Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
The ha.ckers.org and sla.ckers.org web application security lab house rules and a place for you to introduce yourself if you like. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
htaccess replaced by malicious script
Posted by: horwath12
Date: January 04, 2012 10:47AM

Hello everyone, I'm having a problem with my server (Hostmonster) somehow it's been compromised and a malicious script is replacing my .htaccess. The replaced .htaccess contains redirects to other sites like answerfloat.ru which I'm sure contain viruses and trojans or whatever else (sorry I'm not to familiar with IT lingo). We contain the attack by using CronJobs that rewrite the htaccess to the original file, this works ok so far but I don't want it to be a permanent solution. My new problem here is that somehow the "malicious script" is now generating .php files with new redirection scripts. Any ideas to permanently solve this issue will be so much appreciated.

Thanks for the help.

Options: ReplyQuote
Re: htaccess replaced by malicious script
Posted by: id
Date: January 04, 2012 06:24PM

move to a real hosting solution...why the hell would you continue to operate on a compromised host?

-id

Options: ReplyQuote
Re: htaccess replaced by malicious script
Posted by: Nerdwood
Date: January 05, 2012 01:17AM

Hi

Unless there's something in your website that's allowing users to write to the .htaccess files, it seems like just changing your passwords would probably do the trick!

Just change passwords for things like:

- Control panel
- FTP
- SSH
- Any other kinds of access you might have

Nerdwood

Options: ReplyQuote
Re: htaccess replaced by malicious script
Date: February 15, 2012 03:31PM

I would suggest an ip/isp log.
Also Go on the offensive and throw some malicious shit of your own on your own website. Not for your users but specifically targeting the compromised path to your .htaccess files. Then get your buddies together and attack.
Or just iplocate them and call there isp, with logged proof of there actions and, you've got yourself the permanent solution your looking for, but there probably routing there attack through 20 different pc's all over the world so make sure you get them to download something, so you can actually trace it, or perhaps embed your .htaccess files because there obviously getting to those, not sure if you could get away with a renaming action file but its worth a shot.
By just changing your passwords, or hosts, your not doing anything, chances are there not taking the password route. Your probably being attacked by an advertising company with 20 different hackers at there disposal, they may be using a cracker program but they are not crackers(crackers are those that guess at passwords, where-as Hackers find vulnerabilities and exploit them through various methods), and I can tell you that for sure due to the sophisticated methods there using.
If you attack they will just disappear, because there trying to make money, and if your slowing that process down, then there not making as much, so there is no point in a counter-attack from where the stand, because it would just not make financial sense.

If you want some help, I could use the practice.

Options: ReplyQuote


Sorry, only registered users may post in this forum.