Automated backup recovery script added to the cron jobs

We figured out that the .htaccess files were getting hacked about every 71 minutes, with a few random exceptions. We could not keep running my automated script every hour so I made a bash script from the command line and set up a cron job to run the script once every minute. If it found any differences between the .htaccess file and the .htaccess.bak file then it would overwrite the changes immediately, and send us an email.

Tags: , , ,

2 Comments on "Automated backup recovery script added to the cron jobs"

  • On August 7, 2013 at 10:14 pm, Will Chapman said:

    Two incidents happened yesterday – first my main sitebegan throwing 403 errors. On investigation I found that index.php permissions were set at 0. Quick fix, rset to 644 and all was well.

    A few hours leter, another site began throwing 403 errors. A quick look via ftp failed to show any files with no permissions so I checked .htaccess and at the top of the file I found:
    deny from all
    allow from 86.152.223.55
    allow from 81.152.4.150
    allow from 86.147.223.27
    …followed by the usual Word Press instructions

    According to Project Honeypot all of these IP's seem to be bonafide however as this was the only .htaccess containg those lines (in my 6 websites) I blocked them out by starting the 4 lines with #. Result: website working normally again.

    Was I hacked or is there some other explanation?

    Regards

    Will

    Reply
    • On August 7, 2013 at 11:02 pm, Anti-Malware Admin said:

      It sounds like you were hacked.

      For your .htaccess file to block all acceess except for a few choice IP addresses would not normally be a desirable setup.

      Funky permission is a common side effect of some hacker techniques.

      When you find a file that may have been tampered with your should check the modified time of that file and compare it too entries in your error log, raw access log, and FTP log for coinsiding events that may tell you how the file was modified.

      Did my plugin pick up any Know Threats on a Complete Scan?

      Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>