A website I maintain pro-bono was hacked, dishing out 302s to gaming sites, etc. www.rebekahshouse.org. After much searching through my hosting company's control panel, I found the culprit in the htaccess file. It looked something like this:
RewriteEngine on
RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
RewriteCond %{HTTP_REFERER} .ahoo.com [NC,OR]
RewriteRule .*hxxp://87.248.180.89/topic.html?s=s- [C,L]

(I think that was C, L; I overwrote it and tried to recreate it above, might've missed a piece here and there)

Anyway, I overwrote it with this:

order allow,deny
deny from all

Is this going to do anything for me? What SHOULD I have in my .htaccess file? This is purely a static html site.

Thanks!

A: 

No, that won't do anything for you. For a static site you may not need a .htaccess file at all.

ceejayoz
I deleted it. I also contacted the hosting company and put in a help ticket to alert them of a potential breach. I reset the FTP and hosting company passwords. Now I'm gonna go hide under a rock...
Jesse
hey - I've been there before as have many, many others. :)
Laura
+8  A: 

If you're running a static site it's highly likely you don't need anything in your .htaccess. You should then work out how your site actually got hacked... as if you haven't resolved that it's just going to happen again.

Adam Gibbins
Not necessarily. If he is using shared hosting, their 'defaults' may be inappropriate and leave many security holes open. For example, it may be necessary to disable the Directory Index or explicitly disallow any kind of cgi scripts in the directory.
James Schek
+5  A: 

Your real concern should be how it happened in the first place. Defacers and such often go back and will try the same thing again on a previously cracked site, since many times the vulnerability isn't fixed.

Laura
+5  A: 

The htaccess file is incidental. You have been hacked by one of the Russian malware gangs. If you don't close the hole that allowed the hack to happen, you will just get hacked again.

It is entirely possible that the server itself is compromised and there is more stuff on it you don't know about, such as trojan software that might not only deface your sites, but also launch attacks on others, send spam, and so on. Assuming appropriate permissions on the directory containing the htaccess file, it should not have been possible to write a file there even if you have an insecure web application on there. Certainly if you are only dealing with static files the only way such a file could have got there is by your uploading account, or the server itself being compromised.

If it's your server, as I'm guessing from the fact it responds to a direct query by IP address, you need to flatten it and reinstall from up-to-date software, use new passwords, and check your own client machines you're uploading from for infections.

bobince
Thnx. I submitted a help ticket to the hosting company, hostexcellence.com
Jesse
+1  A: 

The first part will redirect all visitors coming in from Yahoo and Google to 87.248.180.89.

The second part ("allow, deny") will deny access to your site for everybody.

I suggest simply deleting the .htaccess and being done with it.

Piskvor
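Added example, not part of any answer on this page: a small Python check for the pattern described above, a RewriteRule that sends visitors to another host, optionally gated on referer or user agent. The function names, the `own_hosts` parameter and the sample rules (with a documentation-range placeholder address) are assumptions made for illustration.

```python
import os
import re

COND = re.compile(r'RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}', re.I)
RULE = re.compile(r'RewriteRule\s+\S+\s+(\S+)', re.I)
ABS_URL = re.compile(r'[a-z][a-z0-9+.-]*://([^/:?#\s]+)', re.I)

# Constructed sample modelled on the rules quoted in the question; the
# target is a documentation-range placeholder address, not the one reported.
SAMPLE = """\
RewriteEngine on
RewriteCond %{HTTP_REFERER} .oogle.com [NC,OR]
RewriteCond %{HTTP_REFERER} .ahoo.com [NC]
RewriteRule .* http://192.0.2.10/topic.html [R,L]
"""

def find_suspicious(text, own_hosts=()):
    """Return [(line_no, reason)] for rewrites that send visitors off-site."""
    own = {h.lower() for h in own_hosts}
    findings, cond_lines = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if COND.match(line):
            cond_lines.append(no)      # applies to the next RewriteRule
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        url = ABS_URL.match(rule.group(1))
        host = url.group(1).lower() if url else ''
        # Skip relative targets, %{HTTP_HOST}-style variables and own hosts.
        if host and not host.startswith('%') and host not in own:
            reason = 'rewrite to external host ' + host
            if cond_lines:
                reason += ' for selected referers/user agents'
            findings.append((no, reason))
        cond_lines = []
    return findings

def scan_tree(root, own_hosts=()):
    """Check every .htaccess under root; returns {path: findings}."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(folder, '.htaccess')
            with open(path, errors='replace') as fh:
                found = find_suspicious(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits
```

Run `scan_tree` over a downloaded copy of the site so that .htaccess files in subdirectories are checked as well as the one in the web root.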
A: 

Step 1: Change FTP password
Step 2: Download all files and clean
Step 3: Upload files
Step 4: Set 444 permission to all files, except custom upload folders

Remember: do not save the FTP password in your FTP client. If you suspect that your system is infected, format and install the OS, then install a good antivirus + firewall. I suggest Avast free edition and Comodo Firewall.

We have received many inquiries and we cleaned those infected sites. If your site is infected, please contact us.

Best Regards, Team HelloSystemadmin.com

Aneesh