Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2015-04-30 02:06:52

detail
Member
From: geez, I seem to be in NZ
Registered: 2010-07-13
Posts: 177
Website

htaccess attack

I’ve discovered a few hours ago that anything other than the homepage of my websites had disappeared and were replaced with this message.

Not Found

The requested URL /huts was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Apache Server at www.tramping.net.nz Port 80 

When I had a look at my htaccess file I found it had been replaced with this, I certainly haven’t touched this.

RewriteEngine On

RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ demarcate-densities.php?$1 [L]

I replaced that with the proper htaccess file and now all websites are working perfectly once again.

What is happening here and how can I stop it happening again?

Offline

#2 2015-04-30 05:01:02

gomedia
Plugin Author
Registered: 2008-06-01
Posts: 1,373

Re: htaccess attack

To start with, you should change your FTP password – in case that is how they got in. Your hosting provider might be able to shed some light on what happened (if they look in their logs).

Offline

#3 2015-04-30 09:28:27

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: htaccess attack

There are upwards of 1200 other sites on your shared server – it’s likely something among them was compromised or your login details were compromised. Recommend contacting the host to see who else (if anyone) is reporting a breach.

+1 for what gomedia says – change your password. Check your FTP logs, if you can do such a thing.

Offline

#4 2015-04-30 09:29:30

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: htaccess attack

PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.

Last edited by gaekwad (2015-04-30 09:29:58)

Offline

#5 2015-04-30 10:38:48

detail
Member
From: geez, I seem to be in NZ
Registered: 2010-07-13
Posts: 177
Website

Re: htaccess attack

gaekwad wrote #290301:

PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.

Yeah, thanks for pointing that out.

Should get rid of it?

Offline

#6 2015-04-30 10:42:12

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: htaccess attack

Two schools of thought here: if you want to know what it does, take a copy and examine it (safely) offline. You may find some background info by searching for the text strings in a search engine. If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern. I suspect your hosting company will just want to resume normal service and not actively investigate the breach.

Offline

#7 2015-04-30 10:46:22

detail
Member
From: geez, I seem to be in NZ
Registered: 2010-07-13
Posts: 177
Website

Re: htaccess attack

gaekwad wrote #290305:

If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern.

I’ll have a look but it does seem to be minified.

Thanks for that advice. It’s taken 5 years on that server for someone to crack it.

Offline

#8 2015-04-30 11:01:57

detail
Member
From: geez, I seem to be in NZ
Registered: 2010-07-13
Posts: 177
Website

Re: htaccess attack

I’ve just been looking at other stray code.

There’s a file that’s called

ghmftsng.php

which is just a whole heap of mumbo jumbo like:

$incontrollable= 'c';$crossers = 'V';
$dull = 'U:duaHnp)'; $biennial = 'e';

and also something called

googlede437 a8d2bdea8d3.html

which I don’t really want to look at.

I guess these should go as well.

Offline

#9 2015-04-30 11:46:46

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,260
GitHub

Re: htaccess attack

Rebuild from a clean Textpattern instance, if that’s viable. Off the top of my head:

  • backup your database
  • audit and backup your images and files directories
  • snag your textpattern/config.php for your database details
  • backup any external (non-Textpattern) stuff you’re using, like stylesheets etc
  • nuke the files on your site
  • reinstall Textpattern, changing your login password in the process
  • import your old database
  • upload files and images

Last edited by gaekwad (2015-04-30 12:16:41)

Offline

#10 2015-04-30 11:52:18

jakob
Admin
From: Germany
Registered: 2005-01-20
Posts: 4,726
Website

Re: htaccess attack

detail wrote #290307:

and also something called

googlede437a8d2bdea8d3.html...

This could be a google webmaster site verification file. They often look something like that. If you open it in a normal code editor, you’ll see google-site-verification: googlede437a8d2bdea8d3.html or something along those lines.

You can use unminify to unminify the other code.


TXP Builders – finely-crafted code, design and txp

Offline

Board footer

Powered by FluxBB