.htaccess deleting it self

[daydie]

whats going on with my forums my .htaccess is deleting it self.

Some1 hacked my FTP and changed my forum directory to /TriiX, I Noticed, change FTP password and fixed, now i put .htaccess, 20min later its gone from my FTP.

How is this possible? please help i think its deleting it self.

[HMBeaty]

Have you changed all of your passwords? Server? FTP? etc?

[daydie]

just changed Godaddy account pass, so that and FTP are now "safe" im not sure how they gained access in first place.

hopefully it wont delete now >.< (Also changed forum admin password)

Is it common for only .htaccess to delete it self?

[HMBeaty]

Quote:

Originally Posted by daydie

just changed Godaddy account pass, so that and FTP are now "safe" im not sure how they gained access in first place.

hopefully it wont delete now >.< (Also changed forum admin password)

Is it common for only .htaccess to delete it self?

No.

[nhawk]

It looks like you'll need to upload the original index.php file for vBulletin again. And make sure there is no other index file in the main site folder.

The one that's there could very well be deleting the file.

[Lynne]

Are you sure you don't have your ftp client set to not show invisible files? If you can't see invisible files, you won't be able to see your .htaccess file. Also, does godaddy allow you to have .htaccess files?

[daydie]

yeah, my site been working fine now. must of been some1 accessing my godaddy account on the web. thanks anyways guys aprichate it

--------------- Added [DATE]1313046735[/DATE] at [TIME]1313046735[/TIME] ---------------

Just saw my index file and it has this:

<html>

<head>

<!--

Well done for being able to read the source code.



MSN - root@unloyal.co.uk

Email - im@purv.org



~~ TriiX

-->

<style type="text/css">

body {

background-image: url(http://www.purv.org/deface.jpeg);

color: white;

}



h1 {

color: red;

}

</style>

<SCRIPT LANGUAGE="JavaScript">

var text=" [root@secureserver]~ cat message.txt<br> \

Good evening, David.<br> \

You're on a secure host? Uh-oh, I don't think so!<br> \

The index is the only page I have touched, nothing else.<br>Consider this a warning<br> \

If you can't secure a forum, then don't run one.<HR> \

Want help to secure it? Via being a techy or a host? Alternately, want to cry?<br> \

<b>MSN - root@unloyal.co.uk<br>Email - im@purv.org</b> \

I'll be waiting to hear from you.<br><br> \

Much love<br> \

TriiX \

<br><br><br> \

[root@secureserver]~ logout";

var delay=50;

var currentChar=1;

var destination="[none]";

function type()

{

//if (document.all)

{

var dest=document.getElementById(destination);

if (dest)// && dest.innerHTML)

{

dest.innerHTML=text.substr(0, currentChar)+"_";

currentChar++;

if (currentChar>text.length)

{

currentChar=1;

setTimeout("type()", 9000);

}

else

{

setTimeout("type()", delay);

}

}

}

}



function startTyping(textParam, delayParam, destinationParam)

{

text=textParam;

delay=delayParam;

currentChar=1;

destination=destinationParam;

type();

}

</SCRIPT>

<title>GreeTz</title>

</head>

<body>

<div align="center">

<iframe width="1" height="0" src="http://www.youtube.com/embed/zOopudSHS0c?autoplay=1" frameborder="0" allowfullscreen></iframe>

<h1><b>Hacked by TriiX</b></h1><br>

<DIV ID="txt">

<SCRIPT LANGUAGE="JavaScript">

javascript:startTyping(text, 50, "txt");

</SCRIPT>

</div>

</div>

</body>

</html>

--------------- Added [DATE]1313046839[/DATE] at [TIME]1313046839[/TIME] ---------------

How the hell has he done this?

Is Vbulletin secure? i have the latest and latest patch, Is it v bulletin or GoDaddy that is vulnerable?

Is their any way he can change index source without accessing FTP?
Also Is it possible he can access config somehow to see data to get password? im kind of worried now. If my forum grows and this happends im ++++ed. =/

[nhawk]

It's GoDaddy not vB.

I had something similar happen a couple of years back with another type of site. The site ran fine for nearly 8 years on a dedicated server, but due to the economy the owner decided to move the site to GoDaddy to save money. Within one month of the move the site was hacked in a similar manner. It was not hacked with FTP, or by obtaining any of the site passwords. It was hacked directly from root access to the server. The site was immediately moved back to a dedicated server under my control and the site has never been hacked since.

Despite what they say, in my opinion GoDaddy does not secure their servers very well. That's entirely my opinion and not intended to bash them.

But keep in mind whether on a dedicated server or a shared server, security is always the responsibility of the site owner not the provider.

[daydie]

never, how can i prevent this?

Your exactly rite, im speaking to the hacker but he wont tell me know. He said something about Shell i dunno.

I really need to stop this. He can do ANYTHING he wants.

--------------- Added [DATE]1313065567[/DATE] at [TIME]1313065567[/TIME] ---------------

i think its because its shared, he said any site in shared hosting on my account, can lead to ssh exploit or something and can access all files on that server and databases

balls. i dunno wot to do.

[setishock]

You need to find another host like PDQ. Quit playing with them.