Jump to content

Hacked htaccess


Recommended Posts

One of my client's hosting account was hacked - I just happened to find a folder called 'mnemonics' full of html files - dozens of them. I contacted the host, who told me to change the password. I did that, but the password in use was the very one they had initially given the client - xHhBqplD9L - (it's been changed since) - now tell me, how is that hackable? plus they'd need to know the username, which is NOT admin, as well.


This morning, i found this in the htaccess file - what did that do?


#User-agent: *
#Disallow: /pics
#Disallow: /includes
#Disallow: /tools
#Allow: /

RewriteEngine on
RewriteRule check_work/$ ./mnemonics/platforms.php?checkwork
RewriteRule mnemonics-(.*)/$ ./mnemonics/platforms.php?$1

Link to comment
Share on other sites

Adding on: The site's hits have increased dramatically to over 1,000 - form over 500 service providers. I'm sure it has to do with the hacking. The site is a local contractor, certainly does not evoke global interest.

Link to comment
Share on other sites

Its extremely difficult to determine how someone got in without access to logs. Due to the hits being doubled, i would guess someone ran a exploit scan script on their domain name and found a security hole in something found. This script would be pre-built to scan a list of domains for certain files with known security holes.


I dont know if this site has anything to do with 'mnemonics'? Does this folder look entirely suspicious or is it supposed to be part of the website? If not, I'd be interested to know whats in this platform.php that was added to the htaccess file.


The disallows and allow in the .htaccess is normal, but again, if that folder isn't supposed to be there the bottom two lines should probably be removed.

Link to comment
Share on other sites

I'm not very good with .htaccess, but I'll try to shed some light.


As far as I know, hashes (#) are comments, so if a line starts with a hash, it's a comment. So first 5 lines are irrelevant.


RewriteEngine On - this is just turning on the mod_rewrite extension of PHP i think ...


The RewriteRule ones are forwarders. So the line that says:

RewriteRule check_work/$ ./mnemonics/platforms.php?checkwork

... will forward visitors going to ANY page under the "check_work" directory, to "./mnemonics/platforms.php?checkwork"


I'm not sure about the second part of RewriteRule is Exactly doing, but it's doing another forwarder.

Link to comment
Share on other sites

What I'm wondering: security hole or not - would it be possible to get to any files on the account WITHOUT the password?

It sounds to me that the server itself got hacked -- not just your hosting account (which would really be the host's responsibility, not yours.) If someone was able to get access to the server itself, that would mean that they wouldn't need usernames or passwords to change things or add/delete files.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...