Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


Old 04-10-2009, 04:14 AM   #1
LQ Newbie
Registered: Oct 2006
Posts: 7

Rep: Reputation: 0
Site compromised...htaccess modified

I host a few sites on my own server and recently one of them was compromised. I was alerted by Google that they were dropping me from their index due to hidden links. Upon further inspection I found that my .htaccess file was altered with:

RewriteCond /home/sitename/public_html/mailer/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteCond %{REQUEST_URI} !ca0272.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /mailer/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]

I have removed the files and so far things are ok.

My question is what would allow this type of thing to happen? I assume my username and password would have to be known to do this?

Any suggestions on starting points where I should look to fix things?

As well I need to get my site reindexed as it is important to me and I was thinking of hiring some kind of outside service to review my server setup security wise. Any recommendations on such service providers that are reasonably priced?
Old 04-10-2009, 08:11 AM   #2
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Your .htaccess file(s) should be owned by root, group apache and mode should be 0640 for starters (the mode can be 0644 but probably better 0640). Generally, the files and directories in your htdocs directory ought to be owned by root, group apache (or root) and mode set as restricted as necessary to be usable (but no public read, write or execute) -- this depends upon the application, but generally directories can be mode 0750 and files mode 0640 unless the files need to be executable in which case you want to set them to 750 (start with the most restrictive and change mode(s) if things don't work right).

Check your log (probably /var/log/messages) to see if somebody managed to guess a password and get into your system. You're looking, mostly, for log entries that contain the pattern sshd or password.

If somebody did guess a password, you've got some work to do -- first, change the root password to a pattern containing letters, punctuation and digits at least eight characters long. Look at /etc/shadow (this is where the passwords are actually stored); it should look pretty much like this
user accounts start here
All that gobbledygook on the first line is the encrypted root password; the only account (other than user accounts) that should have a password in this file is root -- all the rest should be an asterisk!

Consider installing DenyHosts, which dynamically identifies bad actors and denies them access to your system with entries in /etc/hosts.deny; it also shares bad actors world-wide with other DenyHosts users (so you get a pretty good list of hosts to deny access to your system).

Consider installing IPTABLES country ban entries; ban at least China, Korea and possibly Russia, Bulgaria, Japan, India and Pakistan (where most of this crap comes from). You can get appropriate entries for doing this at

Nobody (no user) needs read-write access to your htdocs tree -- including "you." Review the owner, group and mode settings and change them if needed. Change all your passwords (letters, punctuation and digits) and force your users to do the same (see the -e option for the passwd utility). If you have dead accounts, use the -i or -d option for the passwd utility to disable them.

Hope this helps some.
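A small log-review helper for the "sshd or password" search suggested in this reply, added here as an example and not part of the original post. It assumes a syslog-style sshd log; the log lines embedded below are constructed for the demo (on a real box the file is /var/log/messages, /var/log/secure or /var/log/auth.log depending on the distribution), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd password events in a
# syslog-style log so a brute-force run followed by a successful password
# login stands out. Sample log lines are constructed for the demo.

# Constructed sample log; 203.0.113.7 fails three times and then gets in as root.
sample_log() {
    cat <<'EOF'
Apr 10 03:01:12 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 10 03:01:15 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Apr 10 03:01:19 host sshd[2214]: Failed password for root from 203.0.113.7 port 40130 ssh2
Apr 10 03:02:40 host sshd[2220]: Accepted password for root from 203.0.113.7 port 40151 ssh2
Apr 10 07:15:02 host sshd[3100]: Accepted publickey for alice from 198.51.100.4 port 51022 ssh2
Apr 10 07:20:55 host cron[3150]: (root) CMD (run-parts /etc/cron.hourly)
EOF
}

# Count failed password attempts per source address, highest count first.
# Output: one "ip count" pair per line.
failed_by_ip() {
    grep 'sshd\[' "$1" | grep 'Failed password' \
      | sed -E 's/.* from ([0-9.]+) port.*/\1/' \
      | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# List successful password logins as "user ip" (key-based logins are ignored;
# a password login after a burst of failures is the one to worry about).
accepted_passwords() {
    grep 'sshd\[' "$1" | grep 'Accepted password' \
      | sed -E 's/.* for ([^ ]+) from ([0-9.]+) port.*/\1 \2/'
}

# Print addresses that failed at least $2 times (default 3) and then logged
# in with a password: the signature of a guessed password.
brute_force_then_success() {
    log="$1"; threshold="${2:-3}"
    failed_by_ip "$log" | while read -r ip n; do
        if [ "$n" -ge "$threshold" ] \
           && grep -q "Accepted password for .* from $ip port" "$log"; then
            echo "$ip"
        fi
    done
}

# Run with "--demo" to see the report on the constructed sample, or call the
# functions with a real log path, e.g. brute_force_then_success /var/log/secure 5
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp "${TMPDIR:-/tmp}/authlog.XXXXXX")
    sample_log > "$tmp"
    echo "failed attempts per source:"; failed_by_ip "$tmp"
    echo "password logins:";            accepted_passwords "$tmp"
    echo "guessed passwords from:";     brute_force_then_success "$tmp" 3
    rm -f "$tmp"
fi
```

Once a source shows up in the last report, the account it logged in as should be treated as compromised and its password changed, as the reply says; the same grep-and-count approach works on the /var/log/messages pattern the post mentions.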
Old 04-10-2009, 10:15 AM   #3
Registered: Jan 2002
Location: Labrador, Canada
Distribution: CentOS, Debian
Posts: 182

Rep: Reputation: 35
It sounds like bhm8hwcm is doing virtual hosting (more than one domain) with webroots at /home/*/username/public_html. So the security of Apache's htdocs directory isn't really the issue here.

A quick google for "incladd.php" turns up lots of similar incidents. The cause is most likely an exploited web script running on the affected domain, possibly Joomla or an addon or some other CMS/blog/forum package.

What I'd suggest you do is:

- Take the site offline now before it creates more trouble.
- Research "incladd.php" to find commonalities with your setup, to identify the source of the problem. Fixing .htaccess is not a solution, it will happen again.
- Rebuild the site from scratch, using the latest version of all web applications. Be very wary of any third-party modules.

Regarding ownership and permissions, all files and directories should be owned by the account user. Permissions for files should be no higher than 644 (including .htaccess), and directories no higher than 755.

Some CMSs/blogs/forums instruct you to chmod .htaccess to 777 so that the setup script can write to it. Once the setup is done you should immediately change .htaccess permissions to 644, or else you're wide open to this kind of exploit. Any file or directory that is writable by Apache can lead to trouble if you are running a web application that has known exploits.

Last edited by sleddog; 04-10-2009 at 10:20 AM. Reason: Bad link
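An audit script for the two things this reply and the original post point at: an injected .htaccess that funnels every .php/.html request through another script, and files or directories left writable beyond the 644/755 ceilings. It is added here as an example and is not code from the thread; the webroot it builds under a temporary directory, the vhost names and the copy of the injected rules are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a virtual-hosting webroot for
# (1) .htaccess files carrying a catch-all RewriteRule that hands the real
#     SCRIPT_FILENAME to a different script, or a RewriteCond that tests for
#     a dropped file by absolute path, as in the rules quoted in the post, and
# (2) files above mode 644 / directories above mode 755 (group- or
#     world-writable, or files with any execute bit).
# All paths and contents below are constructed for the demo.

# Print .htaccess files under $1 that match either injected-rule pattern.
find_injected_htaccess() {
    root="$1"
    find "$root" -name .htaccess -type f 2>/dev/null | while read -r f; do
        if grep -Eq 'RewriteRule .*[?][^ ]*=%[{]SCRIPT_FILENAME[}]' "$f" \
           || grep -Eq '^RewriteCond[[:space:]]+/[^[:space:]]+[[:space:]]+-f' "$f"; then
            echo "$f"
        fi
    done | sort
}

# Print directories with a group/other write bit and files with any bit
# outside 644 (group/other write, or any execute bit).
find_loose_perms() {
    root="$1"
    {
        find "$root" -type d \( -perm -g+w -o -perm -o+w \)
        find "$root" -type f \( -perm -g+w -o -perm -o+w \
                                -o -perm -u+x -o -perm -g+x -o -perm -o+x \)
    } | sort
}

# Build a throwaway webroot with one clean vhost and one that looks like the
# compromised site (injected .htaccess plus a 777 "mailer" directory and file).
make_demo_root() {
    demo=$(mktemp -d "${TMPDIR:-/tmp}/htaudit.XXXXXX")
    mkdir -p "$demo/site1/public_html/mailer" "$demo/site2/public_html"
    # constructed copy of the rules quoted in the first post
    cat > "$demo/site1/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond /home/sitename/public_html/mailer/incladd.php -f
RewriteCond %{REQUEST_URI} !incladd.php$
RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /mailer/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]
EOF
    # ordinary redirect rule on the second vhost
    printf 'RewriteEngine On\nRewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n' \
        > "$demo/site2/public_html/.htaccess"
    touch "$demo/site1/public_html/index.php" "$demo/site1/public_html/mailer/incladd.php"
    chmod 644 "$demo/site1/public_html/index.php" \
              "$demo/site1/public_html/.htaccess" "$demo/site2/public_html/.htaccess"
    chmod 755 "$demo/site1" "$demo/site1/public_html" "$demo/site2" "$demo/site2/public_html"
    # the "installer told me to chmod 777" leftovers the reply warns about
    chmod 777 "$demo/site1/public_html/mailer" "$demo/site1/public_html/mailer/incladd.php"
    echo "$demo"
}

# Run with "--demo" for the constructed tree, or point the two find_* functions
# at a real webroot such as /home.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_root)
    echo "suspicious .htaccess:"; find_injected_htaccess "$root"
    echo "loose permissions:";     find_loose_perms "$root"
    rm -rf "$root"
fi
```

The permission check deliberately reports anything above the reply's ceilings rather than only world-writable entries, so a 755 file or a 775 directory left by a setup script is listed too; decide per hit whether the application really needs it, and fix the exploited script before tightening .htaccess, since the rewrite will otherwise come back.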