
.htaccess hacked

apnakohat

New Member
Hello,

Today a couple of websites on my server were redirecting to some other website. After investigating the issue I noticed that someone had modified the .htaccess file, which was redirecting to some other website. I also noticed that the Last Login IP in cPanel was a totally different IP than mine. Can anybody please tell me why this happened? I am running APF Firewall on a cPanel/WHM server. I would appreciate it if someone could help me fix this security threat.

Note: Mod_Security is also installed on the server.


-Regards.
 
Do you have open_basedir protection on? What about the PHP shell functions, do you have them disabled?
 
Do you have open_basedir protection on? What about the PHP shell functions, do you have them disabled?


open_basedir protection is enabled. Regarding PHP shell functions I don't have any idea, but I know that PHP safe mode is OFF.
 
Ok I just noticed that you said the last login IP was totally different from yours. That probably means that your password was too weak or someone managed to get ahold of it.
 
Ok I just noticed that you said the last login IP was totally different from yours. That probably means that your password was too weak or someone managed to get ahold of it.

Nope, the password was way too difficult; it was like a combination of A$(*)455_, something like that :D

Should I enable PHP safe mode?
 
Your website would not compromise your cPanel account in any way. The only way your cPanel could've been accessed is if someone knows your password.
 
It seems that someone has hacked your password; I don't think it's a server-side security issue. I would advise you to change all required passwords, such as for your WHM/cPanel, FTP, etc. Also block that culprit IP using iptables.
 
Nope, the password was way too difficult; it was like a combination of A$(*)455_, something like that :D

Should I enable PHP safe mode?

It's quite possible that someone may have seen you type in your password, or used a key logger, or possibly even bashed the keyboard and guessed it (however unlikely this is). Maybe someone found out an exploit in cPanel / WHM and gained access. Maybe it was your host (if you don't run the server yourself).

The long and short of it is, those files would have been changed using either SSH or cPanel. Both of which use the same account login details.

The fix:

I guess it really comes down to changing your password, changing the port that SSH runs on, updating cPanel / WHM to LATEST STABLE and, most importantly, using IPTABLES to block the IP address that was different to yours, and see how you go.
 
[UW]Glenn;1053391 said:
It's quite possible that someone may have seen you type in your password, or used a key logger, or possibly even bashed the keyboard and guessed it (however unlikely this is). Maybe someone found out an exploit in cPanel / WHM and gained access. Maybe it was your host (if you don't run the server yourself).

Those all sound like logical explanations. It could have been your host. It's best to check with your host to see if they have any suggestions.

I know there was an exploit a while back that allowed hackers to compromise the .htaccess files on the servers, but that should have been fixed by now.

Also, if you have a complicated password, then it will be more difficult for someone to guess or bash it. Perhaps your computer was compromised and there were key loggers installed.
 
The compromising of the .htaccess file wouldn't explain why his cPanel was hacked into as well :S
 
The compromising of the .htaccess file wouldn't explain why his cPanel was hacked into as well :S

Maybe it was the host that logged into cPanel, and it wasn't actually compromised. It's worth checking in on that at least to help narrow down what happened.
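
The problem that started this thread was a modified .htaccess sending visitors to another site. As an added example (not posted by anyone in the thread), the Python below audits .htaccess files for redirect-capable Apache directives whose target is a host you do not own; the `example.com` and `example.net` hosts and the sample rules are constructed for illustration.

```python
import os
import re
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
DIRECTIVE_RE = re.compile(
    r'^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b(.*)$',
    re.IGNORECASE)
URL_RE = re.compile(r'https?://[^\s"\'<>\[\]]+', re.IGNORECASE)

def external_redirects(text, own_hosts):
    """Return (line_no, directive, host) for each redirect-capable directive
    whose absolute target is not one of own_hosts or a subdomain of one."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)  # commented-out lines start with '#', so never match
        if not m:
            continue
        for url in URL_RE.findall(m.group(2)):
            host = (urlparse(url).hostname or '').lower()
            if host and host not in own and not any(host.endswith('.' + h) for h in own):
                findings.append((no, m.group(1), host))
    return findings

def scan_tree(root, own_hosts):
    """Walk a document root and report findings for every .htaccess under it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, errors='replace') as fh:
                hits = external_redirects(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: two injected rules among legitimate ones for example.com.
SAMPLE = """\
# constructed sample, not from the thread
RewriteEngine On
RewriteRule ^(.*)$ http://redirect.example.net/in.php?q=$1 [R=301,L]
RewriteRule ^old/(.*)$ https://www.example.com/new/$1 [R=301,L]
ErrorDocument 404 http://redirect.example.net/404.php
Redirect 301 /blog https://blog.example.com/
"""

if __name__ == '__main__':
    for hit in external_redirects(SAMPLE, {'example.com'}):
        print(hit)
```

Running `scan_tree` over each account's document root after a cleanup, and again on a schedule, shows whether an injected redirect has come back.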
 