Common.php/.htaccess hack


#1

I have a site hosted on Dreamhost and it is being repeatedly exploited. The attacker replaces the .htaccess file that redirects anyone who arrives with a search engine referrer to a file named common.php (which they upload) that sends them to scam pharmaceutical sites.

I am not running WordPress, nor do I have any other third party applications running. I’ve gone through all the incoming requests for the sites and it doesn’t look like someone is exploiting one of the files on the site. I’ve also tried scanning wtmp to see if someone else is logging in as my user, but haven’t seen anything.

Anyone else seen something similar? I’m not sure what to do next.


#2

I’m running Joomla and have been trying to track down where the .htaccess file is being rewritten from. I barely get the file deleted and it’s being rewitten with a redirect.
Anyone else having this problem.


#3

There are a number of threads on this forum about this very topic.
Most notably: https://discussion.dreamhost.com/thread-134262.html
There’s some advice and links to wiki pages in there.