Recovering from a .htaccess redirect hack

One of the most common attacks on websites seems to be the creation of a malicious .htaccess file.  This is normally accomplished by finding security vulnerabilities within the code running on your site.  Usually a custom PHP file is uploaded that is then executed to perform any additional functions required to carry out the attack.

If you are running a common framework or CMS such as Symphony, CakePHP, WordPress, Drupal or Joomla, it is easier for the attacker to find these vulnerabilities since the codebase is public.  Always make sure you are running the latest version of the framework you are using to help reduce security threats.  When an update is released it usually comes with a list of security fixes.  This list can also be read as a list of vulnerabilities present in any previous version.

If you are running your own codebase, you should perform regular security audits.  Areas to focus on are forms and areas that allow uploading or creating files.  Be sure to filter filenames so that they cannot contain directory paths, a “php” extension or the name “.htaccess”.  There are plenty more things to consider, but those are outside the scope of this post.

Let's get down to business!

(Note that the commands below assume you have shell access to your site on a Linux-based server.)

If you have been hacked with a malicious .htaccess file, you may not notice immediately.  These types of attacks are normally crafted so that visiting the site directly appears to work as normal, but visiting the site from a search engine or perhaps from another site triggers the attack.  View your main .htaccess file to see if it looks out of the ordinary.  You can also find all .htaccess files within your site by issuing the command below from within your site root directory.

This will output something like…

You can now check one of the .htaccess files to see if there is any malicious code in it by issuing the following command…

Which may yield something like this…

Looking at the above contents of the .htaccess file, you notice that it has a RewriteRule to redirect people to http://aklmn.com/mzos.html?h=1272040  This is not something we want.  Yours will most likely be different than this, but it will be similar.  Some are a lot more sophisticated and will have a lot more RewriteCond statements.

Now we want to get rid of all these malicious .htaccess files.  Let's find a unique string in the file that we won't have in any of our legitimate files and do a search for it.  Run the command below, replacing my string with the one you picked.  In this case I picked “http://aklmn.com”.

This should now show you a list of all the infected .htaccess files.  If all the files in that list can be deleted, issue the following command to delete them.  Again, be sure to replace my string of “http://aklmn.com” with yours.

You have now successfully removed all your malicious .htaccess files.  If you had a custom .htaccess file, it may need to be restored from a backup.

Now that you have that fixed, figure out why it happened.  Also look for new PHP files that may have been created which will re-create the malicious .htaccess files.
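The clean-up procedure above (list every .htaccess, search them for a unique marker string, remove the matches), written out as an added example that is not the post's own commands. It swaps deletion for quarantine so the infected files survive for log correlation; the site root, quarantine directory and sample .htaccess contents are constructed, and the marker “http://aklmn.com” is the post's example.

```shell
#!/bin/sh
# Added example, not from the original post: find .htaccess files under a
# site root, flag those containing a marker string copied from the malicious
# file, and move them to a quarantine directory instead of deleting them.
# The site root, quarantine dir and sample file contents are constructed.

# List every .htaccess file under site root $1.
list_htaccess() {
    find "$1" -type f -name '.htaccess'
}

# Print the .htaccess files under $1 whose contents include marker string $2.
# -F matches the marker literally (dots in URLs are not regex wildcards),
# -l prints only the matching file names.
find_infected_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -lF -- "$2" {} +
}

# Move each infected file under root $1 (marker $2) into quarantine dir $3,
# preserving its relative path, and print how many files are now quarantined.
quarantine_infected() {
    root=$1; marker=$2; qdir=$3
    find_infected_htaccess "$root" "$marker" | while IFS= read -r f; do
        rel=${f#"$root"/}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
    done
    find "$qdir" -type f -name '.htaccess' | wc -l | tr -d ' '
}

# Constructed sample site for a dry run: a legitimate root .htaccess plus an
# injected one in images/ that redirects search-engine referrals elsewhere.
make_sample_site() {
    root=$1
    mkdir -p "$root/images" "$root/blog"
    printf 'RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n' > "$root/.htaccess"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google\n' > "$root/images/.htaccess"
    printf 'RewriteRule .* http://aklmn.com/mzos.html [R,L]\n' >> "$root/images/.htaccess"
}
```

Run `make_sample_site /tmp/site` followed by `find_infected_htaccess /tmp/site 'http://aklmn.com'` to review the flagged files before calling `quarantine_infected`.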

3 thoughts on “Recovering from a .htaccess redirect hack”

    • In this particular instance I did not look for the exploit. The site was passed on to other developers and I was designated to clean up the mess but not fix the problem.

  1. buliyo on

    The analysis of server logs helped find the problem.
    An infected computer was used to change the file. The virus took the FTP account access data from it, and then the changes to the files came from dedicated servers – about 15 locations.
