How To Fix and Remove network-teaser.ru – Website Hacked

A few hours ago one of my zencart e-commerce websites was hacked and a new re-directing virus code was added to the website. After a bit of research I found out that this little redirecting malicious code has been causing problems on numerous other websites around the internet, mainly e-commerce websites.

So I thought I would do a post to help out other webmasters that might be dealing with this little piece of annoying code.

What this virus does is add or edit your existing .htaccess file on your server and then sets up several redirects back to the main website which is network-tease.ru. This code is easy to find if you open your htaccess and then scroll ALL the way to the bottom of the file (for any new comers to website hosting, the htaccess file is typically hidden and you will need to show hidden files in the ftp program or cpanel to see it), in my case the code didn’t appear until around line 276.

This virus also changes the permission of the htaccess to 444, which means that in order to delete it, overwrite it, or update it, you will need to change the file permissions to 644. If you don’t know how to do this, just post a quick comment and I will walk you through it. Unfortunately, I can not do a blanket “how to change permission guide” because each host and ftp is different.

Once you have changed the permissions, then you will want to edit your htaccess file and delete the coding out and then restore your old htaccess rules or restore a back of your htaccess file. If you didn’t use htaccess in the first place, just delete the file then.

That is all you need to do, no other files are affected on your server, thankfully…  so you can breathe without worry of any other corrupted files.

Hopefully this post helps the other webmasters find the source of the malware and get it fixed fast without too much down time.

Please feel free to post a comment or contact me if you are having any problems.

** Just an update on this article –

To stop this from happening again, there are a few things you should do to prevent htaccess hacking.

First off, add this code to the htaccess file which prevents remote access editing of the htaccess file

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

<Files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</Files>

Then after you have added this to the htaccess, then change the file permissions to 444. That should now stop all htaccess hack attempts.