Thread: htaccess hacked

  1. #1

    htaccess hacked

    Hey guys,

    In the last week, I've had 4 of my accounts hacked, or BlueHost's servers are infected. I can't tell which.

    Keep an eye on your htaccess files in the root and public_html folders for editing. 4 separate accounts had issues so far, 12 different websites.

    The htaccess file gets redirect code added to the end of the file... Sneaky though, you have to scroll way down and way to the right to see it. This access file allows editing of EVERY PHP file on the server to add some sort of cookie. The hacked PHP files will have a long string of code at the top (way to the right of the <?php code reference). It starts off with "global $sessdt_o".

    You can tell a file has been hacked by looking at the date. Mine all started on 11-8-2011.

    Simply editing the htaccess file won't work. It will change back almost instantly. There is some rogue code somewhere on the server that we can't see. I had to have BlueHost restore my ENTIRE account from a month ago, including SQL. At first this didn't fix it. Then another ticket asking for server logs and explaining in detail what was going on, and miraculously the rewrite went away "by itself". Not sure if the techs found something and deleted it or not. They will not reply to my emails.

    I don't believe it was outdated code on my site. 1 of the accounts only had static sites with no PHP just html, and the htaccess was still edited.

    So please, update your scripts, look over your files for recent changes, and for our sake... Check your htaccess files for editing.


    Two places online that had exactly the hack that's going on...

    http://stackoverflow.com/questions/8...-php-code-does

    http://wpquestions.com/question/show/id/3341


    Has anyone here seen this before?
    Thanks,
    Doug
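A defender-side check for the indicators Doug describes, added here as an example (it is not his code and not anything from BlueHost): it walks a web root and flags .htaccess files whose last directive is hidden below a run of blank lines or behind a wall of spaces, or that redirect to an external URL, and PHP files whose first line carries the quoted "global $sessdt_o" string or is implausibly long. The thresholds, the sample files it writes to a temporary directory, and the redirect host are all constructed assumptions; the only value taken from the post is the marker string and the 2011-11-08 date in the usage comment.

```python
import os
import re
import tempfile
import time

# The only concrete indicator quoted in the thread; everything else is an assumed threshold.
INJECTED_MARKER = "global $sessdt_o"
MAX_SANE_LINE = 300          # a directive or <?php line longer than this is suspect
MAX_LEADING_SPACES = 40      # rule hidden "way to the right"
MAX_TRAILING_BLANKS = 20     # rule hidden "way down"
EXTERNAL_REDIRECT = re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I)


def check_htaccess(text):
    """Return the reasons an .htaccess body looks tampered with (empty list if none)."""
    reasons = []
    lines = text.split("\n")
    nonblank = [i for i, line in enumerate(lines) if line.strip()]
    if len(nonblank) > 1:
        last, prev = nonblank[-1], nonblank[-2]
        blank_run = last - prev - 1
        if blank_run >= MAX_TRAILING_BLANKS:
            reasons.append(f"line {last + 1}: directive sits below {blank_run} blank lines")
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" \t"))
        if indent >= MAX_LEADING_SPACES:
            reasons.append(f"line {n}: directive hidden behind {indent} leading spaces")
        if len(line) > MAX_SANE_LINE:
            reasons.append(f"line {n}: {len(line)}-character line")
        if EXTERNAL_REDIRECT.search(line):
            reasons.append(f"line {n}: redirect to an external URL (review it)")
    return reasons


def check_php(text):
    """Return the reasons a PHP file's first line looks injected (empty list if none)."""
    first = text.split("\n", 1)[0]
    if INJECTED_MARKER in first:
        return [f"first line carries the '{INJECTED_MARKER}' block"]
    if len(first) > MAX_SANE_LINE:
        return [f"{len(first)}-character first line"]
    return []


def scan_tree(root, since=0.0):
    """Walk root and return [(relative path, reasons, mtime)] for every .htaccess or
    .php file modified at or after `since` (epoch seconds) that trips a check."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            mtime = os.path.getmtime(full)
            if mtime < since:
                continue
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = check_htaccess(text) if name == ".htaccess" else check_php(text)
            if reasons:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reasons, mtime))
    return sorted(findings, key=lambda f: f[0])


def build_sample_tree():
    """Constructed sample web root (not real data): two clean files, two tampered ones."""
    root = tempfile.mkdtemp(prefix="htscan_")
    web = os.path.join(root, "public_html")
    os.makedirs(os.path.join(web, "static"))
    clean_ht = "RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n"
    # Tampered copy: the redirect sits below 30 blank lines and behind 60 spaces.
    hidden = "\n" * 30 + " " * 60 + "RewriteRule .* http://redirect.invalid/ [R,L]\n"
    clean_php = "<?php\necho 'hello';\n"
    tampered_php = "<?php " + " " * 120 + "global $sessdt_o; /* injected */\necho 'hello';\n"
    samples = {
        os.path.join(web, ".htaccess"): clean_ht + hidden,
        os.path.join(web, "static", ".htaccess"): clean_ht,
        os.path.join(web, "index.php"): clean_php,
        os.path.join(web, "header.php"): tampered_php,
    }
    for path, body in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    # Real use: scan_tree("/home/account", since=time.mktime(time.strptime("2011-11-08", "%Y-%m-%d")))
    for rel, reasons, mtime in scan_tree(root):
        print(rel, time.strftime("%Y-%m-%d", time.localtime(mtime)))
        for reason in reasons:
            print("   ", reason)
```

The external-redirect check will also list legitimate canonical-host redirects, so treat it as a review queue rather than a verdict; the mtime filter is what narrows the queue to files touched since the date the tampering began.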

  2. #2
    Join Date
    Apr 2008
    Location
    Chasing the Holy Grail - Pacific Northwest
    Posts
    1,312

    The hack you are referring to is a well known flaw in the ajax of tinyMCE. I know that Zenphoto went through a series of security updates recently to get rid of the holes in their code. It had been mentioned elsewhere that the same flaw existed in other CMSs.

    This shows the importance of keeping up to date with these packages, and also keeping your own backups on your local computer if needed.

    I'm sorry to hear that this happened to you, but the Bluehost servers themselves are secure and not infected. It's scripts. And users' computers. And a lack of safety standards such as SFTP instead of the insecure FTP.

    Here's a thread that we reference to everyone that gets hacked --> http://www.bluehostforum.com/showthr...at-should-I-do
    In the Hyperion universe, a farcaster is an instantaneous transportation device.
    Experience: The thing you get just after you need it.

  3. #3

    Actually Farcaster, that makes perfect sense. I have tinyMCE and/or Zenphoto on almost every one of my sites. That would explain the widespread infection. Do you know the name of the code that actually executes on the server to change files?

  4. #4

    I too have had many sites hacked - some WordPress, some not. At one point the hackers got into my personal computer and I had to wipe it clean. It's clean now and my passwords are now 12+ characters, but things still happen. It's a big learning curve and keeping a local backup is an absolute necessity. I would love to see a step by step checklist to verify optimal security of my sites - if anyone has that... be great

  5. #5
    Join Date
    Sep 2011
    Posts
    3

    Quote Originally Posted by ack:
    I too have had many sites hacked - some WordPress, some not.
    At one point the hackers got into my personal computer and I had to wipe it clean. It's clean now and my passwords are now 12+ characters, but things still happen. It's a big learning curve and keeping a local backup is an absolute necessity. I would love to see a step by step checklist to verify optimal security of my sites - if anyone has that... be great
    By the time the replied message was posted, WordPress was a target of attacks.

    Attacks on .htaccess files have been reported here and they can easily be avoided by using Apache directives themselves. The .htaccess engine is extremely powerful and should be well known and intensively used by sysadmins. The "trick" below was retrieved from an internet page many years ago.

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    Except for some apache flaw, nobody will hack this .htaccess file!

    One I developed to avoid attacks to an old and already fixed phpbb vulnerability:

    ######
    # Below, remember to have only one RewriteRule commented out
    ######
    RewriteCond %{QUERY_STRING} phpbb_root_path=http(.*) [NC]
    ## the first rule points the attacker to the home page
    #RewriteRule .* http://%{HTTP_HOST}/ [R=301,L]
    ## the second, to the forbidden message page
    RewriteRule .* - [F,NS,L]

    The above RewriteCond can be added to the useful list below, provided along with a default Drupal setup with cPanel.

    # Block out any script trying to base64_encode data within the URL.
    RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
    # Block out any script that includes a <script> tag in URL.
    RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # Block out any script trying to modify a _REQUEST variable via URL.
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # Return 403 Forbidden header and show the content of the root homepage
    RewriteRule .* index.php [F]

    Although phpbb has been fixed, such attacks are still common and we never know when a new vulnerability will be uncovered first by the "bad guys". So, I never remove defenses even after the fixes.

    One should always remember: hacking people know php and sql better than their mother language, they talk and dream sql.

    Best wishes.

    Alexandre
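An offline harness for the RewriteCond block-list quoted in this post, added here as an example (it is not Alexandre's code and not part of Drupal's or cPanel's .htaccess): it carries the five patterns over to Python regular expressions, maps the [NC] flag to case-insensitive matching and the [OR] chain to "refuse if any pattern matches", and runs constructed query strings through them the way mod_rewrite tests %{QUERY_STRING}, that is against the raw, still percent-encoded string. The sample queries, the example.invalid host and the report format are constructed for the demonstration.

```python
import re

# Patterns copied from the post's RewriteCond lines; [NC] becomes re.IGNORECASE.
# mod_rewrite chains them with [OR], so a request is refused when any one matches.
QUERY_RULES = [
    (r"phpbb_root_path=http(.*)", True),            # the poster's own phpBB rule
    (r"base64_encode[^(]*\([^)]*\)", False),
    (r"(<|%3C)([^s]*s)+cript.*(>|%3E)", True),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", False),
]
COMPILED = [(re.compile(pat, re.IGNORECASE if nc else 0), pat) for pat, nc in QUERY_RULES]


def matching_rule(query_string):
    """First pattern that matches the raw (still percent-encoded) query string, or None.
    mod_rewrite tests %{QUERY_STRING} undecoded, so the harness does not unquote either."""
    for rx, source in COMPILED:
        if rx.search(query_string):
            return source
    return None


def blocked(query_string):
    """True when mod_rewrite would hand the request to the [F] rule."""
    return matching_rule(query_string) is not None


# Constructed sample query strings, not captured traffic.
SAMPLE_QUERIES = [
    "id=42&page=2",                               # ordinary request
    "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",      # percent-encoded <script>...</script>
    "GLOBALS[cfg]=1",                             # register_globals-style override
    "_REQUEST%5Bfoo%5D=1",                        # percent-encoded _REQUEST[foo]
    "data=base64_encode(abc)",
    "PHPBB_ROOT_PATH=HTTP://example.invalid/",    # case folding supplied by [NC]
    "q=%253Cscript%253E",                         # double-encoded: not matched
    "msg=set GLOBALS=off in php.ini",             # benign text, still refused
]


def report(queries=SAMPLE_QUERIES):
    """[(query, 'refused' | 'allowed', matching pattern or None)] for each query."""
    return [(q, "refused" if blocked(q) else "allowed", matching_rule(q)) for q in queries]


if __name__ == "__main__":
    for q, verdict, pat in report():
        print(f"{verdict:8} {q}" + (f"   <- {pat}" if pat else ""))
```

Two of the sample rows show the limits of this kind of list: a double-encoded payload is not matched because the patterns see the raw query string, and an innocent sentence containing "GLOBALS=" is refused, so expect both misses and false positives and keep the patched application as the real fix, as the post itself says. Two further caveats a reader applying the post's snippets today should know: with the [F] flag the substitution in RewriteRule .* index.php [F] is ignored, so Apache returns its normal 403 error document rather than the homepage; and the order allow,deny / deny from all lines in the <Files .htaccess> block are Apache 2.2 syntax, which on Apache 2.4 needs mod_access_compat or the equivalent Require all denied. That block only controls what HTTP clients may fetch; a script running under the same account can still write the file, which is the scenario in the first post, so it complements file-permission and integrity checks rather than replacing them.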

  6. #6

    After keeping EVERYTHING up to date, the entire account got hacked AGAIN today. WTF is going on with BlueHost security?? And don't blame it on outdated software or what have you. I totally got rid of the suspect code, and keep everything up to date.

    Now I get to fix 12 more sites.
