My site was hacked, htaccess file compromised, what should it look like?


Solution 1

(As per @YGomez's comment: first and foremost, you need to close the vulnerability which allowed the creation of that .htaccess file, else the malware will come back almost instantly; I probably should have mentioned that explicitly)

The first part will redirect all visitors coming in from Yahoo and Google to 87.248.180.89.

The second part ("allow, deny") will deny access to your site for everybody.

I suggest simply deleting the .htaccess and being done with it - if you use a .htaccess file, you would know what goes in there; otherwise you don't need it.
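As an added example (not from any of the answers above), a small Python check that flags the two patterns Solution 1 describes in a .htaccess file: a RewriteRule that sends search-engine-referred visitors to a bare-IP URL (the cloaking pattern), and a site-wide deny that locks every visitor out. The sample input is a constructed reconstruction of the rules quoted in the question; the defanged hxxp scheme is kept as written.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the rules quoted in the question.
SAMPLE_HTACCESS = """\
RewriteEngine on
RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
RewriteCond %{HTTP_REFERER} .ahoo.com [NC,OR]
RewriteRule .* hxxp://87.248.180.89/topic.html?s=s- [C,L]
"""

# Referrer patterns that single out search-engine traffic (the "cloaking" tell).
SEARCH_ENGINE_RE = re.compile(r"oogle|ahoo|bing", re.I)
# Absolute URL (http, https or defanged hxxp) whose host is a bare IPv4 address.
IP_URL_RE = re.compile(r"h(?:xx|tt)ps?://(\d{1,3}(?:\.\d{1,3}){3})", re.I)


def scan_htaccess(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings for referrer-gated redirects
    to IP-hosted URLs and for directives that deny the whole site."""
    findings: List[Tuple[int, str]] = []
    referer_cond_seen = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        args = [p.lower() for p in parts[1:]]
        if directive == "rewritecond" and len(parts) >= 3:
            if "%{HTTP_REFERER}" in parts[1] and SEARCH_ENGINE_RE.search(parts[2]):
                referer_cond_seen = True
                findings.append((lineno, "referrer condition on search-engine traffic"))
        elif directive == "rewriterule" and len(parts) >= 3:
            # A RewriteRule closes the RewriteCond group that precedes it.
            m = IP_URL_RE.search(parts[2])
            if m:
                reason = f"redirect to bare-IP host {m.group(1)}"
                if referer_cond_seen:
                    reason += " gated on search-engine referrer (cloaking pattern)"
                findings.append((lineno, reason))
            referer_cond_seen = False
        elif directive == "deny" and args == ["from", "all"]:
            findings.append((lineno, "site-wide deny: blocks every visitor"))
        elif directive == "require" and args == ["all", "denied"]:
            findings.append((lineno, "site-wide deny: blocks every visitor"))
    return findings
```

A clean static-site .htaccess (or none at all) produces no findings; anything flagged is worth reading line by line before the file is restored.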

Solution 2

If you're running a static site it's highly likely you don't need anything in your .htaccess. You should then work out how your site actually got hacked, as if you haven't resolved that it's just going to happen again.

Solution 3

Your real concern should be how it happened in the first place. Defacers and such often go back and will try the same thing again on a previously cracked site, since many times the vulnerability isn't fixed.

Solution 4

The htaccess file is incidental. You have been hacked by one of the Russian malware gangs. If you don't close the hole that allowed the hack to happen, you will just get hacked again.

It is entirely possible that the server itself is compromised and there is more stuff on it you don't know about, such as trojan software that might not only deface your sites, but also launch attacks on others, send spam, and so on. Assuming appropriate permissions on the directory containing the htaccess file, it should not have been possible to write a file there even if you have an insecure web application on there. Certainly if you are only dealing with static files the only way such a file could have got there is by your uploading account, or the server itself being compromised.

If it's your server, as I'm guessing from the fact it responds to a direct query by IP address, you need to flatten it and reinstall from up-to-date software, use new passwords, and check your own client machines you're uploading from for infections.

Author: Jesse

Updated on June 05, 2022

Comments

  • Jesse (almost 2 years ago)

    A website I maintain pro-bono was hacked, dishing out 302s to gaming sites, etc. www.rebekahshouse.org. After much searching through my hosting company's control panel, I found the culprit in the htaccess file. It looked something like this:
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
    RewriteCond %{HTTP_REFERER} .ahoo.com [NC,OR]
    RewriteRule .* hxxp://87.248.180.89/topic.html?s=s- [C,L]

    (I think that was C, L; I overwrote it and tried to recreate it above, might've missed a piece here and there)

    Anyway, I overwrote it with this:

    order allow,deny
    deny from all

    Is this going to do anything for me? What SHOULD I have in my .htaccess file? This is purely a static HTML site.

    Thanks!