Register Members List Search Today's Posts Mark Forums Read

Reply
 
Thread Tools
  #1  
Old 10 Aug 2011, 21:46
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
.htaccess deleting it self

whats going on with my forums my .htaccess is deleting it self.

Some1 hacked my FTP and changed my forum directory to /TriiX, I Noticed, change FTP password and fixed, now i put .htaccess, 20min later its gone from my FTP.

How is this possible? please help i think its deleting it self.
Reply With Quote
  #2  
Old 10 Aug 2011, 21:51
HMBeaty HMBeaty is offline
 
Join Date: Sep 2005
Real name: Brooks
Have you changed all of your passwords? Server? FTP? etc?
Reply With Quote
  #3  
Old 10 Aug 2011, 21:53
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
just changed Godaddy account pass, so that and FTP are now "safe" im not sure how they gained access in first place.

hopefully it wont delete now >.< (Also changed forum admin password)

Is it common for only .htaccess to delete it self?
Reply With Quote
  #4  
Old 10 Aug 2011, 21:54
HMBeaty HMBeaty is offline
 
Join Date: Sep 2005
Real name: Brooks
Originally Posted by daydie View Post
just changed Godaddy account pass, so that and FTP are now "safe" im not sure how they gained access in first place.

hopefully it wont delete now >.< (Also changed forum admin password)

Is it common for only .htaccess to delete it self?
No.
Reply With Quote
  #5  
Old 10 Aug 2011, 22:02
nhawk nhawk is offline
 
Join Date: Jan 2011
It looks like you'll need to upload the original index.php file for vBulletin again. And make sure there is no other index file in the main site folder.

The one that's there could very well be deleting the file.
Reply With Quote
  #6  
Old 11 Aug 2011, 02:29
Lynne's Avatar
Lynne Lynne is offline
 
Join Date: Sep 2004
Real name: Lynne
Are you sure you don't have your ftp client set to not show invisible files? If you can't see invisible files, you won't be able to see your .htaccess file. Also, does godaddy allow you to have .htaccess files?
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
Reply With Quote
  #7  
Old 11 Aug 2011, 07:07
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
yeah, my site been working fine now. must of been some1 accessing my godaddy account on the web. thanks anyways guys aprichate it

--------------- Added 11 Aug 2011 at 07:12 ---------------

Just saw my index file and it has this:

<html>

<head>

<!--

Well done for being able to read the source code.



MSN - root@unloyal.co.uk

Email - im@purv.org



~~ TriiX

-->

<style type="text/css">

body {

background-image: url(http://www.purv.org/deface.jpeg);

color: white;

}



h1 {

color: red;

}

</style>

<SCRIPT LANGUAGE="JavaScript">

var text=" [root@secureserver]~ cat message.txt<br> \

Good evening, David.<br> \

You're on a secure host? Uh-oh, I don't think so!<br> \

The index is the only page I have touched, nothing else.<br>Consider this a warning<br> \

If you can't secure a forum, then don't run one.<HR> \

Want help to secure it? Via being a techy or a host? Alternately, want to cry?<br> \

<b>MSN - root@unloyal.co.uk<br>Email - im@purv.org</b> \

I'll be waiting to hear from you.<br><br> \

Much love<br> \

TriiX \

<br><br><br> \

[root@secureserver]~ logout";

var delay=50;

var currentChar=1;

var destination="[none]";

function type()

{

//if (document.all)

{

var dest=document.getElementById(destination);

if (dest)// && dest.innerHTML)

{

dest.innerHTML=text.substr(0, currentChar)+"_";

currentChar++;

if (currentChar>text.length)

{

currentChar=1;

setTimeout("type()", 9000);

}

else

{

setTimeout("type()", delay);

}

}

}

}



function startTyping(textParam, delayParam, destinationParam)

{

text=textParam;

delay=delayParam;

currentChar=1;

destination=destinationParam;

type();

}

</SCRIPT>

<title>GreeTz</title>

</head>

<body>

<div align="center">

<iframe width="1" height="0" src="http://www.youtube.com/embed/zOopudSHS0c?autoplay=1" frameborder="0" allowfullscreen></iframe>

<h1><b>Hacked by TriiX</b></h1><br>

<DIV ID="txt">

<SCRIPT LANGUAGE="JavaScript">

javascript:startTyping(text, 50, "txt");

</SCRIPT>

</div>

</div>

</body>

</html>

--------------- Added 11 Aug 2011 at 07:13 ---------------

How the hell has he done this?

Is Vbulletin secure? i have the latest and latest patch, Is it v bulletin or GoDaddy that is vulnerable?

Is their any way he can change index source without accessing FTP?
Also Is it possible he can access config somehow to see data to get password? im kind of worried now. If my forum grows and this happends im ++++ed. =/

Last edited by daydie; 11 Aug 2011 at 07:35.
Reply With Quote
  #8  
Old 11 Aug 2011, 11:51
nhawk nhawk is offline
 
Join Date: Jan 2011
It's GoDaddy not vB.

I had something similar happen a couple of years back with another type of site. The site ran fine for nearly 8 years on a dedicated server, but due to the economy the owner decided to move the site to GoDaddy to save money. Within one month of the move the site was hacked in a similar manner. It was not hacked with FTP, or by obtaining any of the site passwords. It was hacked directly from root access to the server. The site was immediately moved back to a dedicated server under my control and the site has never been hacked since.

Despite what they say, in my opinion GoDaddy does not secure their servers very well. That's entirely my opinion and not intended to bash them.

But keep in mind whether on a dedicated server or a shared server, security is always the responsibility of the site owner not the provider.

Last edited by nhawk; 11 Aug 2011 at 11:56.
Reply With Quote
  #9  
Old 11 Aug 2011, 12:11
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
never, how can i prevent this?

Your exactly rite, im speaking to the hacker but he wont tell me know. He said something about Shell i dunno.

I really need to stop this. He can do ANYTHING he wants.

--------------- Added 11 Aug 2011 at 12:26 ---------------

i think its because its shared, he said any site in shared hosting on my account, can lead to ssh exploit or something and can access all files on that server and databases

balls. i dunno wot to do.
Reply With Quote
  #10  
Old 11 Aug 2011, 12:38
setishock setishock is offline
 
Join Date: Feb 2008
You need to find another host like PDQ. Quit playing with them.
__________________
Working on new projects and expanding our horizons. Come by and see what we're up to now.
Reply With Quote
  #11  
Old 11 Aug 2011, 15:00
KProjects KProjects is offline
 
Join Date: Feb 2006
Have you contacted godaddy about it? It sounds like he has root access to the server therefore can simply cd into your (or anyone else on that shared server) docroot and change whatever he wants.

Tell godaddy to secure their server or switch to a better host.
__________________

Stop Spammers
Reply With Quote
  #12  
Old 11 Aug 2011, 23:44
daydie's Avatar
daydie daydie is offline
 
Join Date: Oct 2007
ive asked them, they simply said:

The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified.
Reply With Quote
Reply



Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


New To Site? Need Help?

All times are GMT. The time now is 14:39.

Layout Options | Width: Wide Color: