Was our site hacked?

10 Posts

curdegn Reply #1, 9 years, 7 months ago

Hi,
During updating mox I found a strange piece of code at the end of .htaccess:

<IfModule mod_rewrite.c>
				RewriteEngine On
				RewriteCond %{HTTP_USER_AGENT} (google|yahoo|slurp|bing|msnbot|yandex) [OR]
				RewriteCond %{HTTP_REFERER} (zzzzzz)
				RewriteCond %{REQUEST_URI} /$ [OR]
				RewriteCond %{REQUEST_FILENAME} (html|htm|php|phps|shtml|xml|xhtml|phtml|asp|aspx)$ [NC]
				RewriteCond %{REQUEST_FILENAME} !sitemap_xml_xml.php
				RewriteCond /home/httpd/vhosts/oursite.com/httpdocs/sitemap_xml_xml.php -f
				RewriteRule ^.*$    /sitemap_xml_xml.php [L]
				</IfModule>

To me it looks like someone hacked our site and blocked us from being listed at search engines.. or do I interpret this code wrong??
How is this possible and what other (modx)files could have been a target / need to be inspected carefully?

Thanks and regards
Curdegn

☆ A M B ☆
24,524 Posts

sottwell Reply #2, 9 years, 7 months ago

I believe that what this is doing is sending all of the search engines to your a sitemap generating script rather than having them go through your site page-by-page.

Studying MODX in the desert - http://sottwell.com
Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
Join the Slack Community - http://modx.org

☆ A M B ☆
2,213 Posts

AMDbuilder Reply #3, 9 years, 7 months ago

It's good to question how that code was added, if you didn't add it would someone else have access to add it? If nobody else has access then you should check your access logs. You will also want to check every file that wasn't overwritten with the update to ensure no other code is potentially compromised.

I'm going to agree with Susan in regards to the code, you could alternatively use the robots.txt file instead.

Patrick | Server Wrangler
About Me: Website | Tweets | MODX Hosting