.htaccess file overwritten – new form of malware?

Hi Cynthia,
Thanks for sending me a login and attaching those files. I registered my plugin on this site using your email address and downloaded the latest Definition Updates. I don’t have enough time to finish scanning but it was already finding some threats before I got cut off.

Could you run a Complete Scan and click the Automatic Fix button on those threats that it finds. Then see if the site is clean of if there are still infections that were missed?

I’ll try again later when I can get back online.

Aloha, Eli

I’ll take another look. I’m running a Complete Scan now.

I would suggest deleting the oldsite_032313 backup folder and any other tainted backups.

I’ll let you know what I find …

Thanks for that, it really speeds up the scan and I think there could have been other hacked files in that backup folder too.

I have added the htaccess hack to my Definition Updates so that it can be automatically fixed without you having to delete it and manually recreate it if it gets hacked again. I sill have not found the root cause of this hack or any specific vulnerability that could be letting the hacker reinfect your site. I will keep looking but it would be most helpful if a can look at the hacked files right after they are infected and before they are fixed or modified, so that I can get an accurate timestamp of when they were changed. Then we can search the raw access log file to see it there is any evidence of how they were changed.

Those two theme files you mentioned look fine:
wp-content/themes/classic-theme3/gallery-single-template.php
wp-content/themes/classic-theme3/gallery-template.php
I’m not sure why they were updated but it would seem they were modified responsibly (possibly an update/upgrade).

There is also a folder called newsite_b4_port that may have a whole other installation of WordPress in it. This could have it’s own vulnerabilities, do you know if it serves a purpose or if it can be removed as well?

Aloha, Eli

Cynthia,
Just 20 minutes ago your site was reinfected with the same files being added to the root directory as before. However, the .htaccess file was unaffected this time. It would seem your permission change you made to that file has had the desired effected of protecting it that you had hoped it would. Furthermore, the nearness of this this latest attack to the present may give us some incite into the source or root cause of the repeated infection.

caramaple,
As I am still working on this one I cannot say a have a solution for you just yet. However, just as Cynthia has stated my plugin should be able to remove the effects of this hack and restore your site to it’s normal functioning until the root cause can be determined. Once I find the cause I will release a Definition Update that should help you find and repair the root vulnerability.