Leads me to think we've been hacked.

 

Suggestions?

3 REPLIES

.htaccess file

Is anyone having problems with someone inserting commands in their .htaccess file?  Someone adds the following 2 lines:

 

RewriteEngine on
RewriteRule ^2935483048/(.*)$ chocolates-epicure.php [QSA,L]

 

Then adds the file chocolates-epicure.php to the main folder.

 

Help

Re: .htaccess file

I manage about 80 websites hosted by GoDaddy which I have designed. By now I'd estimate that I have discovered over 10 which have experienced this 'hack' where rewrite rules are added to the .htaccess file and other malicious files are added to the website. Here's what I do when I discover this:

1. Change GoDaddy account and ftp passwords. (See below; this probably isn't necessary but makes me feel better.)

2. Clean up the .htaccess file or remove if it has no purpose in your website.

3. Search for and remove all files that do not belong; expect them to have a php extension. This can be very time consuming if the site is large, and be aware that the files are cleverly named to avoid detection. For example, a folder 'images' may have 100s of jpg files and one php file with a similar name to one of the image files but with a php extension, containing a malicious script. Check every php file to make sure it is one that belongs.

Over a year ago I took this up with GoDaddy support. I found them very unhelpful on this subject; they responded as follows:

a) The hack was most likely allowed by a security issue with the website design

b) They offered a security package at a fee which they said would prevent this from happening in the future.

Since that time it has become 100% clear that this is not an individual website design security flaw but is an issue with GoDaddy web servers which have allowed files to be inserted in customers' website areas and .htaccess files to be modified or replaced. I know this because it happened to an extremely simple website of ours, one html page with text and one image, a small css file. Security of the website design could not possibly be an issue here and the account and ftp passwords were unique and complex as with all our websites. 

This hack (or a version of it) is well known and you can find details by searching the web. In some cases, because of what it does, Google can detect it and will mark your site as hacked on search results and notify you via Google Webmaster Tools. The security flaw may well not be limited to GoDaddy servers but I would like to hear from GoDaddy that they acknowledge the fact that their servers are not secure from this hack and that they are pursuing a solution with appropriate effort.

I would consider switching to a different host but we are in the process of retiring our company and finding ongoing support solutions for our customers.
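An added example, not part of the original posts: one way to automate the cleanup steps above and the original poster's comparison against a known-good copy. It hashes a clean copy of the site into a baseline, then reports files added, removed or modified on the server and any .htaccess RewriteRule that routes to a PHP file absent from the baseline. The site tree, file contents and function names are constructed for illustration; the rewrite rule is the one quoted earlier in the thread.

```python
import hashlib, os, re, tempfile
RULE = re.compile(r'^[ \t]*RewriteRule[ \t]+\S+[ \t]+(\S+)', re.I | re.M)

def manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    out = {}
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            with open(path, 'rb') as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit(root, baseline):
    """Diff the live tree against a known-good manifest."""
    live, unknown = manifest(root), []
    for rel in (p for p in live if os.path.basename(p) == '.htaccess'):
        with open(os.path.join(root, rel), errors='replace') as fh:
            for target in RULE.findall(fh.read()):
                # Leading "/" is docroot-relative, otherwise relative to this .htaccess
                base = '' if target.startswith('/') else os.path.dirname(rel)
                resolved = os.path.normpath(os.path.join(base, target.lstrip('/')))
                if target.lower().endswith('.php') and resolved not in baseline:
                    unknown.append((rel, target))
    return {
        'added': sorted(set(live) - set(baseline)),
        'removed': sorted(set(baseline) - set(live)),
        'modified': sorted(p for p in live if p in baseline and live[p] != baseline[p]),
        'rewrite_to_unknown_php': sorted(unknown),
    }

def write(root, rel, text):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), 'w') as fh:
        fh.write(text)

def demo():
    """Constructed site: take a baseline, simulate the tampering, audit."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in [('index.html', '<h1>hi</h1>'), ('style.css', 'h1{}'),
                          ('images/photo.jpg', 'jpg-bytes'), ('.htaccess', 'Options -Indexes\n')]:
            write(root, rel, text)
        baseline = manifest(root)  # in practice: built from your own local copy
        write(root, '.htaccess', 'Options -Indexes\nRewriteEngine on\n'
              'RewriteRule ^2935483048/(.*)$ chocolates-epicure.php [QSA,L]\n')
        for rel in ('chocolates-epicure.php', 'images/photo.php'): write(root, rel, '<?php /* placeholder */')
        return audit(root, baseline)

if __name__ == '__main__': print(demo())
```

Build the baseline from a copy of the site that never lived on the server, and keep the manifest off the host so it cannot be altered along with the files.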

Re: .htaccess file

I had an .auto_htaccess file added to my website yesterday. It is interesting that you say perhaps it was GoDaddy - not sure of course, but this file was immediately put in my quarantine area. I have several very complex .htaccess files in different directories to prevent hacks - and if anyone tries to re-write any of my files they go to quarantine. The htaccess files will not allow any upload except picture extensions and that is only allowed to my upload directory - and files that reside in that area cannot copy, create or replicate in any other directory without a quarantine. Reviewing the file that was uploaded - it was a complete rewrite pointing my website to an office website using my website name. I did change my FTP password for security but still wonder how that file got into my root directory since nothing is allowed to be written there - and the website design worked as expected by quarantining the file. Like you I suspect that someone from the host could have added that file, but that would be quite illegal. I use Bullet Proof Security on all of my sites because it just works. In this case it did what it was supposed to do - and based on what I read about your site you would have been protected from this attack. I am positive that GoDaddy wants to sell you stuff - I am hit up all of the time to buy this or that. That is how they make money. I wouldn't expect them to be the ones to do something like that. I am still quite perplexed how someone was able to upload a file to my root directory when that access is blocked. The good news for me, even if that was true - the file goes to quarantine with BPS and has to be manually released. A good security program with good backups off site have always worked for me.