I was checking my Google Adsense report earlier this morning when a message popped up from my Google Talk. It's about a comment on my blog that needs to be moderated. So I immediately logged in to my admin area and checked it. I found two pending comments. I approved the first one and deleted the other spammy one. I clicked on "View site" so I can see the result and reply to it. Unfortunately, it didn't load normally as expected. It was redirected to a different URL. I tried refreshing and opening it from Internet Explorer since I was using Firefox, but to no avail. I was worried and didn't know what happened. I checked the index file too but didn't find any suspicious code. I remember changing the file attributes of my .htaccess file when I configured the permalink structure of my blog. I thought this might be the reason. I logged in to my server using FTP software, FileZilla, and downloaded the .htaccess file. I opened it with Notepad and found this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RedirectMatch permanent ^/$ http://www.runurl.com/xx.php?1au
Now, how did that piece of code get into my .htaccess file? (last line) I deleted the last line of code, saved it, uploaded it to my server and my site works fine now. Has anyone had a similar experience?
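Added example, not part of the original post: a shell audit for the two conditions described above, a redirect directive sitting outside the WordPress markers and a .htaccess that others can write to. The function names and the redirect.example sample are constructed for illustration; flagged lines are candidates for review, since a legitimate rule can also point at an external URL.

```shell
#!/bin/sh
# Added example: audit a WordPress .htaccess for the tampering described above.

# List directives outside the "# BEGIN WordPress" / "# END WordPress" markers
# that send visitors to an absolute http(s) URL, as "line-number: text".
external_redirects() {
    awk '
        /^[ \t]*# BEGIN WordPress/ { in_wp = 1; next }
        /^[ \t]*# END WordPress/   { in_wp = 0; next }
        in_wp || /^[ \t]*#/        { next }
        tolower($1) ~ /^(redirect|redirectmatch|redirectpermanent|redirecttemp|rewriterule)$/ &&
            tolower($0) ~ /https?:\/\// { printf "%d: %s\n", NR, $0 }
    ' "$1"
}

# True when the file is writable by "other" (modes such as 666 or 777).
world_writable() {
    [ -n "$(find "$1" -prune -perm -002 2>/dev/null)" ]
}

# Report both problems; return 1 if either is found, 0 if the file is clean.
audit_htaccess() {
    status=0
    hits=$(external_redirects "$1")
    if [ -n "$hits" ]; then
        printf 'external redirect outside the WordPress block:\n%s\n' "$hits"
        status=1
    fi
    if world_writable "$1"; then
        printf '%s is world-writable; remove write access for others\n' "$1"
        status=1
    fi
    return "$status"
}

# Constructed sample: stock WordPress rules plus one appended redirect.
write_sample() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule . /index.php [L]
# END WordPress
RedirectMatch permanent ^/$ http://redirect.example/xx.php
EOF
}

# Usage: sh audit.sh /path/to/.htaccess
[ "$#" -eq 0 ] || audit_htaccess "$1"
```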

26 responses so far ↓
Sounds like you’ve probably left the file “unprotected” by leaving the attributes at 666? This is one of the dangers of allowing WP (or the web server, more specifically) to overwrite your .htaccess file.
For future reference, consider changing the attributes so only your account can write to the .htaccess file.
Yes I forgot to “protect” it before. But how could anyone be able to hack or modify it?
Although not the only way, a likely way would be simply logging into your admin area (guessing the username and password) and changing the permalink structure. Since your admin login page is “guessable” by anyone who understands the WP directory structure, all they have to do is guess your username and password. Which is easy if you leave it the default “admin”, which I see you have done. Heck, WP even confirms I got your username correctly and ONLY got the password wrong.
I forgot to mention: consider using “.htpasswd” to further protect your admin area and use a strong password. Just google “.htpasswd” for details on how to implement it.
Pizdin Dim>>
Thank you. I really appreciate it.
I saw that yesterday. I'm actually wondering why you were redirecting to that site. So that's the reason, it turns out.
I find this rather intriguing, and I really hope the hack is not related to our “isulong seoph” contest. If that is the case, it would be totally unacceptable.
Markku,
Marc said to me and I quote: “all hacks are in”
lol…
$CurrentNumberOneSite = "http://www.whateverwebsite.com";
if ($_SERVER['HTTP_USER_AGENT'] != "Googlebot/2.1 ( http://www.googlebot.com/bot.html)" and
    $_SERVER['HTTP_USER_AGENT'] != "Googlebot/2.1 (+http://www.google.com/bot.html)") {
    header("HTTP/1.0 302 Moved Temporarily");
    header("Location: " . $CurrentNumberOneSite);
} else {
    // Current website goes here.
}
Gio, maybe your version of WordPress is old? There's an exploit for version 2.0.2 of WordPress. It's here: http://milw0rm.com/exploits/6
upgrade to 2.03
good for you coz u’ve figured that out in a jiffy.
Yeah, it seems that way. I even got an email the other day; it's from PublicDomainRegistry.com telling me that they have received a complaint regarding my domain name ISULONGSEOPHIL.COM displaying INACCURATE Contact Details in its Whois info. They requested me to modify the Registrant, Administrative, Billing and Technical Contact Details of my domain name, WITHIN 15 DAYS. They also told me that if the Contact Details of ISULONGSEOPHIL.COM are not modified in time, they will be SUSPENDING my domain name.
I'm pretty sure it has something to do with this SEO CONTEST. Well, I already changed my WhoIs registration info. I hope the person who did this is happy now.
this contest is dangerous.
hehehe 
at least you are back on the right track, the contest is still a long way to go.
[…] Abhishek Tripathi (16 year old boy wonder) pointed me to the SERPS to checkout this isulong seoph contest, it looks like the current leader got his .htaccess file hacked and the redirect uses run url to hide the path. […]
Is it also possible that you’ve been trolling a lot of blogs and forums, leaving your URL that’s why you got found out? I’m not saying you’re spamming blogs and forums, but other people might see it that way.
Trolling? NO, I don't think so. I'm not a trouble-maker kinda guy. Spamming? Maybe just a little.
Trolling and Spamming are two different things.
Wikipedia defines troll as someone who comes into an established community such as an online discussion forum, and posts inflammatory, rude or offensive messages designed intentionally to annoy and antagonize the existing members or disrupt the flow of discussion.
Trolling is simply to make trouble.
Spamming is... (I'm sure you already know)
hehehe, you have a new skin now
bored with the old one? hope to see both of us on the finals night.
Cross-server hacking of an .htaccess file left CHMODed to 666 is not an easy task. I have an assumption that the hacking occurs within your network. Anybody with knowledge of scripting languages and of Linux/Unix-based file ownership can easily read/execute/modify any files in the same network. The hacker is probably hosting in the same host you were in.
Before you take this post seriously, I am reminding you that it is just an assumption.
Cheers,
Jonathan
isulong.seoph.uenian.org
Alfredo>>
Yes, I'm not comfortable with the old theme.
Looks like your site is moving down the SERP results. What is happening? Mine too.
Jonathan>>
Thank you for sharing your thought on this.
Let ’s just hope it will not happen to all the other contestants.
because you are damn popular now. harhar.
GOODLUCK!!!!!
Yes, new site theme. It's been 2 weeks since I put my mind off this contest. Now, I'm still relaxed, jus… blog hopping!
Also check your host, one of my sites was once hacked by one of my old hosts.
Sounds like you left the doors open for ppl to get in (Permissions) You know, Read , write, Execute
Probably 777 everything
should always be 755
good luck gio
Dave
Interesting topic… I’m working in this industry myself and I don’t agree about this in 100%, but I added your page to my bookmarks and hope to see more interesting articles in the future
similar to that…it’s like when google will dance my site will be down.