.htaccess changed by hacker daily
-
-
- Tango7
- Rocketeer
- Posts: 51
- Thanks: 0
-
I have noticed recently that my .htaccess files is being changed every few hours.
a snippet of code is addedd to the top of the .htaccess file and looks like this:
# BEGIN SYSTEM API
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} !myclearcode$ [NC]
RewriteRule ^reo/(.*s)$ packages/admiin.php?$1 [L]
# END SYSTEM API
What happens is that it adds articles to my site about dating and webcams etc. The articles are not listed in my articles section so they are being added on the fly and I only know they are there if I do a google search for "site:bangkoktouristguide.com"
If I remove the snippet above, then all links to the added articles return a 404 error code.
The packages/admiin.php file is obviously malware as it's full of scrambled code so I've renamed it admiin.php_old for now to see if that resolves the issue but this probably won't stop the .htaccess file from being changed.
What I can't figure out is how to stop this code from being injected every day or every few hours etc
Anyone know about RSFirewall ? Is that any good and worth the money ?
Anyhelp is much appreciated
-
-
-
- David Goode
- Preeminent Rocketeer
- Posts: 17058
- Thanks: 890
- Web Designer and Host
-
Hi there,
Until you cleanse your site of ALL malicious code you will have problems. RS Firewall and Admin Tools are both good products but only if you have a clean site to start with.
Golden Rules are...
- Use a reliable host with up to date software, mod_security, and running maldet scans
- Once a new site is created take a backup.
- Install a security firewall - my preferred option is Admin Tools from Akeeba
- Use a monitoring system such as watchful.li
- Keep everything up to date
Item 4 is good because the better extension developers allow their extensions to be monitored for latest versions and daily scans from watchful.li let you know if any updates are required. It also monitors files for changes and will email you if changes are detected. This usually means if a hacker has gotten in then you can determine date and time and look for file changes around that period. This often helps to identify back doors left in place for reinfection if you delete the core hack.
Hope this helps
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information
-
-
-
- Barkley
- Hero Rocketeer
- Posts: 253
- Thanks: 0
-
The best thing I have found to use is sucuri.net (To be clear I do not work for them but I do use their product). First of all they will clean your site and then set up a realtime firewall that will protect your site from these types of attacks. Very reasonable price in my opinion especially for the protection and service they provide.
Hope this helps and good luck! - Visit our pet magazine at www.barkleyandpaws.com
-
-
-
- David Goode
- Preeminent Rocketeer
- Posts: 17058
- Thanks: 890
- Web Designer and Host
-
Hello all,
Please be aware that ALL of these security options are only as good as the last known virus string. As something new comes along none of them can guarantee protection.
Sucuri is a good system but it is fallible. I have used it before and it has missed some malicious code purely because it was an infected gif file. Watchful.li have a link to sucuri for malware scans as part of their package.
Hope this helps
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information
-
-
-
- Empowermom
- Hero Rocketeer
- Posts: 476
- Thanks: 32
-
I've been following this post but have been hesitant to reply because I know just enough about the .htaccess file to be dangerous. I definitely shouldn't comment on coding it without alot of reading and research. This is, by no means, a definitive answer but rather an observation.
Logically speaking, I don't see how any file can rewrite your ".htaccess" file if it has the proper file permissions set so I'd check that first.
One misplaced character or misspelled word in your code can screw up an entire site. The last line of code could be the culprit. It mentions the file "admiin.php" (NOTE: TWO "ii" instead of one)
I'm thinking it should be "admin.php" (and even that raises an alarm for me, not knowing where this code came from). So I'm dying to know if that was misspelled or if it's in the file that way.
If it is literally spelled "admiin.php" you'll need to scan your site files for "admiin.php" as that is where the replacement code is (probably) coming from. IF you find that file, you'll need to find it's origin and any file dependencies listed within it. It could be coming from an extension or module, so you'll need to be diligent.
After the above, I would replace "admiin.php" with "admin.php" and see what happens. This could very well be a case of a misspelled word causing this. Cut off the referenced file (or files) and you should cut off the offender.
Please let me know if that works. It's driving me crazy.
In any case, I'd grab a copy of BOTH Akeeba Admin Tools and Akeeba Backup. Admin Tools even has a feature that sets up the .htaccess file for you and great support there if you need it.
I'll be anxiously awaiting your reply to see if this helped.
-
-
-
- David Goode
- Preeminent Rocketeer
- Posts: 17058
- Thanks: 890
- Web Designer and Host
-
Having disinfected dozens of hacked Joomla sites I can assure you that there are three distinct versions of hack.
- The kiddy script hacker - they run a script and it finds a site it can penetrate and then usually injects malicious code into the top level php pages. Inevitably these are often for the purpose of spamming.
- The intermediate hacker - they often insert phishing pages into your site and leave plenty of back doors. These are usually the ones with mispelled file names, such as admiin, another popular one was licsenses.
- The well versed hacker - they hide their hacks well; leave plenty of ways back in; even plant false login pages to get your passwords. These sites are ones that often have to be recreated with a new Joomla install and then transfer data via cut and paste.
Depending on the server security level the hacker may be able to access other sites on the server and then cause mayhem. If you have been hacked then first task is to change any control panel passwords. Clean up the mess. Change passwords again.
With Admin Tools I always tell people to add a secret word so that any person going to yourdomain.here/administrator will be redirected to the home page. Also tell it to hide the CMS name and version. This slows down the kiddy-scripts.
Most of this is common sense. Unfortunately people only do it AFTER they have been hacked.
Hope this helps
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information
-
-
-
- Tango7
- Rocketeer
- Posts: 51
- Thanks: 0
-
The admiin.php file shouldn't be there at all from what I can understand. It's in a folder called PAckages which contains a bunch of Gantry.zip files.
If I rename that file, it just gets replaced with a new version every day...it's a bit like "Groundhog Day"....
So, to re-iterate, the .htaccess file has a snippet of code as so:
# BEGIN SYSTEM API
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{HTTP_USER_AGENT} !myclearcode$ [NC]
RewriteRule ^reo/(.*)$ images/banners/admiin.php?$1 [L]
# END SYSTEM API
Now, if you see my first post, you'll see that the last line actually read:
RewriteRule ^reo/(.*s)$ packages/admiin.php?$1 [L]
If you look above, this has now changed to:
RewriteRule ^reo/(.*)$ images/banners/admiin.php?$1 [L]
So it is now throwing the same bad file into a different location than the first time.
I'm not totally sure, but I think I might have been able to stop it by adding # to the beginning of the last two lines, but not totally sure. I say this because I monitor my site daily and the .htaccess hasn't changed since I made the change.
-
-
-
- David Goode
- Preeminent Rocketeer
- Posts: 17058
- Thanks: 890
- Web Designer and Host
-
Hi there,
The standard htaccess from Joomla 3.X contains this portion of code for redirects...
## Begin - Joomla! core SEF Section. # RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] # # If the requested path and file is not /index.php and the request # has not already been internally rewritten to the index.php script RewriteCond %{REQUEST_URI} !^/index\.php # and the requested path and file doesn't directly match a physical file RewriteCond %{REQUEST_FILENAME} !-f # and the requested path and file doesn't directly match a physical folder RewriteCond %{REQUEST_FILENAME} !-d # internally rewrite the request to the index.php script RewriteRule .* index.php [L] # ## End - Joomla! core SEF Section.
Try changing the code by deleting the last 2 lines on your htaccess and then change the file permission to 000 and see if the site still works. If the file gets changed after that then the hackers have access to the control panel and that would mean a password change and further monitoring.
Hope this helps
Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information
-
-
-
- Empowermom
- Hero Rocketeer
- Posts: 476
- Thanks: 32
-
Okay, let's do a "drill down" on this as it can be coming from several places. It's also possible it's not malicious but was coded improperly by an extension provider. Stranger things have happened.
Frankly, at this point, it's more important to track WHAT happened and HOW to fix it rather than fixating on what you "should have" done and how it can be avoided in the future. Consider this a valuable opportunity to learn and we'll get you fixed up. THEN you can properly arm yourself to keep it from happening again.
Things we need to know to help you:
- Which version of PHP are you using? It could make a difference in troubleshooting.
Which database engine are you using? (mysql, mysqli, other)
Are you working online or offline?
Which version of Joomla? Is it current?
What version of Gantry? Is it current?
How many users on your site?
Do you have more than one SuperAdmin?
What 3rd party components/extensions are installed on your site? (any one or more of them can be causing this)
Are they ALL current?
What are the specific file permission settings on your .htaccess file?
Who is your hosting with? Have you discussed this with them? - Do you have more than one Joomla site on your server?
If so, do you share a common php.ini file? (Your host will know this if you don't. Either way, review the settings.)
If not, have you reviewed the latest Joomla recommendations for php settings? - Highly recommended reading though difficult (for me) to decipher:
https://httpd.apache.org/docs/current/rewrite/intro.html
Here's a quick cheat sheet to help but it doesn't cover the last line: https://www.addedbytes.com/download/?file=regular-expressions-cheat-sheet-v2/png
Other considerations:
Now you need to know the ground rules on .htaccess and the PHP rewrite switches:
I am currently trying to determine WHAT the code doing. I'm good to the last line and then can't find a specific reference (YET!). I am limited because I can't see your file structure so I won't ask any more questions until I can find you some answers, albeit they won't be "official" given my limited knowledge.
If we can determine WHAT the code is doing, you can track where it came from and all file dependencies.
I am doing that very thing this morning because now it's bugging me as well! I guess it proves it doesn't take much to entertain a developer over coffee on Saturday morning. I'm hooked! LOL! -
-
-
- Tango7
- Rocketeer
- Posts: 51
- Thanks: 0
-
Made me laugh...you're like me. If it bugs me, I have to find the answer.
What it is doing is creating articles within the site that have URLs pointing to other URLs and it's all about dating..web cams...and the usual smut.
Here's an example URL:
bangkoktouristguide.com/reo/m8nn-orange-dating
The /reo/m8nn-orange-dating is the added bit.
If you go to Google and type in site:bangkokshoppingguide.com you'll see examples and hopefully none will work but it's messing with my SEO ....
I took a look at my .htaccess file just now and even though the last two lines of the snippet mentioned in an earlier post had # at the beginning, it still made the links to the false articles work (it's doesn't at the time of writing because I've edited the .htaccess file ...AGAIN !)
The .htacces was pointing to the images/banners/admiin.php file but that did not exist and yet the spam URL still appeared.
To answer some of the questions earlier:
Joomla up to date
Modules up to date
Single SuperUser
Single user..no other users
Just changed permissions on .htaccess to 444 whereas it was on 644. 000 stopped site from working
Reseller hosting with Host Gator
Other sites not hacked although I had issues with a couple
Common issue with the site that all had issues is a module called pwebcontact which is a pop out contact form. Joomla extension reviews give it 100% and no complaints but it's the only thing that makes me think.."maybe".
-
Time to create page: 0.059 seconds