.htaccess attack (6 posts)

  1. BonRouge
    Member
    Posted 1 year ago #

    Hi there,
    I was hit by this thing: http://forum.joomla.org/viewtopic.php?p=2260562 (I mean the attack, not Joomla).
    In my attempts to clean up - delete all the .htaccess files and the 30,000 or so files that had been hidden in folders called .log, as well as removing code that had been inserted in most of the .html files, I guess I damaged WordPress. I'm hoping someone can help me get it working again.

    Here's the situation: the home page loads fine, but none of the links go anywhere - well, they go to a Firefox warning page. I tried to fix it by upgrading to the latest version of WordPress (from an older, but I'm not sure which one now). This didn't help.

    I have a back-up of the database and the 'theme' files seem to be OK (possibly/maybe)...

    Any ideas what I can do?

    Thanks for any help.

  2. Roy
    Member
    Posted 1 year ago #

  3. BonRouge
    Member
    Posted 1 year ago #

    Thanks for the link.

    As I mentioned, I upgraded after I did the 'repairs'. I'm guessing an automatic upgrade would do the same job as copying files from the latest zip file. Would that be right?

  4. Roy
    Member
    Posted 1 year ago #

    I guess so, but I must admit that I'm not 100% sure. When the auto upgrade was just implemented I asked a couple of times what the auto upgrade did exactly, but I never got a straight answer. I don't know if files are overwritten, if only new files are overwritten, old files deleted and in what order things go. If I were you, I'd go for manual, just so you're sure what files are replaced and what not. Also, just replacing WP files isn't going to do the trick. It's a patch rather than a solution. Be sure to scan for backdoors, etc. as mentioned in the link that I gave you.
    Perhaps this comes in handy:
    http://wordpress.org/extend/plugins/exploit-scanner/

    Also, when you're done, read this:
    http://codex.wordpress.org/Hardening_WordPress

    And as a closing remark, I really wonder how someone got to edit your htaccess file. I can't imagine that this was done through WP (hence the Joomla link). In the meantime I've read some articles about the vulnerabilities of htaccess, not sure what I want with that info :-)

  5. BonRouge
    Member
    Posted 1 year ago #

    Thanks for all that. I'll do what I can.

    I don't know how this hacker works either, but if you want to read more, he leaves a calling card: http://www.google.com/search?q=%23+exgocgkctswo

  6. BonRouge
    Member
    Posted 1 year ago #

    Hi. I think I've done most of the things that I can - changed passwords, made new 'secret keys', deleted all the files and code that appear, etc. - but new files are still appearing. They keep appearing in a folder called '.log' in the wp-admin folder. This makes me think that it might be related to WordPress in some way. (I guess maybe I should start removing plugins too).

    But also, I've tried replacing lots of files with lots of files from the new zip file (even though I had already upgraded). And I've compared the files in the zip file to the files on my server, and none are missing. But the blog itself is in the same situation - I have a good home page but the links all go to 404. The links themselves look correct, so the links haven't been tampered with.

    I'm wondering if I could delete the whole blog and re-install the software (through my cPanel) and use my backed-up database and theme. There's probably some information on the forums about this, and to be honest, I haven't searched for it, but I'm hoping there's a better solution.

    Thanks for any help.
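
Added example (not part of any post in this thread): a read-only sweep of a web root for the three symptoms the posts describe, namely folders called .log, .htaccess files, and files carrying the calling-card string from the search link above. It assumes the string appears verbatim in the injected content; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

MARKER = b"exgocgkctswo"  # calling-card string taken from the thread's search link
HIDDEN_DIR = ".log"       # folder name the thread reports the hidden files in

def scan(root, marker=MARKER):
    """Walk root and return sorted (kind, relative_path) findings. Read-only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for d in dirnames:
            if d == HIDDEN_DIR:
                findings.append(("hidden_dir", os.path.normpath(os.path.join(rel, d))))
        for name in filenames:
            relpath = os.path.normpath(os.path.join(rel, name))
            if name == ".htaccess":
                # List every .htaccess so each one can be reviewed by hand.
                findings.append(("htaccess", relpath))
            try:
                with open(os.path.join(dirpath, name), "rb") as fh:
                    if marker in fh.read():
                        findings.append(("marker", relpath))
            except OSError:
                # Unreadable files are reported rather than silently skipped.
                findings.append(("unreadable", relpath))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree mimicking the symptoms described in the thread."""
    os.makedirs(os.path.join(root, "wp-admin", ".log"))
    files = {
        ".htaccess": "# exgocgkctswo\n# constructed placeholder content\n",
        "index.html": "<html><body>clean page</body></html>\n",
        "about.html": "<html><!-- exgocgkctswo --></html>\n",
        os.path.join("wp-admin", ".log", "a.html"): "constructed hidden file\n",
    }
    for rel, text in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, path in scan(tmp):
            print(f"{kind:12} {path}")
```

Running the same sweep again after a cleanup shows whether new .log folders or marked files have reappeared, which is the situation described in the last post.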

This topic has been closed to new replies.