Reply To: htaccess files keep getting inserted

Home Forums Support Forum htaccess files keep getting inserted Reply To: htaccess files keep getting inserted


Anti-Malware Admin
Key Master

This is, unfortunately, a fairly typical situation you are describing. If you are hosting many sites on a shared hosting account with any of the major mass-hosting providers then one small break on any one site can lead to a massive widespread infection on all your sites. The main issue is that there is absolutely not internal security protecting all your sites from crossover contamination. Once you have a self-replicating threat on your account it simply copies itself to to every directory that it has access to (which is essentially all the folders on all your sites). At which point, the all the infected sites collaborate in rapidly re-spreading this threat into any place where you might be temporarily successful at removing it.

Therefore, the only way to remove this type of threat is a well-timed all-encompassing mas-removal of every infection on every site at the same time, thus removing any chance it might have to reduplicate. My plugin can be useful in removing these threats from a whole site very quickly but you sill have to make sure that each site is cleaned at the same time so that they cannot reinfect each other. If even one of these active scripts is missed then you will soon find yourself right back where you started.

Ideally, you would have a hosting environment that could “chroot” (isolate and make a virtually separate filesystem for) each site so that they cannot infect each other. This would make it easy to clean each site and keep them from getting reinfected. Then you could quickly ascertain which or your sites was responsible for this breach and work towards patching the original exploit. But this screamingly obvious solution goes against the ease of access that you and your hosting provider have grown accustomed to, and it would cripple you current control panel access. Think of like this, your control panel is nothing more than a set of PHP scripts that give you full control over all the sites on your account; any malicious planted on your site has the exact same access and therefore the same control over all your site.

I know this is not the simple solution you were probably hoping for, but I wanted to paint a picture of the true nature of the unfortunate position you find yourself in so that you can start to understand the complexity of the many tactics that you might employ to combat this problem. With the understanding that this infection is exacerbated by the lax security of your hosting provider and multiplied by the sheer number of sites that you have on this account, I see two main approaches for you to take:

a. Move all, or most, or at least some of your sites to another (hopefully more secure) hosting provider in order to compartmentalize your infection so that it is easier to treat in smaller doses.

b. Devote a lot of energy and effort into a full-scale coordinated attack against every threat on your system at once, being aggressively vigilant and relentless on every front until you have squashed your opponent completely.

With each of these approaches there are many different branches which can more or less effective depending on the nuances of your specific variant. The import thing to remember in your specific circumstance is that there are at least three objectives:

1. The most obvious damage to your sites are these .htaccess files, which are crippling each site and clearly need to be removed in order to restore normal functionality.

2. More important are the PHP scripts that are injected into various hiding places with your sites normal code, which are responsible for creating all those .htaccess files and also replicating themselves into other parts of your site and probably your other sites as well. All these must be removed together to ensure that none are left to make more clones all over again.

3. Most importantly, you need to find the security vulnerability or exploit that allowed the original threat to be planted on your account in the first place. Unfortunately, this is also the hardest part of the process and also might only be able to be found by a skilled professional and/or maybe only after repeated breaches and further re-infections which might reveal a pattern or leave a trail back to the open door.

I realize this might have created more questions that it has answered for you so please feel free to write back if you need more clarity or help with any specific problems you encounter.