Textpattern CMS support forum
htaccess attack
I discovered a few hours ago that anything other than the homepage of my websites had disappeared and been replaced with this message.
Not Found
The requested URL /huts was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache Server at www.tramping.net.nz Port 80
When I had a look at my htaccess file I found it had been replaced with this; I certainly haven’t touched it.
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ demarcate-densities.php?$1 [L]
I replaced that with the proper htaccess file and now all websites are working perfectly once again.
What is happening here and how can I stop it happening again?
#2 2015-04-30 05:01:02
- gomedia
- Plugin Author
- Registered: 2008-06-01
- Posts: 1,373
Re: htaccess attack
To start with, you should change your FTP password – in case that is how they got in. Your hosting provider might be able to shed some light on what happened (if they look in their logs).
Re: htaccess attack
There are upwards of 1200 other sites on your shared server – it’s likely something among them was compromised or your login details were compromised. Recommend contacting the host to see who else (if anyone) is reporting a breach.
+1 for what gomedia says – change your password. Check your FTP logs, if you can do such a thing.
Re: htaccess attack
PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.
Last edited by gaekwad (2015-04-30 09:29:58)
Re: htaccess attack
gaekwad wrote #290301:
PS: does that demarcate-densities.php file exist in the root of your server? It looks like a dictionary-generated filename.
Yeah, thanks for pointing that out.
Should I get rid of it?
Re: htaccess attack
Two schools of thought here: if you want to know what it does, take a copy and examine it (safely) offline. You may find some background info by searching for the text strings in a search engine. If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern. I suspect your hosting company will just want to resume normal service and not actively investigate the breach.
Re: htaccess attack
gaekwad wrote #290305:
If you just want to get your site back to full operation, delete it – it’s nothing to do with Textpattern.
I’ll have a look but it does seem to be minified.
Thanks for that advice. It’s taken 5 years on that server for someone to crack it.
Re: htaccess attack
I’ve just been looking at other stray code.
There’s a file that’s called ghmftsng.php which is just a whole heap of mumbo jumbo like:
$incontrollable= 'c';$crossers = 'V';
$dull = 'U:duaHnp)'; $biennial = 'e';
and also something called googlede437a8d2bdea8d3.html which I don’t really want to look at.
I guess these should go as well.
Re: htaccess attack
Rebuild from a clean Textpattern instance, if that’s viable. Off the top of my head:
- backup your database
- audit and backup your images and files directories
- snag your textpattern/config.php for your database details
- backup any external (non-Textpattern) stuff you’re using, like stylesheets etc
- nuke the files on your site
- reinstall Textpattern, changing your login password in the process
- import your old database
- upload files and images
Last edited by gaekwad (2015-04-30 12:16:41)
Re: htaccess attack
detail wrote #290307:
and also something called
googlede437a8d2bdea8d3.html...
This could be a google webmaster site verification file. They often look something like that. If you open it in a normal code editor, you’ll see google-site-verification: googlede437a8d2bdea8d3.html or something along those lines.
You can use unminify to unminify the other code.
TXP Builders – finely-crafted code, design and txp
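The replaced .htaccess quoted in the first post only rewrites requests whose User-Agent or Referer names a search engine, which is why the homepage still loaded for the site owner while inner pages broke. The following is an added example, not part of the thread or of Textpattern: a small audit that flags any RewriteRule gated on those conditions so a restored site can be re-checked later. The function name, the sample inputs and the choice to ignore rules whose target is `-` are assumptions of this example.

```python
import re
import sys

# Constructed sample: the replaced .htaccess quoted in the first post.
SAMPLE_INFECTED = """\
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ demarcate-densities.php?$1 [L]
"""
# Constructed sample: generic front-controller rules plus a bot block.
SAMPLE_CLEAN = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} bingbot
RewriteRule ^private/ - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [L]
"""

VISITOR_VAR = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
ENGINES = re.compile(r"google|yahoo|msn|aol|bing", re.I)  # names from the post

def find_cloaking_rules(text):
    """Report RewriteRules that serve different content to search-engine traffic."""
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule":
            gated = [var for var, pat in pending
                     if VISITOR_VAR.search(var) and ENGINES.search(pat)]
            target = parts[2] if len(parts) >= 3 else "-"
            # "-" means no substitution (e.g. a bot block), so it is not cloaking.
            if gated and target != "-":
                findings.append({"line": lineno, "conditions": gated,
                                 "target": target.split("?")[0]})
            pending = []  # conditions apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. every .htaccess under the web root
        with open(path, encoding="utf-8", errors="replace") as fh:
            for hit in find_cloaking_rules(fh.read()):
                print(f"{path}:{hit['line']}: {hit['conditions']} -> {hit['target']}")
```

A hit is a prompt to inspect the rule and the file it points at, not proof of compromise; patterns containing quoted spaces are not handled by the simple whitespace split.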