Re: .htaccess is being written on the website without my permission
Colton J. Provias
Feb 7, 2012 3:21 PM
Posted in group: Malware & hacked sites
redleg: My website has been clean after removing dotProject and in turn wp-raikc.php.
BBSD: If I recall, DreamHost runs Apache as the same user as your FTP/Shell account. Thus the script will still have the ability to reset the permissions of .htaccess. Also, have you checked the code for everything within the same user account? By running multiple websites on one account, a script has access to everything that account has access to.
Also, looking at my access.log file, the calls to wp-raikc.php came in pairs separated by a second or two. Every one had the same user agent ("Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"). They all were POST calls to wp-raikc.php and returned successful. Each pair alternates with the numbers 391 and 286. And finally, about half of the requests come from an IP address of the following format: 188.120.*.*
Example lines from my access.log:
188.120.*.* - - [06/Feb/2012:16:22:29 -0800] "POST /dotProject/wp-raikc.php HTTP/1.1" 200 391 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
188.120.*.* - - [06/Feb/2012:16:22:30 -0800] "POST /dotProject/wp-raikc.php HTTP/1.1" 200 286 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
(IP address hidden in case it's a computer being used as a proxy)
So my recommendation would be to check your access.log file (located in the logs folder in your shell account if you are on DreamHost).
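An added example, not part of the original post: one way to triage an Apache combined-format access.log for the pattern described above (successful POSTs to the same .php file from the same client and user agent, a second or two apart). The function name, the 2-second window and the sample lines are assumptions; the sample uses documentation-range IP addresses and is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, as in the example lines in the post.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)

def paired_php_posts(lines, window=timedelta(seconds=2)):
    """Return (ip, path, first_timestamp, (size1, size2)) for successful POSTs
    to one .php path from one client and user agent arriving within `window`."""
    by_key = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        if m["method"] != "POST" or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if not path.lower().endswith(".php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        by_key[(m["ip"], path, m["ua"])].append((ts, m["size"]))
    findings = []
    for (ip, path, _ua), hits in by_key.items():
        hits.sort()
        # Compare each request with the next one from the same client.
        for (t1, s1), (t2, s2) in zip(hits, hits[1:]):
            if t2 - t1 <= window:
                findings.append((ip, path, t1.isoformat(), (s1, s2)))
    return findings

# Constructed sample: one suspicious pair plus two ordinary requests.
UA = "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
SAMPLE_LOG = [
    f'203.0.113.7 - - [06/Feb/2012:16:22:29 -0800] "POST /dotProject/wp-raikc.php HTTP/1.1" 200 391 "-" "{UA}"',
    f'203.0.113.7 - - [06/Feb/2012:16:22:30 -0800] "POST /dotProject/wp-raikc.php HTTP/1.1" 200 286 "-" "{UA}"',
    '198.51.100.4 - - [06/Feb/2012:16:25:02 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Feb/2012:16:40:10 -0800] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in paired_php_posts(SAMPLE_LOG):
        print(finding)
```

A hit is only a lead: legitimate forms can also be submitted twice in quick succession, so check whether the reported path is a file you actually installed.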