.htaccess file hacked, how to prevent this in future?
Solution 1
If they logged in over FTP, then your user account password is compromised and they're just FTPing up the modified file. Audit everywhere that's using your account password for password-collecting malware, then change the password to something secure. Also consider using a passwordless method of authentication (such as SSH public keys), but if your development machine is chock full of malware, it can just steal the key instead.
Solution 2
As already mentioned, the chances are that your FTP details have been compromised (normally from an infected Windows desktop PC somewhere, I've found).
I've tested this in the past by purposely logging in with the wrong password from a suspected PC, only to see someone else try and login with the same wrong password 15 minutes later from a foreign IP address. Obviously the infected PC was sniffing the password and transmitting it back to the mother ship.
The most practical thing to do is restrict where people can login to FTP from on your firewall. Password complexity or encryption will probably do you no good in this case, as the password is being stolen at source, and not being guessed or intercepted down the line.
In iptables something like this would work:
iptables -I INPUT -p tcp --dport 21 ! -s X.X.X.X -j DROP
(where X.X.X.X is the IP of your office/home where you connect from).
Arpit Tambi
Updated on September 18, 2022
Comments
-
Arpit Tambi over 1 year
The hacker added code to the .htaccess file to redirect all search engine traffic to a malware website. I am now investigating this incident and trying to find out security loopholes. My situation is almost similar to this person's - .htaccess being hacked repeatedly
Here's a sample of an intrusion attempt from the FTP logs -
Aug 6 02:43:31 sg2nlftpg002 [30887]: ([email protected]) [INFO] FTPUSER is now logged in
Aug 6 09:43:33 sg2nlftpg002 [30887]: ([email protected]) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded (846 bytes, 106.37KB/sec)
Aug 6 09:43:35 sg2nlftpg002 [30887]: ([email protected]) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded (1435 bytes, 3.32KB/sec)
Aug 6 09:43:35 sg2nlftpg002 [30887]: ([email protected]) [INFO] Logout.
This is significantly different from my regular login attempts -
Aug 7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from [my.ip.address]
Aug 7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
Aug 7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
Aug 7 11:14:55 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 846 written 0
Aug 7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from [my.ip.address]
I have gone through HTTP traffic logs but couldn't find anything suspicious over there.
Other information that might be useful:
- I am on a shared host and the website runs on WordPress, BuddyPress and other popular plugins.
- To my knowledge all software under my control uses latest versions and is updated regularly.
- I use strong passwords and update them regularly. I only access the website with SFTP and SSH using PuTTY.
- My local machine is free from viruses.
My question is how to prevent such attacks in future?
UPDATE
- Please see report from Google - http://www.google.com/safebrowsing/diagnostic?site=ask-oracle.com
- Another report related to network I am hosted on - http://www.google.com/safebrowsing/diagnostic?site=AS:26496
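Since the question's FTP excerpts show exactly the pattern worth alerting on (a session from an unfamiliar address that downloads and re-uploads .htaccess), here is an added log-triage script, not code from the question or either answer. It parses the two log formats shown above, flags logins from addresses outside an allowlist (the log-side counterpart of the firewall restriction in Solution 2, which an account on shared hosting cannot apply), and flags any upload of a watched file such as .htaccess. The intruder's IP is not visible in the excerpt, so the sample log lines are constructed with documentation-range addresses; the watched-file list and the allowlist are assumptions.

```python
import posixpath
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample in the two formats seen in the question. The source IPs are
# documentation-range placeholders, not addresses from the original logs.
SAMPLE_LOG = """\
Aug 6 02:43:31 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [INFO] FTPUSER is now logged in
Aug 6 02:43:33 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [NOTICE] /home/content/81/7838581/html//.htaccess downloaded (846 bytes, 106.37KB/sec)
Aug 6 02:43:35 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [NOTICE] /home/content/81/7838581/html//.htaccess uploaded (1435 bytes, 3.32KB/sec)
Aug 6 02:43:35 sg2nlftpg002 [30887]: (ftpuser@203.0.113.45) [INFO] Logout.
Aug 7 10:57:53 sg2nlftpg002 [11713]: session opened for local user FTPUSER from 198.51.100.7
Aug 7 10:58:28 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 1435 written 0
Aug 7 11:14:29 sg2nlftpg002 [11713]: [FTPUSER] close "/home/content/81/7838581/html/.htaccess" bytes read 0 written 846
Aug 7 12:08:03 sg2nlftpg002 [11713]: session closed for local user FTPUSER from 198.51.100.7
"""

# Assumed list of files whose modification over FTP should always be reviewed.
WATCHED_FILES = {".htaccess", "wp-config.php", "index.php"}

TS = r"(?P<ts>\w{3} +\d+ [\d:]+)"
# Format 1: "(user@ip) [INFO] ... logged in" / "[NOTICE] <path> uploaded (...)"
LOGIN_1 = re.compile(TS + r" \S+ \[(?P<pid>\d+)\]: \((?P<user>[^@]+)@(?P<ip>[^)]+)\) \[INFO\] \S+ is now logged in")
XFER_1 = re.compile(TS + r" \S+ \[(?P<pid>\d+)\]: \([^)]*\) \[NOTICE\] (?P<path>\S+) (?P<op>uploaded|downloaded) \((?P<bytes>\d+) bytes")
# Format 2: "session opened for local user USER from IP" / '[USER] close "path" bytes read R written W'
LOGIN_2 = re.compile(TS + r" \S+ \[(?P<pid>\d+)\]: session opened for local user (?P<user>\S+) from (?P<ip>\S+)")
CLOSE_2 = re.compile(TS + r" \S+ \[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\] close \"(?P<path>[^\"]+)\" bytes read (?P<read>\d+) written (?P<written>\d+)")


class Finding(NamedTuple):
    kind: str      # "login_outside_allowlist" or "watched_file_uploaded"
    ts: str
    user: str
    ip: str
    path: str      # empty for login findings
    trusted: bool  # True when the session's source IP is on the allowlist


def _record_upload(sessions: Dict[str, Tuple[str, str]], findings: List[Finding],
                   allowlist: Set[str], ts: str, pid: str, path: str) -> None:
    """Attribute an upload to its session (by PID) and flag it if the file is watched."""
    if posixpath.basename(path) not in WATCHED_FILES:
        return
    user, ip = sessions.get(pid, ("?", "?"))
    findings.append(Finding("watched_file_uploaded", ts, user, ip,
                            posixpath.normpath(path), ip in allowlist))


def triage(log_text: str, allowlist: Set[str]) -> List[Finding]:
    """Walk the log once, tracking login source per PID so later transfers get an IP."""
    sessions: Dict[str, Tuple[str, str]] = {}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOGIN_1.match(line) or LOGIN_2.match(line)
        if m:
            sessions[m["pid"]] = (m["user"], m["ip"])
            if m["ip"] not in allowlist:
                findings.append(Finding("login_outside_allowlist", m["ts"], m["user"], m["ip"], "", False))
            continue
        m = XFER_1.match(line)
        if m and m["op"] == "uploaded":
            _record_upload(sessions, findings, allowlist, m["ts"], m["pid"], m["path"])
            continue
        m = CLOSE_2.match(line)
        if m and int(m["written"]) > 0:  # bytes written to the server means an upload
            _record_upload(sessions, findings, allowlist, m["ts"], m["pid"], m["path"])
    return findings


def suspicious(findings: List[Finding]) -> List[Finding]:
    """Keep only events from sessions whose source address is not on the allowlist."""
    return [f for f in findings if not f.trusted]


if __name__ == "__main__":
    # Assumed allowlist: the owner's own address from the constructed sample.
    for f in triage(SAMPLE_LOG, {"198.51.100.7"}):
        flag = "" if f.trusted else "  <-- review"
        print(f"{f.ts}  {f.kind:<24} {f.user}@{f.ip} {f.path}{flag}")
```

The allowlist does the same job as Solution 2's firewall rule, but after the fact: the owner's own .htaccess restore on Aug 7 is still reported as an upload of a watched file, only marked trusted, so a quick glance separates the attacker's session from legitimate maintenance. Feed it the real log (`triage(open(path).read(), {...})`) after replacing the constructed sample.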
-
Admin almost 13 years
Are you administrating the machine, or just one of the sites? How up to date are the WordPress/etc. installs that you don't control? How "jailed" are your sites from each other? If someone gained root from another site on the same machine it really doesn't matter how up to date your stuff is or how secure (as secure as you could be without being root for the machine.)
-
Admin almost 13 years
I am on a shared hosting and run one single website on it, all software is up to date. I cannot say much about account isolation but I have updated my question with more information. Do you think that I should ask my host to shift me to another machine?
-
Admin almost 13 years
No, your account password got compromised, there's no evidence of a server-wide intrusion.
-
Arpit Tambi almost 13 years
If you see the timestamps of the intrusion attempt, see the hour and minute values, does it look like a bot? Also these are the only suspicious entries in the FTP logs. I believe my machine is free from malware (as reported by the scanner) and have already changed the FTP password. I mostly use SSH to get things done.
-
gravyface almost 13 years
firewall tip is good, but he's on shared hosting; don't think he has control over iptables.
-
gravyface almost 13 years
if you mostly use SSH, why don't you disable/delete the FTP accounts?
-
Arpit Tambi almost 13 years
There is only one FTP account, which I had to create to set up the hosting through their control panel. There is no way to delete/disable it.
-
Arpit Tambi almost 13 years
Thanks for the tip but it doesn't work. It says iptables: command not found. I am rescanning my local computer for viruses using two different scanners, let's see.
-
Arpit Tambi almost 13 years
I am using FireFTP for Firefox. It also has my passwords saved.
-
womble almost 13 years
Where did I make any suggestion that a bot was doing the FTP activity? And if there's no way to disable FTP, you need a new control panel -- that's an insanely stupid one you've got there.
-
Icebreaker over 10 years
Still, these are stopgap measures. The fact that your .htaccess file was edited without authorization is just a symptom of the hack. Who knows what other damage they have done to your server?
-
Falcon Momot over 10 years
To be pedantic, anyone with root access can change the attributes back, as well.