
.htaccess Edit

Discussion in 'Black Hat SEO' started by linkdropper4, Mar 4, 2011.

  1. linkdropper4

    linkdropper4 Junior Member

    So I read this forum a lot and I never see anything I really consider blackhat. Most of the stuff I see is grey hat at most.

    I have been hacked a few times where someone edits my .htaccess file and sets up a redirect such that all the traffic I receive from a search engine is redirected to a site selling Viagra.

    Now it pisses me off when that happens, but at the same time that is so freaking smart... and it is blackhat 100%.

    Anybody know how to do this? I can find stuff all over the internet about preventing it which is dandy, now I can avoid doing it, but the idea is genius and I want to do it.
     
  2. godsfriend

    godsfriend Registered Member

    Simple htaccess-hacking isn't possible, as far as I know.
    I would say your cpanel-login was hacked, or somebody
    pxssed your site... and that is blackhat 99%!

    There is no smartness in stealing others' accounts!

    Don't expect to get further info here. It could be bad karma.
    For you and the forum. Hehe,..
     
  3. wickedguy

    wickedguy Supreme Member

    That's not blackhat, not even 0%!!

    It is hacking and stealing!

    Blackhat is NOT about stealing, it is about beating and tricking the SE!
     
    • Thanks x 1
  4. geezer466

    geezer466 Regular Member

    Suggest you find some new hosting or at least sort out your login/password problem...
     
  5. linkdropper4

    linkdropper4 Junior Member

    What the hell they just got me again. This is crazy. Changed all the passwords, ensured HTACCESS on all domains was 644 so some PHP script couldn't write to it. Still rewrote all of my htaccess. Whoever owns sndoctor.com is smart even if they are a hacking thief.
     
  6. gimme4free

    gimme4free Executive VIP Jr. VIP Premium Member

    Check the files on your site, you probably have a backdoor somewhere.
     
  7. shudogg

    shudogg Regular Member

    You probably have a shell (AKA: backdoor) script on your site somewhere. Possibly some system/script on your site has a vulnerable hole which allows the hacker to upload a malicious script to your site. This is done through RFI (Remote File Include), XSS, etc. You probably have a script on your site that allowed the attacker to upload a shell script such as the c99 shell (most widely known, but detectable).

    Another possibility is you downloaded a RAT (AKA: Trojan, backdoor, keylogger). A RAT is a virus that allows the attacker to connect/control your computer at any time. They can do whatever they want, so long as it is a feature of the RAT. Such as log keystrokes, pull up saved passwords, turn on webcam, microphone, lock keys, mouse, run/upload files... Basically they control your entire computer. They could have gotten your login details for your site (cpanel, whm, or FTP) by logging your keystrokes.

    Another possibility, if you're on a shabby hosting service and someone else on the same server as you got rooted (a shell uploaded, or some other method of gaining root access to the server), and the web hosting provider sucks at security, allowing them to traverse to your user account as well. This is less likely, but possible.

    I am sure there are some other possible explanations as well. Maybe some weird WordPress plugin you added to a site...? Who knows, there's dozens of ways. The above are generally the most common.

    Oh, also, if the server is not secured properly, they could have public FTP access allowing this as well.

    DO THIS:

    If you have root access (i.e. on a dedicated server) you can install a rootkit detector or backdoor detector (same thing). It is kind of like an antivirus scanner, only for your web server. It will detect most rootkits (unless encrypted/obfuscated and not publicly spread). Remove any rootkits. Inspect all sites, scripts, services running to ensure it isn't a possible entry point. You could track through log files if you have root access to the server, patience, and experience to know what to look for. This would help you find exactly how they got in so you know where your hole is. Only experienced users with this kind of stuff and server security will be able to do this.

    If you aren't on a dedicated server (you're on shared hosting), then contact them and tell them what is going on, and ask them to scan the server for rootkits. There isn't much you can do (aside from finding the vulnerable script, or finding the actual shell/rootkit lying on your server... if it even is there).

    If you know the exact time the attack happened (look at .htaccess modified time), then look at the server access log file at that exact time frame to find what URLs were accessed on your server; you may be able to find the cause. If the issue is the access through public FTP and you're on a shared server, then the webhost will have to fix that as root access is required to change this setting.

    If it is due to a RAT/keylogger on your computer... then honestly, format the computer. Yeah, you can use a good antivirus, even 5 different ones. Kill all startup apps, clean it the best you can. But you never are 100% sure it is gone. People can have apps bind to known processes (explorer.exe which is required) so it will never show in the startup list, and you will never find it in the Task Manager process list... Just back up, and format. You can never be too safe.

    Get on a friend's computer, or a computer you know can't possibly be infected. Go and change all your passwords etc. (it is dumb to do this on your PC if they are keylogging you, lmao they will see your new passwords). Might as well change bank passwords, PayPal passwords, and anything else you don't want someone getting into. You don't know how much they have seen.


    Some may say this is overkill... Ok, if you know 100% it is on your server and not a virus on your computer, fine... But if you're not positive, then just do it. You haven't seen half the shit I have, it's pretty fucked up what people can do. Just some advice...
     
    • Thanks x 2
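The log check suggested in the post above (take the .htaccess modified time, then read the access log around it) can be scripted. This is an added example, not code from any poster in the thread; the function names, scoring weights, sample log lines and timestamp are constructed for illustration, and it assumes Apache's common/combined log format.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def htaccess_mtime(path):
    """Last-modified time of a file as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(log_lines, modified_at, window_minutes=5):
    """Return (score, ip, method, path, status, time) tuples for requests
    within +/- window_minutes of modified_at, most suspicious first."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - modified_at) > window:
            continue
        # Heuristic weights (assumption): a successful POST to a script is
        # the usual shape of a web shell or vulnerable uploader being used.
        score = 0
        score += 2 if m["method"] == "POST" else 0
        score += 1 if m["path"].split("?")[0].endswith(".php") else 0
        score += 1 if m["status"] == "200" else 0
        hits.append((score, m["ip"], m["method"], m["path"], m["status"], ts))
    return sorted(hits, key=lambda h: (-h[0], h[5]))

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Mar/2011:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2011:14:31:58 +0000] "POST /uploads/img_cache.php HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.7 - - [04/Mar/2011:14:33:05 +0000] "GET /products.html HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Mar/2011:14:50:00 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "-"',
]
SAMPLE_MTIME = datetime(2011, 3, 4, 14, 32, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in requests_near(SAMPLE_LOG, SAMPLE_MTIME):
        print(hit)
```

On a live server, pass `htaccess_mtime("/path/to/.htaccess")` and the lines of the real access log; the top-scoring path is the first file to inspect.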
  8. Santini

    Santini Junior Member

    Fantastic post Shudogg, thank you. I don't have these problems but you never know when they may happen so I have copied and pasted it into my personal troubleshooting guide. I