My sites .htaccess file was hacked, how?

garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: My sites .htaccess file was hacked, how?

Post by garvinhicking »

Hi!

What do you mean by "are coming in on"? In which regard do these URLs matter?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
justgetthere
Regular
Posts: 20
Joined: Tue May 19, 2009 3:21 pm

Re: My sites .htaccess file was hacked, how?

Post by justgetthere »

Meaning these are the links the spam IPs are visiting the site with.
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: My sites .htaccess file was hacked, how?

Post by garvinhicking »

Hi!

Hm, okay, but such a URL alone would not trigger any hack - it might simply be the IPs of persons that dump spam comments on your blog entries?

Regards,
Garvin
Brendon K
Regular
Posts: 44
Joined: Thu Feb 23, 2006 10:35 pm
Location: Saratoga Springs, NY, USA

Re: My sites .htaccess file was hacked, how?

Post by Brendon K »

Hi, I realize I'm bumping a very old topic, but I thought I'd post back somewhere to say that my s9y blog somehow managed to get hacked. I've had way too many hits in my log to be able to verify where the initial hack vector came from (Russia, Vietnam, Poland, Czech, etc.), though all seem to be taking advantage of it.

Although it seems to be a similar hack to the XSS hack of the comments.php issue with v0.7 Beta 3 (was getting tons of trackback spam until I manually disabled it), it's much more thorough as there was file access on the server with modified templates, the admin interface was modified, and folders had modified CHMOD settings.

I will take partial blame as I did leave one of my template directories with a 775 chmod which might have assisted in the attack vector.

Unfortunately there's little way for me to find the hole itself, and I can only hope that they did not insert some sort of code in the SQL to prevent an upgrade from clearing the entire hack from the system. This post is little more than a user wanting to make others aware of a very slim possibility of a known hack for an older version of the blog system. As is always recommended, staying up-to-date is always the best solution, along with common server security. :)
They say, "Practice makes perfect," yet they also say, "Nobody's perfect." I don't get it.
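As an added example (not code from any post in this thread or from the s9y project), here is a small POSIX shell audit a defender could run over a webroot after an incident like the one described above: it lists directories that are group- or world-writable (the 775 template directory case) and .htaccess or template files modified within the last few days. Paths and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# audit_webroot ROOT [DAYS]: print findings, one per line.
#   WRITABLE_DIR <path>  - directory writable by group or others (775/777 etc.)
#   RECENT_FILE  <path>  - .htaccess or file under a templates/ dir modified
#                          within DAYS days (default 7)
audit_webroot() {
  root="$1"
  days="${2:-7}"
  # -perm -020: group-write bit set; -perm -002: other-write bit set
  find "$root" -type d \( -perm -020 -o -perm -002 \) -print \
    | sed 's/^/WRITABLE_DIR /'
  # Web server config and theme files are what the thread reports as tampered with
  find "$root" -type f \( -name .htaccess -o -path '*/templates/*' \) \
    -mtime "-$days" -print | sed 's/^/RECENT_FILE /'
}

# audit_count ROOT [DAYS]: number of findings, handy for alerting thresholds.
audit_count() {
  audit_webroot "$1" "$2" | wc -l | tr -d ' '
}

# make_sample: build a constructed webroot (not real data) that reproduces the
# symptoms: one 775 template directory, a fresh .htaccess and a fresh template.
# Permissions are set explicitly so the result does not depend on the umask.
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/templates/default" "$dir/uploads"
  chmod 755 "$dir" "$dir/templates" "$dir/uploads"
  chmod 775 "$dir/templates/default"          # the risky directory
  printf 'RewriteEngine On\n' > "$dir/.htaccess"
  printf '<html></html>\n' > "$dir/templates/default/index.tpl"
  echo "$dir"
}

# Stand-alone run: audit the constructed sample tree and clean it up.
sample=$(make_sample)
audit_webroot "$sample" 7
rm -rf "$sample"
```

On a real install, run `audit_webroot /path/to/blog` and compare any RECENT_FILE hit against a clean copy of the same s9y release before deciding whether it was modified legitimately.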
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: My sites .htaccess file was hacked, how?

Post by garvinhicking »

Hi!

Which s9y version were you running? Some previous versions did contain some holes.

Also, there are many trojans around that sniff your FTP logins and then deploy malicious code on your sites, circumventing application access and relying simply on FTP.

Regards,
Garvin
Brendon K
Regular
Posts: 44
Joined: Thu Feb 23, 2006 10:35 pm
Location: Saratoga Springs, NY, USA

Re: My sites .htaccess file was hacked, how?

Post by Brendon K »

The last time I upgraded it was version 1.4 (not 1.4.1 or later). I've temporarily run a complete reinstall using the same database (so, fresh file install, database upgrade) to the latest version. Now I'm just dealing with comment spam (which is thankfully being caught by the Akismet plugin) and no more trackback attacks. Whatever seems to have been taken advantage of looks like it has now been closed, but I'll be keeping an eye on it for some time to come.

Although I typically use SFTP, I had recently been using standard FTP due to an application incompatibility with the server. This may have been the issue, but no other sites on the same account had any issue, or were showing any massive HTTP traffic from the logs. I will be sure to change the password and switch to SFTP regardless. Thank you for the reminder. :)