HACK ATTACK - users redirected


#1

This is a report on a specific type of attack and what files were affected.

Someone recently injected code into my sites redirecting users to:

http://sweepstakesandcontestsinfo.com/nl.php?nnn=555

They did this in three ways: s added to html files and php files, by adding php files - some in image directories, and MOST IMPORTANTLY, by adding code to the .htaccess file(s).

This method of attack has been reported on by Sucuri:

.htaccess files are “hidden”, so if not operating from a shell (ls -a) you might need to adjust the settings in your FTP client. Some info here: http://wiki.dreamhost.com/Htaccess#Finding_.htaccess_Files

I don’t know how they got in. Figuring that out is my next step and if anyone has info or suggestions they would be most appreciated.

Thanks and hopefully you haven’t been hacked!
Colin
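
The three indicators described in post #1 (the redirect domain inside HTML/PHP files, PHP files in image directories, and .htaccess rules that point at an external URL) can be checked with a scan of the web root. The following is an added example, not code from the thread; the image directory names, the finding labels and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

REDIRECT_DOMAIN = "sweepstakesandcontestsinfo.com"  # target named in the post
IMAGE_DIRS = {"images", "image", "img", "uploads"}  # assumed image-only dirs
# Apache directives that send visitors to an absolute external URL.
EXTERNAL_RULE = re.compile(
    r"^\s*(RewriteRule|Redirect(Match)?|ErrorDocument)\b.*https?://", re.I)

def scan(root):
    """Return sorted (finding, relative_path) pairs for files under root."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        parts = set(os.path.relpath(dirpath, root).lower().split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if IMAGE_DIRS & parts and lower.endswith((".php", ".phtml")):
                findings.add(("php-in-image-dir", rel))
            if lower != ".htaccess" and not lower.endswith((".php", ".html", ".htm")):
                continue
            with open(path, errors="replace") as fh:
                lines = fh.read().splitlines()
            if any(REDIRECT_DOMAIN in line for line in lines):
                findings.add(("known-redirect-domain", rel))
            if lower == ".htaccess" and any(EXTERNAL_RULE.search(l) for l in lines):
                findings.add(("htaccess-external-redirect", rel))
    return sorted(findings)

def demo():
    """Scan a constructed sample site built in a temporary directory."""
    url = "http://" + REDIRECT_DOMAIN + "/nl.php?nnn=555"
    samples = {  # constructed files, not copies of the affected sites
        "about.html": "<html><body><a href='" + url + "'>x</a></body></html>\n",
        "images/thumb.php": "<?php // constructed placeholder\n",
        ".htaccess": "RewriteEngine On\nRewriteRule .* " + url + " [R,L]\n",
        "blog/.htaccess": "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Call `scan()` with the path of your own web root; each hit is a file to review by hand, and a legitimate external redirect in .htaccess will also be listed.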


#2

If you are using an FTP program, be sure to ONLY use SFTP. You can change the settings in the panel under user.


#3

See this thread for more details: http://discussion.dreamhost.com/thread-132209.html