• Hi all,

    I was wondering if someone could provide knowledge on how an .htaccess file is hacked in a wordpress blog.

    This morning, I found a 500 Internal Server Error when trying to launch my blog’s default page in a browser. I did a preliminary google search for this and saw content related to .htaccess files being changed. Sure enough, mine was. It didn’t really look like there were any redirects, but it was definitely different.

    I’ve done a lot of research since then and it seems that there are ways bots or viruses can obtain FTP information to enable a user to alter the .htaccess file to bring an entire blog/site down.

    I also see that the Codex directs users to set permissions to “777” to enable pretty permalinks which are better crawled by search engines.

    Should I continue to have “777” permissions applied to my .htaccess file? Is this how an intruder got in to alter my .htaccess file?
    I see that there are many alterations you can make to the code inside of an .htaccess file. If the permissions are not too open, will these code changes even matter?

    As of yet, I have changed the .htaccess file back to what it was previously and my blog works fine. I don’t see any other alterations to the blog that look out of the ordinary.

    I’m just trying to obtain some knowledge on protecting .htaccess.

    Any help or advice would be greatly appreciated.

    Thanks in advance.
    Sincerely,
    Dick

Viewing 15 replies - 1 through 15 (of 17 total)
  • Thread Starter dickkirkland

    (@dickkirkland)

    UPDATE

    Hello again,

    I’ve changed the permissions on the .htaccess file back to “644”.
    My permalinks seem to be writing o.k.
    I guess the change you have to make the .htaccess file to change permissions should only need to be done once to make them “777” so that WP can write your permalinks correctly.
    After this change I guess you are supposed to change them back to the super safe “644” or lower.
    The codex did not specify this process or the danger in having them at “777” all of the time.

    I’ve also changed all account and FTP passwords for the site that was defaced. My host notified me of an “anti-virus” malware that was able to obtain users’ account info to exploit WP and the .htaccess file.
    I’ve swept all machines that FTP to this site and none have issues, malware, defects, or infections.

    I don’t understand how the .htaccess file was modified remotely. I’m waiting on my host to provide log information on how this was done, but haven’t heard back yet. Does anyone have any advice or insight into how this was done? I also don’t see where any of the other files in the blog are touched or altered. I’ve read so much about the exploiting of the .htaccess file to either pass variables through it using .php scripts, or to bring up false “anti-virus warnings”, but I seem to have none of these symptoms.

    The blog is still working properly but I fear this could happen again.
    I seem to have everything buttoned up, but I’m not sure.

    Again, any advice or help would be greatly appreciated.

    Sincerely,
    Dick

    Hi,

    The “777” is very dangerous. Any scripts can modify such files. This is only needed if you want WP Admin to change your “.htaccess” files, but when the change is done you should revert the files to the normal “644” asap. Actually, if you know how to edit files on the server, you don’t have to change permissions to “777” – WP would provide you with the code you need to add to your .htaccess file yourself.

    I’ve seen many sites with hacked .htaccess files lately. Unfortunately, none of the webmasters I talked to could provide sufficient information (i.e. the file owner and permissions, modification date, etc) so I can’t figure out how the file was modified/created in the first place.

    Please, please, if you find a compromised .htaccess file, check the modification date, file permissions and the file owner. If you don’t know how to do it, contact your hosting company. This information can help identify whether your account is compromised (you are the owner of the file and only you can modify it) or it was done by some script. Then search the access logs (http and ftp if available) for any activity that happened around the modification time. If you want to share this info you can send it to me here (http://www.unmaskparasites.com/contact/)

    Dick, I’m really interested in anything your host finds regarding the issue.

    So far I can only suspect that FTP passwords were somehow intercepted and suggest that you use SFTP instead of FTP if your hosting plan provides SFTP access.

    So far I can only suspect that FTP passwords were somehow intercepted and suggest that you use SFTP instead of FTP if your hosting plan provides SFTP access.

    somehow? Considering the fact that servers using cpanel, by default, use the same password for FTP as mysql, as their cpanel login — how incredibly difficult is it to get said password?

    Not very. Upload a PHP shell to the site, and open one’s wp-config.php

    If the user has NOT created another db user and is still using the cpanel username — there you go.

    In other words, one doesnt have to overthink how passwords get stolen.

    Well, but how would one upload the PHP shell script? I’ve seen this exploit on pure html no-db sites.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I’ve seen this exploit on pure html no-db sites.

    Were they the only website running on that box? Or were they using shared hosting, like 90% of websites are?

    777 means that anybody on that server can write to the file. So if any site on that entire server got hacked, then they can run a script which searches through all the files on the system and attempts to hack them.

    So yes, 777 is very much insecure. Normally you leave directories at 755 and files at 644. The few exceptions to these sort of permissions should be weighed very carefully.
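An added example (not code from the thread or from WordPress) that turns the checks UseShots asks for above and Otto’s 644/755 rule into a script: it reports owner, mode and modification time of a suspect .htaccess, flags any group/other write bit, and pulls access-log lines from the minute the file changed. It assumes GNU coreutils (`stat -c`, `date -d`) and Apache combined-log timestamps; the file paths and log lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a suspect .htaccess
# (owner, mode, mtime) and pull access-log lines from the minute it changed.
# Assumes GNU coreutils (stat -c, date -d) and Apache stamps such as
# [09/Oct/2009:08:33:53 +0000].

# Print "owner mode mtime" for the file; non-zero exit if it is missing.
htaccess_info() {
    [ -f "$1" ] || return 1
    stat -c '%U %a %y' "$1"
}

# True when the mode is looser than 644: any write bit for group or other.
# 777 lets every account on a shared box (and any script running as one
# of them) rewrite the file, which is Otto's point above.
htaccess_too_open() {
    mode=$(stat -c '%a' "$1") || return 1
    perm=$((0$mode))                 # leading 0: parse as octal
    grp=$(( (perm / 8) % 8 ))
    oth=$(( perm % 8 ))
    [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]
}

# Emit the access-log lines stamped in the same minute as the file's mtime:
# the "activity around the modification time" UseShots says to look for.
# $1 = .htaccess path, $2 = access log path.
log_lines_at_mtime() {
    epoch=$(stat -c '%Y' "$1") || return 1
    stamp=$(date -d "@$epoch" '+%d/%b/%Y:%H:%M')
    grep -F "$stamp" "$2"
}

# Constructed demo: a 777 .htaccess touched at a known time, plus a log.
htaccess_demo() {
    dir=$(mktemp -d)
    printf 'RewriteEngine On\nss\n' > "$dir/.htaccess"
    chmod 777 "$dir/.htaccess"
    touch -d '2009-10-09 08:33:53' "$dir/.htaccess"
    printf '%s\n' \
      '203.0.113.5 - - [09/Oct/2009:08:33:40 +0000] "POST /wp-login.php HTTP/1.1" 200 12' \
      '198.51.100.7 - - [09/Oct/2009:09:10:02 +0000] "GET / HTTP/1.1" 500 0' \
      > "$dir/access.log"
    htaccess_info "$dir/.htaccess"
    htaccess_too_open "$dir/.htaccess" && echo "WARNING: group/other writable"
    log_lines_at_mtime "$dir/.htaccess" "$dir/access.log"
    rm -rf "$dir"
}

htaccess_demo
```

Run it against the real file and log (for example `htaccess_too_open /path/to/.htaccess`) to answer the two questions the thread keeps coming back to: who could write the file, and what hit the server when it was written.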

    Thread Starter dickkirkland

    (@dickkirkland)

    Hello all,

    Thanks for everyone’s time in providing feedback about my problem.

    I appreciate the explanations of all things .htaccess.

    UseShots – Yeah, I also think something was intercepted.
    While the host has not offered any help with providing evidence of when the file was modified and by whom, they have offered the explanation that there is some “worm” that does this by way of google and/or malware that is installed on one’s machine locally.

    The only thing I did that was any different than my normal blog usage before the hack was to use the “instant-upgrade” plugin where I did not transfer the command/install via SSL. I don’t know if this is how the FTP credentials were intercepted or not, but it’s the only thing that stands out that I did myself.

    Also, I have still found no malware on any machine that connects to this site via FTP. My content is hosted on a shared server and not a standalone IP or physical machine. The host admits to having a problem with this, but says that it happened remotely, and with nothing on their end causing the problem.

    I have changed my .htaccess file’s permissions to a safer level and have had no problems since.

    I also read a lot about similar scenarios like mine where only half of the hack works, meaning the php script that is embedded into the .htaccess file does not work for some reason. While this brings/brought the blog down, whatever else that was meant to be malicious did not occur for some reason.

    It seems as if there are about 3 variants of this hack.
    Luckily I didn’t have a lot of trouble recovering.

    Weird.

    thanks again,
    Dick

    any more information on this? i have a feeling this happened to my wordpress site? the htaccess file was changed twice in 24 hours. seems like a couple extra characters of text was added at the bottom of the file, basically causing entire site to go down. my htaccess file is set to 644 permissions. so it goes a little contrary to what people are saying here. the first time it happened, i thought i might have accidentally changed my htaccess file b/c i was mucking around with it the night before. but then it happened again and i definitely didn’t do anything.

    here’s my main question. it seems the “Last Modified” date on my htaccess file updates every 30 minutes or so. is that normal?? seems like it’s not. i’m running wp 2.7, with pretty permalinks. i have a dozen or so plugins installed but haven’t installed any in over a week. this started happening yesterday. re: the fact that our db password seems to be in plain sight in the wp-config.php file, that seemed a little odd wordpress would be coded that way when i first set it up. is there something we can do to make it more secure so the password isn’t available to the world. now that you brought it up, it’s kinda scary.

    i’m running some virus scans on my local machines and changed my ftp password. though, even after i changed my ftp password the htaccess Last Modified time continues to update every 30 minutes or so… hopefully, someone out there has additional measures i could take?

    Very strange. Contact your hosting provider. Let them check FTP logs.

    You can try to set .htaccess permissions to 444. You can restore write permissions when you really need to modify it.

    The same thing that themauirob mentioned is happening to me as well… My .htaccess file keeps getting the letters “ess” added to the end of it.

    The first time, the permissions were whacked on it and I had to get my host to reset it. It’s happened one more time since then and I’ve been able to edit the letters out.

    This time I reset the permissions to 644, we’ll see if it happens again?

    I just came across a client wp site that was hacked in a similar way. The .htaccess file was modified to redirect any incoming traffic from search engines to another site…

    I checked and the date of modification matched the date of 2 plugin files… the hello.php plugin was modified and a new file – probably the hackers file as it’s gzipped code wrapped in php – anuka.php was added…

    Searching anuka.php on Google gave a few other sites’ open directories – all WP sites with anuka.php put in various plugin places… though no explanation of what it actually is… this seems to be something recent as Googled file dates for anuka.php start about 2 months ago.

    Hi there,

    I’m experiencing the same problems with my website. The .htaccess file keeps getting messed up, always a line split or extra characters on the end of a sentence. This brings the entire site down.

    I’ve contacted my webhosting services for help. In the meantime I changed all passwords and users. I noticed something – my .htaccess file keeps getting messed up every time I update certain plugins like wordpress stats and Yak.

    The solution so far – changed passwords and .htaccess permissions to 444. Let’s see…

    Well YAK doesn’t have any need to touch the .htaccess file, so it’s not likely to be that.

    Same thing happening to one of my sites.

    I went to my website to find it was down with a 500 server error.
    Checking the error logs I found the following:

    [Fri Oct 9 08:33:53 2009] [alert] [client ] /MYSITE/.htaccess: Invalid command ‘ss’, perhaps mis-spelled or defined by a module not included in the server configuration

    So I realised that, like TheJester12, I also got letters added to the end of my .htaccess file. In this case “ss.”

    I edited out the “ss” and all seems well. But of course we paranoid web-types know that you can’t just hope everything is well so I googled and found this forum thread.

    I wonder what all has been compromised and if there will be more trouble.
    In my case my file permissions were set to 644 so I don’t see how it could be a problem with the file settings of my .htaccess file.
    Weird.

    I am having a similar problem on one of my client’s wordpress sites. It happened twice in the last 2 days that the site started giving a 500 Internal Server Error, and when I checked the .htaccess I found an “ss” in the last line. I don’t know how it was inserted there.

    So did anybody succeed in getting this issue solved?

    i had a lonely s in my .htaccess file causing the same error you had.

    how does that get in there?

    permissions are set to 644

  • The topic ‘My site’s .htaccess file hacked, how?’ is closed to new replies.