My site is currently down due to a .htaccess hack that occurred yesterday. The site displays a Internal Sever error 500. I though it was a problem with my host server, turns out my .htaccess file was accessed yesterday afternoon according to timestamp. No one had access so according to some reading on the web it could be due to a bot or virus.
Me and my tech friend who helped me with the site are working on the fix. I didn't know about this type of hack, seems like it's been happening lately.
Do any of you guys have any knowledge about this and how it is done, and tips to prevent it.
My site is back up, we just reloaded the backup .htaccess file. From what I read online it has happened to a lot of WP blogs and now a S9y so be careful out there.
If you know the timestamp, when it happend, than you could check the logs of your webserver. If there is nothing unusual, than maybe your pc got infected and changed it without your knowladge.
Could be one of those trojans that hijacked your FTP account and use it to upload malicious code.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Arghh I've been hit again, this is after my password was changed. Have a hacker friend looking at my setup. Any advice for more security would be helpful
Which password did you change? All the FTP credentials AND all the s9y admin account passwords?
Check your webspace for any scripts you did not upload there, and most importantly, do a full antivirus scan on all PCs that have FTP access to your site. Most probably a keylogger/virus is active on your client (not the server).
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I changed all my passwords after the 1st attempt and had no PC's or users hooked up for FTP access but me. I hadn't changed or uploaded anything to the server in months. After reading more about it on the Apache forums I found a post that makes sense of the attack and how to prevent it. It worked for the people that were experiencing it. there problems were exactly like mine and they had changed their passwords and removed different codes, deleted things but it still came back.
Basically it is a an "injection hack" exploiting PHP global variables and inserting the URL of the code they run remotely into the URL that gives control of the program on your server.
This is the fix they suggested and we have implemented it. They have attacked 2 days in a row so I will see if they can break through today.
-------------------------------------------------------------------------------
In your php.ini file (if you don't have this make a plain text file called this) insert the code:
allow_url_fopen = Off
This prevents people from passing remote URLs through your site.
I also decided to go ahead and add the following settings to php.ini to prevent the hackers from getting any additional information:
allow_url_fopen = Off
register_globals = Off
display_errors = Off
expose_php = Off
log_errors = On
Also make sure that you add this to your .htaccess file so people can't see your php.ini settings:
<Files php.ini>
order allow,deny
deny from all
</Files>
Also make sure to remove the code that is inserted into all of your .css and .js files on the server! In addition there should be a few .php files that the hackers probably put on your server as well which will allow them to regain entry into your site if you don't remove them. Just look at your access logs for any POST commands and see where the files are located. So #1 make sure to create a php.ini file with the settings above and #2 clean up all your files and remove any malicious code from your .js and .css files as well as any additional .php files that shouldn't be there. That's it! Problem solved. So far no hacking for over a week since I did this.
That would only apply if you run PHP code that is vulnerable to PHP code injection. The current s9y stable release 1.4.1 has no such holes (at least no known ones), so the chance that it's s9y code is pretty low.
You could check your apache's accessLogfiles and look up the time where your .htaccess file was modified to see which HTTP requests had been made at that time. Also check your other PHP applications on the same server.
Also, the server could globally be compromised, you might want to ask your hoster if other customers experience your issues currently.
HTH,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I will check out you suggestions Gavin, thanks. My tech support friend implemented some fixes and extra security on our php files and such.
We were up about 6 hours and then brought down by a different hack. The homepage loads up, but now the actual links to the article don't work and get a 404 error. So this is different it seems, they can't takeover the homepage but now taking down the links. This also makes me think it's a deliberate attack to keep my site down.
We were working late last night, waiting for my friend to get up and take a look at this.
Links producing 404 errors might be due to mod_rewrite getting disabled through .htaccess, because s9y relies on it to use "Pretty URLs", when you enabled that.
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Been up for 2 full days since we implemented the fixes we found online. I do have questions about another issue regards to spammer IP's from China coming in on url links that lead to our .css serendipity file or plugins. Example http://websitename.com/.css_serendipty. Don't know how that's possible or how to stop it. The IP's have been flagged by several sites as a malicious spam bot or content scavenger.
I would like to talk about this with garvin in PM when you're available.
We can discuss this here openly, this is best so that others can give feedback too. I don't really understand with those links that you mean. Can you give a real example?
Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I was just nervous about putting this out on the net since I wasn't sure if this could be used to gain access and exploit to my site someway. Don't understand how these urls were found and why a spam bot is coming in on these links then the homepage all in the same timestamp
We have been up since my last post, since we were continuously being hacked 3 days in a row . Here are these links that known spambots from China are coming in on.
