.htaccess/thumbs.db hack

Discussion in 'General Discussion' started by marmi01, Sep 13, 2011.

  1. marmi01

    marmi01 Registered

    Hi Everyone,

    I'm in a bind and could use some assistance.

    I have a Zen Cart online store and was hit by some hackbot exploit that modified the .htaccess file and stuck several thumbs.db in my system.

    This caused the online store to 404 error and I eventually fixed it via removing files and editing the .htaccess via FTP.

    All good so far...except it happened again yesterday, but this time when FTPing in, all the files looked ok so I thought I'd try via my hosting's cPanel file manager.

    And guess what? I found that the .htaccess there had the malicious php code in and the thumbs.db files were also there. I deleted them and then the shop came up.

    The super strange thing for me was that when I edited the .htaccess within cPanel (only under my /shop directory - all other directories that have .htaccess files such as my blog were ok) and removed the malicious code (just one line and lots of <CR>'s) and then saved it, the .htaccess then went to a 0 byte size and was empty!

    I tried to re-edit it and saved it again but it remained an empty 0 byte file. Very strange! I even deleted it and tried to re-create it and the same thing happened.

    Has anyone come across this before? It's also perplexing that the file structure is different to what I see when I FTP in. I tried to upload a file via FTP but was not able to see it via my browser or even within cPanel's file manager.

    It's as though my FTP is seeing a different/old file structure to what cPanel is showing.

    Could this be due to a hack?

    Tech info:
    Apache version 2.2.20
    MySQL version 5.0.92-50-log
    PHP version 5.2.17
    PHP info Click to View
    Perl version 5.8.8
    Kernel version 2.6.32.46-grsec
    cPanel Version 11.30.1.4

    Any assistance/advice appreciated.

    Mick
     
  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Hello Mick,

    Please contact your hosting provider about this issue. I would highly suggest not removing the .htaccess file and any contents you find next time to ensure your provider can review what is happening. They should be able to check your domain log files to see how this attacker is getting into the account.

    Thanks!
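
A read-only triage pass in the spirit of the advice above, as an added example that is not part of the original thread: it inventories `.htaccess` and `thumbs.db` files with hash, size and mtime so they can be handed to the hosting provider and matched against the domain logs instead of being deleted. The 20-blank-line threshold, the function names and the sample tree are assumptions constructed for illustration; the header check relies on genuine Windows Thumbs.db files being OLE compound documents.

```python
import hashlib
import re
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # first 8 bytes of a genuine Windows Thumbs.db
PAD_RUN = re.compile(rb"(?:\r?\n[ \t]*){20,}")   # assumed threshold: 20+ consecutive blank lines
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)     # PHP open tags
TARGETS = (".htaccess", "thumbs.db")

def inspect(path):
    """Read one file (never modify it); return (sha256, size, reasons)."""
    data = Path(path).read_bytes()
    name = Path(path).name.lower()
    reasons = []
    if name == "thumbs.db" and not data.startswith(OLE_MAGIC):
        reasons.append("not an OLE compound file")
    if name == ".htaccess" and PAD_RUN.search(data):
        reasons.append("long run of blank lines")
    if PHP_TAG.search(data):
        reasons.append("contains PHP open tag")
    return hashlib.sha256(data).hexdigest(), len(data), reasons

def triage(root):
    """Walk root and return evidence records for suspicious target files."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower() in TARGETS:
            digest, size, reasons = inspect(path)
            if reasons:
                findings.append({"path": path.relative_to(root).as_posix(), "sha256": digest,
                                 "size": size, "mtime": int(path.stat().st_mtime),
                                 "reasons": reasons})
    return findings

def demo():
    """Run triage over a constructed sample tree (no real site data)."""
    samples = {
        "shop/.htaccess": b"# constructed sample\n" + b"\n" * 40 + b"# line hidden below padding\n",
        "shop/images/thumbs.db": b"<?php /* constructed placeholder */ ?>",
        "blog/.htaccess": b"Options -Indexes\n",
        "blog/Thumbs.db": OLE_MAGIC + b"\x00" * 504,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return triage(root)
```

Calling `triage()` on the account's document root gives a list that can be saved alongside untouched copies of the flagged files; the `mtime` values narrow down which log window to review.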
     