Hello everyone,
I took over management of the site after it was hacked, and thanks to your help I have managed to secure a number of sites.
Here is the situation: I had a site, osmcs-international.com, whose domain name was deleted, and the crook hijacked this donations site by recreating another one similar to osmcs-international.com; the site diverting the funds is https://www.templiers-chevaliers.com/
For this, the .htaccess file was tampered with, with redirections to his site.
I am not sure about this.
Here are the lines of the file that look suspicious to me:
================================
Redirect 301 /espace-perso/(Wosmcsizzp4762018W).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyuttioplmlefremiolkjertyebcazaxwsqueamnanxdfiqwspmloifdsnettessfilesysyyyrfdgLM755LPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saq65ww).html
Redirect 301 /espace-perso/((HM01osmcsizzp476rubens)).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyuttioplmlefremiolkjertyebcazaxwsqueamnanxdfiqwspmloifHM01YTdsnettessfilesysyyyrfdgLM755HM01YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saq65ww).html
Redirect 301 /espace-perso/(HM02osmcsizzp476rubensm).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut002rtyplueamnanxdfiqwspmloifHM02YTdsnettessfilesysyyyrfdgLM755HM02YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrmldferq65ww).html
Redirect 301 /espace-perso/(HM03osmcsizzp476rubens)).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut003rtyplueamnanxdfiqwspmloifHM03YTdsnettessfilesysyyyrfdgLM755HM03YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrmldferq65ww).html
Redirect 301 /espace-perso/(HM04osmcsizzp476rubensP).html http://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertzsysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut004rtyplueamnanxdfiqwspmloifHM04YTdsnettessfilesysaqyrfdgLM755HM04YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrwxmldferq65ww).html
Redirect 301 /espace-perso/(HM05osmcsizzp476rubens)a).html http://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielezswiloTysutghdctpomnjwqaztrdvfrutzsdfatyut005rtyplueamnanxdfiqwspmloifHM05blYTdsnettessfilesysaqyrfdgLM755HM04lYTLPOLNGTRDSAQWXCVBFTYOt5678hupl51mlhgfd14saqkjtrwlasexmldferq65ww).html
Redirect 301 /histoire_des_templiers.html https://www.osmcs-international.com/SITE-NUIT/templiers.html
Redirect 301 /espace-perso/index.html https://www.osmcs-international.com/index.html
Redirect 301 /chevaliers-du-temple.html https://www.templiers-chevaliers.com/chevaliers-du-temple.html
===============================
At the end of this post I am also including the whole .htaccess file, because there are a huge number of deny lines and I am not sure they are valid???
This site is written in HTML, and I would also like to know what other points to check for redirections to the fake site.
Next, regarding the PayPal account, it may have been changed to his benefit.
I intend to search for the keyword paypal with a grep over the site.
Do the PayPal transaction files have a particular name, please?
Once everything is restored, I will cut my internet connection and run the site locally to see whether there are external links, after of course clearing my browser cache.
Thank you all for your help on these thorny points, and I will also listen to your security suggestions.
Best regards
=======================================
.htaccess FILE
=======================================
#########################################
### redirections for iphones, smartphones, some old tablets, etc.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (android|bb\d+|meego).+mobile|avantgo|bada/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge\ |maemo|midp|mmp|mobile.+firefox|netfront|opera\ m(ob|in)i|palm(\ os)?|phone|p(ixi|re)/|plucker|pocket|psp|series(4|6)0|symbian|treo|up.(browser|link)|vodafone|wap|windows\ ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a\ wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r\ |s\ )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|)|g1\ u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp(\ i|ip)|hs-c|ht(c(-|\ ||a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac(\ |-|/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt(\ |/)|klon|kpt\ |kwc-|kyo(c|k)|le(no|xi)|lg(\ g|/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-|\ |o|v)|zz)|mt(50|p1|v\ )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v\ )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-|\ )|webc|whit|wi(g\ |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-) [NC]
RewriteRule ^$ https://www.templiers-chevaliers.com/templiers-mobiles/index.html [R,L]
### end of redirections for iphones, smartphones, some old tablets, etc.
#########################################
SetEnv PHP_VER 5_6
SetEnv REGISTER_GLOBALS 0
order allow,deny
allow from all
deny from 82.233.37.92
deny from 151.80.34.185
deny from 116.22.165.178
deny from 155.133.38.215
### FILTER emirates AU
deny from 83.110.236.98
deny from 217.172.120.18
deny from 82.205.176.138
deny from 91.73.250.36
deny from 91.72.146.178
deny from 91.72.220.218
deny from 87.201.111.48
deny from 91.75.84.224
deny from 213.42.0.190
deny from 87.201.231.218
deny from 91.73.249.82
deny from 91.73.250.114
deny from 91.73.160.19
deny from 87.201.110.33
deny from 91.73.250.22
deny from 91.73.250.74
deny from 91.73.160.29
deny from 91.73.250.171
deny from 82.205.250.226
deny from 91.72.146.192
deny from 91.73.183.224
deny from 194.170.223.44
deny from 91.72.147.254
deny from 91.75.190.222
deny from 91.75.85.235
deny from 91.75.241.158
deny from 195.229.41.195
deny from 195.229.41.205
deny from 91.73.38.94
deny from 91.73.249.211
deny from 91.75.85.235
deny from 87.200.254.115
deny from 91.73.160.41
deny from 91.72.147.138
deny from 91.72.220.180
deny from 92.99.176.138
deny from 213.42.212.211
deny from 213.42.212.220
deny from 91.73.160.64
deny from 91.74.247.141
deny from 213.42.212.214
deny from 213.42.212.209
deny from 91.75.144.85
deny from 91.72.146.111
deny from 91.73.183.244
deny from 80.227.12.90
### END FILTER emirates AU
deny from 197.214.252.6
deny from 46.118.115.181
deny from 45.35.105.105
deny from 176.31.39.23
deny from 46.161.9.15
deny from 176.31.39.23
deny from 83.152.248.146
deny from 58.62.235.141
deny from 46.161.9.32
deny from 88.172.71.143
deny from 46.118.155.156
deny from 199.19.29.116
deny from 86.241.167.73
deny from 176.168.192.252
deny from 178.33.217.31
deny from 88.124.220.32
deny from 176.184.128.53
deny from 144.217.
deny from 46.161.
deny from 37.168.189.2
deny from 66.249.76.62
deny from 66.249.69.229
deny from 51.15.56.110
deny from 104.168.170.97
deny from 173.201.196.35
deny from 37.187.73.139
deny from 186.202.161.96
deny from 177.87.228.2
deny from 200.161.245.162
deny from 200.161.245.163
deny from 223.197.130.159
deny from 92.235.42.212
deny from 87.192.220.172
deny from 85.132.8.106
deny from 113.66.40.162
deny from 113.119.4.105
deny from 137.74.132.80
deny from 146.185.223.252
deny from 149.202.86.188
deny from 23.229.70.147
deny from 23.106.18.16
deny from 104.129.18.183
deny from 155.94.250.39
deny from 185.104.184.119
deny from 185.104.184.122
deny from 192.69.253.87
deny from 146.88.193.146
deny from 31.184.238.34
deny from 104.254.93.69
deny from 185.104.184.117
deny from 192.198.118.204
deny from 5.188.210.9
deny from 5.188.210.7
deny from 23.106.201.178
deny from 192.227.216.137
deny from 185.130.184.230
deny from 185.104.184.115
deny from 185.130.184.198
deny from 167.160.72.148
deny from 167.160.69.21
deny from 23.244.120.171
deny from 185.130.184.238
deny from 196.17.240.184
deny from 107.150.23.173
deny from 46.166.143.115
deny from 46.166.143.110
deny from 204.44.65.93
deny from 203.161.185.194
deny from 107.181.78.155
deny from 5.188.210.43
deny from 89.249.65.22
deny from 170.246.152.21
deny from 177.91.179.102
deny from 185.130.184.254
deny from 5.59.142.64
deny from 185.212.171.147
deny from 107.181.78.172
deny from 45.43.206.105
deny from 46.166.143.100
deny from 207.189.0.
deny from 199.34.83.146
deny from 185.130.
deny from 185.17.149.142
deny from 31.3.251.
ErrorDocument 404 /error_404.html
Redirect 301 /espace-perso/(Wosmcsizzp4762018W).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyuttioplmlefremiolkjertyebcazaxwsqueamnanxdfiqwspmloifdsnettessfilesysyyyrfdgLM755LPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saq65ww).html
Redirect 301 /espace-perso/((HM01osmcsizzp476rubens)).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyuttioplmlefremiolkjertyebcazaxwsqueamnanxdfiqwspmloifHM01YTdsnettessfilesysyyyrfdgLM755HM01YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saq65ww).html
Redirect 301 /espace-perso/(HM02osmcsizzp476rubensm).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut002rtyplueamnanxdfiqwspmloifHM02YTdsnettessfilesysyyyrfdgLM755HM02YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrmldferq65ww).html
Redirect 301 /espace-perso/(HM03osmcsizzp476rubens)).html https://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut003rtyplueamnanxdfiqwspmloifHM03YTdsnettessfilesysyyyrfdgLM755HM03YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrmldferq65ww).html
Redirect 301 /espace-perso/(HM04osmcsizzp476rubensP).html http://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielertzsysdepkemmsutghdctpomnjwqaztrdvfrutzsdfatyut004rtyplueamnanxdfiqwspmloifHM04YTdsnettessfilesysaqyrfdgLM755HM04YTLPOLNGTRDSAQWXCVBFTYOt5678hup51mlhgfd14saqkjtrwxmldferq65ww).html
Redirect 301 /espace-perso/(HM05osmcsizzp476rubens)a).html http://www.osmcs-international.com/(zwsqrtgbvltracedutimonlielezswiloTysutghdctpomnjwqaztrdvfrutzsdfatyut005rtyplueamnanxdfiqwspmloifHM05blYTdsnettessfilesysaqyrfdgLM755HM04lYTLPOLNGTRDSAQWXCVBFTYOt5678hupl51mlhgfd14saqkjtrwlasexmldferq65ww).html
Redirect 301 /histoire_des_templiers.html https://www.osmcs-international.com/SITE-NUIT/templiers.html
Redirect 301 /espace-perso/index.html https://www.osmcs-international.com/index.html
Redirect 301 /chevaliers-du-temple.html https://www.templiers-chevaliers.com/chevaliers-du-temple.html
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.osmcs-international.com/$1 [R=301,L]
####################################################
### FILTER AGAINST CERTAIN HACKER BOTS
RewriteEngine On
## EXCEPTION: ALL BOTS, EVEN ANONYMOUS OR BANNED ONES, MAY ACCESS THESE FILES
RewriteCond %{REQUEST_URI} !^/robots.txt
RewriteCond %{REQUEST_URI} !^/sitemap.xml
##
RewriteCond %{HTTP_USER_AGENT} ^-?$ [OR] ## ANONYMOUS
RewriteCond %{HTTP_USER_AGENT} ^curl|^Fetch\ API\ Request|GT::WWW|^HTTP::Lite|httplib|^Java|^LeechFTP|lwp-trivial|^LWP|libWeb|libwww|^PEAR|PECL::HTTP|PHPCrawl|PycURL|python|^ReGet|Rsync|Snoopy|URI::Fetch|urllib|WebDAV|^Wget [NC] ## HTTP LIBRARIES / CLASSES WE DO NOT WANT. WARNING, THIS MAY BLOCK SOME FUNCTIONS OF YOUR CMS. DO NOT DELETE EVERYTHING, BUT LOOK FOR THE NAME OF THE HTTP CLASS CONCERNED (ASK YOUR CMS DEVELOPERS). THIS LIST BLOCKS 80% OF SPAM BOTS. IT MUST BE KEPT.
## RewriteCond %{HTTP_USER_AGENT} [1]{10,}|[2]{15,}|[3]{19,}|[4]{3,}\ [a-z]{4,}\ [a-z]{4,} [OR] ## THOSE WHO MAKE UP RANDOM NAMES; REMOVE THE 2 HASHES AT THE START OF THE LINE TO ENABLE IT
RewriteRule (.*) - [F]
### FILTER AGAINST XSS, HTTP REDIRECTIONS, base64_encode, PHP GLOBALS VARIABLE VIA URL, MODIFYING THE _REQUEST VARIABLE VIA URL, PHP VULNERABILITY TESTS, SIMPLE SQL INJECTION
RewriteEngine On
RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)document.location.href(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)(https?|ftp|mosConfig)(%3A|:)//(.*)$ [NC,OR] ## WATCH OUT FOR THIS RULE. IT CAN BREAK SOME REDIRECTIONS THAT LOOK LIKE: http://www.truc.fr/index.php?r=http://www.google.fr ##
RewriteCond %{QUERY_STRING} ^.*(_encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|\[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|\[|%[0-9A-Z]{0,2})(.*)$ [OR]
RewriteCond %{QUERY_STRING} ^(.*)(SELECT(%20|+)|UNION(%20|+)ALL|INSERT(%20|+)|DELETE(%20|+)|CHAR\(|UPDATE(%20|+)|REPLACE(%20|+)|LIMIT(%20|+)|CONCAT(%20|+)|DECLARE(%20|+))(.*)$ [NC]
RewriteRule (.*) - [F]
### FAKE URLS OR OLD OBSOLETE SYSTEMS, WE NEUTRALISE THEM
RedirectMatch 403 (../|base64|boot.ini|eval\(|(null)|[5]//.|/etc/passwd|^/_vti.*|^/MSOffice.*|/fckeditor/|/elfinder/|zoho/|/jquery-file-upload/server/|/assetmanager/|wwwroot|e107_)
# DISABLES THE TRACE, TRACK AND DELETE REQUEST METHODS
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
RewriteRule ^.* - [F]
#######################################################
################## enable caching of images+js+css for 1 month, A2592000
ExpiresActive On
ExpiresByType image/gif A2592000
ExpiresByType image/jpg A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/png A2592000
ExpiresByType image/svg+xml A2592000
AddType image/x-icon .ico
ExpiresByType image/ico A2592000
ExpiresByType image/icon A2592000
ExpiresByType image/x-icon A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/javascript A2592000
ExpiresByType application/x-javascript A2592000
ExpiresByType application/x-shockwave-flash A2592000
############################################################# end of caching
######################## BEGIN Cache-Control Headers
Header set Cache-Control "max-age=2592000, public"
Header set Cache-Control "max-age=2592000, public"
Header set Cache-Control "max-age=2592000, private"
Header set Cache-Control "max-age=86400, public"
Header set Cache-Control "max-age=2592000, public"
############################# END Cache-Control Headers
####################### protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
###################################
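As an added example (it is not code from the thread or from any of the posters), here is a small Python audit script covering the two checks asked about above: it lists every Redirect/RedirectMatch/RewriteRule target in a .htaccess whose host is not one you own, and it pulls the PayPal recipient fields (the `business` e-mail and `hosted_button_id` hidden inputs of standard PayPal buttons) out of the HTML pages so they can be compared with the values the site owner expects. The sample .htaccess lines and the sample HTML form are constructed for the demonstration; `www.osmcs-international.com` is taken from the thread as the owned domain, while the e-mail addresses, the button id and the directory layout are placeholders.

```python
import os
import re
from urllib.parse import urlparse

# Directives that can send a visitor elsewhere, and any absolute URL on such a line.
REDIRECT_RE = re.compile(r"^\s*(Redirect(?:Match|Permanent|Temp)?|RewriteRule)\s+(.*)$", re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)

# Hidden inputs of a standard PayPal button that decide who receives the money.
INPUT_TAG_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""\b(name|value)\s*=\s*["']([^"']*)["']""", re.I)
PAYPAL_FIELDS = ("business", "hosted_button_id")


def redirect_targets(htaccess_text):
    """Yield (line_no, directive, url) for each absolute URL used as a redirect target."""
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # whole-line comment, not active config
            continue
        m = REDIRECT_RE.match(line)
        if m:
            for url in URL_RE.findall(m.group(2)):
                yield n, m.group(1), url


def find_external_redirects(htaccess_text, owned_domains):
    """Return [(line_no, directive, host, url)] for targets whose host is not in owned_domains."""
    owned = {d.lower() for d in owned_domains}
    findings = []
    for n, directive, url in redirect_targets(htaccess_text):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in owned:
            findings.append((n, directive, host, url))
    return findings


def find_paypal_recipients(html_text):
    """Return [(field, value)] for every PayPal recipient field found in the HTML."""
    found = []
    for tag in INPUT_TAG_RE.findall(html_text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        name = attrs.get("name", "").lower()
        if name in PAYPAL_FIELDS:
            found.append((name, attrs.get("value", "")))
    return found


def check_paypal_recipients(html_text, expected_business, expected_button_ids=()):
    """Return the recipient fields whose value differs from what the site owner expects."""
    unexpected = []
    for field, value in find_paypal_recipients(html_text):
        if field == "business" and value.lower() != expected_business.lower():
            unexpected.append((field, value))
        elif field == "hosted_button_id" and value not in expected_button_ids:
            unexpected.append((field, value))
    return unexpected


def audit_site(root, owned_domains, expected_business, expected_button_ids=()):
    """Walk a site directory and run both checks on every .htaccess and HTML file."""
    report = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if fname == ".htaccess":
                for n, directive, host, url in find_external_redirects(text, owned_domains):
                    report.append(f"{path}:{n}: {directive} to external host {host} ({url})")
            elif fname.lower().endswith((".html", ".htm")):
                for field, value in check_paypal_recipients(text, expected_business, expected_button_ids):
                    report.append(f"{path}: PayPal {field}={value!r} is not the expected recipient")
    return report


# Constructed sample .htaccess lines in the style of the file posted above.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteRule ^$ https://www.templiers-chevaliers.com/templiers-mobiles/index.html [R,L]
Redirect 301 /histoire_des_templiers.html https://www.osmcs-international.com/SITE-NUIT/templiers.html
Redirect 301 /chevaliers-du-temple.html https://www.templiers-chevaliers.com/chevaliers-du-temple.html
RedirectMatch 403 (\.\./|/etc/passwd)
RewriteRule ^(.*)$ https://www.osmcs-international.com/$1 [R=301,L]
"""

# Constructed sample HTML with two standard PayPal buttons; the values are placeholders.
SAMPLE_HTML = """<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="business" value="donations@example.org">
</form>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="hosted_button_id" value="PLACEHOLDER_BUTTON_ID">
</form>
"""

if __name__ == "__main__":
    for hit in find_external_redirects(SAMPLE_HTACCESS, ["www.osmcs-international.com"]):
        print("external redirect:", hit)
    print("unexpected PayPal recipients:",
          check_paypal_recipients(SAMPLE_HTML, "treasurer@example.org", ("PLACEHOLDER_BUTTON_ID",)))
```

On a real copy of the site you would call `audit_site("/path/to/site", ["www.osmcs-international.com"], "<your PayPal e-mail>", ("<your button id>",))` and read the report; the script only reads files, so it is safe to run on a downloaded copy before the clean-up. Note that a redirect to a domain you no longer control (the thread says the osmcs-international.com registration was dropped) should be treated like an external one, so remove that name from the owned list if it has lapsed.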
Throw all of that out; once a site is infected you can no longer trust anything.
If you have a backup from before the hack, use it; otherwise, at most recover the images and decorative elements of the hacked site.
Then delete everything in the hosting account. If there are several sites in the same hosting account, the others are probably contaminated too.
Delete all the tables in the database and start over from scratch.
Thanks.
I have no backup from before the incident because I am taking over all of my friends' sites.
I am acting carefully, but I need help with these redirects: should I comment them out?
I did not understand anything.
I do not have a backup of the site from before the hack.
I am in the process of taking everything over and securing it as much as possible.
Thanks.
Throw all of that out; once a site is infected you can no longer trust anything.
What Fritz2cat is trying to explain to you is that a hacked site may have been hacked in more than one way, not just through a few redirections in the .htaccess. When a site is hacked, the only thing to do is to start again from a clean backup and fix, as fast as possible, the hole that let the attacker in. If no clean backup exists, the best option is still to redo everything from scratch.