Recreating my htaccess file after being hacked

TaddPeake · 2012-01-08 18:47:40 UTC

I’m recovering from having my site hacked by:

creating a new user (call him MrClean)
uploading my local backup site files to a directory on MrClean named MySite.com
then directed my domain to the MrClean/MySite.com directory (control panel > manage domains > edit).

So far, so good.

I did not have a backup of the .htaccess file before the hack. The hacker added code to it, and I don’t know what I can/should remove besides a line that required a file that contained part of the hack.

Below is the hacked htaccess code. I did not write/add any of this. I did add a line enabling .html SSI using info from the DH wiki: http://wiki.dreamhost.com/Htaccess_file_overview#How_can_I_use_ssi_on_files_with_.html_extensions.3F

The lines about stats.php is definitely part of the hack.

Auto-generated .htaccess file start

RewriteEngine On
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{HTTP:Expect} ^$
RewriteCond %{REQUEST_FILENAME} !.(jpg|jpeg|gif|png|css|js|txt|xml|swf|ico|pdf|txt)$
RewriteCond %{REQUEST_FILENAME} !stats.php
RewriteRule ^(.*) /stats.php [L,NS]

Auto-generated .htaccess file end

Put your content after this line

Questions:

Do I need any of that above?
Is there a default .htaccess site file for basic site security? If so, what does it contain?
What permissions should the .htaccess file have?
I have a mirrored site and a secure certificate, if that matters for the htaccess file(s).
I’m using Transmit for FTP. It allows me to edit a blank htaccess file and set perms. Is that adequate, or to I need to telnet to write the file?

Too much, too little information? Thanks for your help. [hr]
I have read the Wiki about HTACCESS, have googled, and have searched the forum. I need real step-by-step help.

Thanks, again.

bobocat · 2012-01-09 01:36:14 UTC

The stats line may not be part of the hack if you are running your own analytics program… Otherwise, it looks fine. Is the stats.php file full of links to spam sites or something?

TaddPeake · 2012-01-09 01:46:41 UTC

Thanks for answering.

I was not running my own analytics program.

The stats.php file was just three lines. It started with "<? $esc_exb_url = " and was followed with about 200 characters that look similar to the code created with .htpasswd files.

The thing is, it broke my site if I removed or renamed the stats.php file, which makes sense after looking at the htaccess file.

bobocat · 2012-01-09 01:51:48 UTC

ah, then yes, cut out that whole block. it redirects every request, other than the extensions in the middle line, to your stats.php file. The modification date on that file and your .htaccess file might help you identify the attack in the logs if you want to investigate.

TaddPeake · 2012-01-09 02:17:13 UTC

By whole block, do you mean these two lines:

RewriteCond %{REQUEST_FILENAME} !stats.php
RewriteRule ^(.*) /stats.php [L,NS]

Or do you mean the whole thing I posted above?

Thanks, again, bobcat. [hr]
One more question: is there any chance that they could insert executable code in JPEG or HTML files?

bobocat · 2012-01-09 04:04:39 UTC

You don’t need any code from that block.
Yes it’s possible to insert JavaScript in HTML files.
I can’t remember if JPEG is safe or not. There are some formats which can technically be injected with Java applets. Check the modification dates and get rid of anything that seems suspicious.

TaddPeake · 2012-01-09 04:26:32 UTC

I’ll be very careful. I have local backups of almost everything.

Thank you, bobocat. Have a great night.

Andrew_F · 2012-01-09 07:14:09 UTC

The whole section with the reference to stats.php, from “Auto-generated .htaccess file start” to the matching “end”, is part of the hack. Remove it all.