{"id":3131,"date":"2016-03-04T22:56:26","date_gmt":"2016-03-05T05:56:26","guid":{"rendered":"http:\/\/www.dresan.com\/blog\/?p=3131"},"modified":"2017-04-08T20:48:41","modified_gmt":"2017-04-09T03:48:41","slug":"so-it-was-a-hacked-htaccess","status":"publish","type":"post","link":"https:\/\/dresan.com\/blog\/2016\/03\/04\/so-it-was-a-hacked-htaccess\/","title":{"rendered":"So it was a hacked .htaccess&#8230;"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.dresan.com\/blog\/wp-content\/uploads\/2016\/03\/hacked-htaccess.png\" width=\"600\" height=\"490\" alt=\"hacked-htaccess.png\" \/><\/p>\n<p>So, the Dakota Frost site got hacked. May still be hacked, for all I know, because I just found and eliminated only one error, and I still haven\u2019t found out how they got in. Of course, I changed all my passwords everywhere else first before logging into the site, confirming no-one had hacked the user accounts, and then downloading all the code for some forensics.<\/p>\n<p>But what was peculiar was that, even though I could clearly see evidence of hackery thanks to the very nice, publicly available Webmaster tools at the Google, I could not see any difference between the live site and my previous backup except for the addition of the Akismet spam filter, which I\u2019m pretty sure I did myself.<\/p>\n<p>Then I found it, when I detected a strange file named kgcakmhg.php. Tracing it back, in the root of the HTML directory, someone had modified files back in February &#8211; first to point the .htaccess to a strange file named baccus-contextually.php, which called the weirdly named file and also relied on changes to the style directory. No changes to the blog code were necessary &#8211; everything was being rewritten before it got there.<\/p>\n<p>Removing those files? Easy. Site\u2019s back to normal \u2026 I guess. Closing the open barn door? Uh \u2026harder. Since I don\u2019t know which door they came through.<\/p>\n<p>Off to do more debugging \u2026<\/p>\n<p>-the Centaur<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, the Dakota Frost site got hacked. May still be hacked, for all I know, because I just found and eliminated only one error, and I still haven\u2019t found out&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[197,1,198],"tags":[59,5,3],"class_list":["post-3131","post","type-post","status-publish","format-standard","hentry","category-fiction","category-uncategorized","category-urban-fantasy","tag-spam-investigations","tag-we-call-it-living","tag-webworks","ratio-2-1","entry"],"_links":{"self":[{"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/posts\/3131","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/comments?post=3131"}],"version-history":[{"count":1,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/posts\/3131\/revisions"}],"predecessor-version":[{"id":3743,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/posts\/3131\/revisions\/3743"}],"wp:attachment":[{"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/media?parent=3131"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/categories?post=3131"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dresan.com\/blog\/wp-json\/wp\/v2\/tags?post=3131"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}