WTF

Status
Not open for further replies.

Leo(T.C.K.)

I did something m0tarded and now I have read only access! :(
May 14, 2006
4,794
36
48
Did someone hack Unrealtexture.com? It redirects me to http://tabletpillsmeds,com/

I checked the ftp and the files seem to be there, but wtf is this redirect.

EDIT: Looks like main site works, but the user subsites still redirect to that crap.
 

Diehard

New Member
Yes the site somehow got hacked, and my host is investigating the issue.

I looked all over to find what is going on, and just an hour ago I found out that the .htaccess file got compromised and it contained the following lines:

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*baidu.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*qq.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*netscape.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*hotbot.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*goto.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mamma.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*lycos.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*blog.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*myspace.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*linkedin.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*infoseek.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*mail.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://tabletpillsmeds,com [R,L]
ErrorDocument 401 http://tabletpillsmeds,com
ErrorDocument 403 http://tabletpillsmeds,com
ErrorDocument 404 http://tabletpillsmeds,com
ErrorDocument 500 http://tabletpillsmeds,com

I changed the meds.com into meds,com to prevent it from gaining ranking in Google. (You should edit your post in the same manner, Leo)


I cleaned out the file and it seems to have solved the issue for the moment. But what I would like to know is how they got access to the site and were able to change that file.

All the passwords will be changed and that also includes the passwords for all the FTP accounts. But I am waiting for my host to have them tell me where the site was breached.

In the meantime I did remove several functions and databases on the site that could have caused the illegal access to the site. But it might also be possible they used an exploit through the forums, and they are gonna be updated as well, but that's a bit more tricky.


In itself no real damage was done, it seems, except for the retarded redirect to that other site. They also hid it from me simply by keeping the site itself functional. So only clients on the site that get a 400-500 error handling are being redirected. And that also included any section on the site that has no direct linkage to the main page, hence the fact your section was affected too.
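
The pattern in the quoted .htaccess (a redirect that fires only for visitors arriving from a search engine or social site, plus error pages pointed off-site) can be checked for mechanically. The following is an added example, not part of the original post: the function names, the `redirect.example` placeholder domain and the `www.example.org` site host are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the quoted directives; placeholder domain.
SAMPLE = """\
Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.*$ [NC]
RewriteRule .* http://redirect.example [R,L]
ErrorDocument 404 http://redirect.example
ErrorDocument 403 /errors/403.html
"""

def external_host(target, own_hosts):
    """Host of an absolute http(s) URL that is not one of ours, else None."""
    target = target.strip('"')
    if not re.match(r"(?i)https?://", target):
        return None          # local path or plain-text error message
    host = (urlparse(target).hostname or "").lower()
    return host if host and host not in own_hosts else None

def audit_htaccess(text, own_hosts=()):
    """Return (line_no, kind, host) for every off-site redirect directive."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []   # conds: RewriteCond test strings awaiting a rule
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            conds.append(parts[1].upper())
        elif directive == "rewriterule":
            host = external_host(parts[2], own)
            if host:
                gated = any("HTTP_REFERER" in c for c in conds)
                kind = "referer-gated redirect" if gated else "external redirect"
                findings.append((no, kind, host))
            conds = []         # conditions apply only to the next RewriteRule
        elif directive == "errordocument":
            host = external_host(parts[2], own)
            if host:
                findings.append((no, "external ErrorDocument " + parts[1], host))
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, own_hosts=["www.example.org"]):
        print(finding)
```

Run it over every .htaccess under the document root, subdirectories included, since a referer-gated rule is invisible to an owner who opens the site directly.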
 

Leo(T.C.K.)

Let me know after you change the passwords through email, so I can still get to my stuff etc. Maybe you should change host, or somehow host it yourself? That is if possible, it seems this host isn't too reliable to me.
 

Diehard

Yeah no worries, if I change the passwords, then I'll notify you upfront with the new data. As for the host, it is so far the most reliable host I had, and this host does allow a monster bandwidth and a sheer endless inodes on the site, where most hosts have a 50000 inode limit. And UnrealTexture uses 163000 inodes, so I can't complain. And before the site was split it consumed over 500 gig of bandwidth a month. And that's a lot, and they never complained.


And though my knowledge is limited on site related stuff, there's a chance that they somehow got hold of the password due to a virus infection on my computer. Or it's an exploit that used the forums to gain access. In both cases it's not the host's fault.


And a possible infection on my system is difficult to check right now. And that slows down everything because I need a clean system to change all passwords.


And in the past I had a similar problem on the CelticWarriors site. There too an exploit on the forums was used. And when that happened the host went down completely. All sites they were hosting including the gameservers and parts of GoDaddy went down. The exploit was used to transfer petabytes of data, so much that the whole company went down for a couple of days.


You cannot always blame the host, and right now it's unclear to me who's to blame. But in the end it's the ass that broke into the site that caused it......
 

Leo(T.C.K.)

Well, I have heard some bad things about such hosts (someone called it a scam), but yeah for people who are not real network experts and who need so much bandwidth or space I guess it is a good solution, but I wouldn't trust the host blindly either. But so many sites use such hosts anyway, but then again they are often seen to go down in years or have troubles..

This is kind of puzzling though, but I may know of someone who has a lot of technical skills regarding that and perhaps could even help you with hosting the site or maintaining it. Although not sure if he would want to, but he has the skills there to do it all properly or help you host it yourself, without relying on third party companies.

Just thoughts/suggestions.
 

Diehard

According to the FTP logfiles, on March 16th 2011 they made an attempt to switch the .htaccess file but failed for whatever reason. They did a second attempt on March 19th 2011 which was successful. It does mean they must have gotten my login data somehow, and I suspect they got it in November last year when I already was forced to reinstall my computer due to a nasty infection.


It will take at least a few days to deal with the whole situation because I need to reinstall my computer just to make sure it's not infected right now. And everything on my end already was slow due to my illnesses, and this ain't helping of course. But as soon as I have reinstalled everything I'll change all the passwords.


Hosting myself is not an option. My ISP clearly forbids it, which was also the reason I never really was able to run larger Unreal servers. Officially I am not even allowed to run a TeamSpeak server. In that respect my ISP sucks alright.


But aside from that, I did run a few illegal servers in the past until I got the power bill for them. And electricity over here is so expensive that it's a lot cheaper to rent a server or website.
 

Leo(T.C.K.)

I thought anyone can host a server really. I mean for me it was just a matter of port forwarding on the router but I can run servers, I run a server for the Daikatana game now, from this laptop. Not a 24 hour server of course, but if I had a machine I could use for a 24 hour run I would do so.
 