strange htaccess hack

sam1111
(@sam1111)

11 years, 7 months ago

A website i built for a client is continually being downed on a fairly regular basis (~4-5 times a week) by a corrupted htaccess file. This causes it to display a 500 internal server error. Whenever it happens i just replace the htaccess file with the original and it works fine (short term fix).

The htaccess file seems to get randomly jumbled up a little differently each time it happens. Some times it will simply add an extra ‘>’ and sometimes it will duplicate random chunks of code (examples below)

I have found numerous threads describing similar problems (with ‘s’ or ‘ss’ added to the end of the htaccess file etc.) but none exactly like what I am encountering.

Original htaccess:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

——————————————-
Corrupted htaccess example 1:

# BEGIN WordPress<<IfModule mod_rewrite.c>RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

———————————————
Corrupted htaccess example 2:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
———————————————

Any ideas?

Viewing 6 replies - 1 through 6 (of 6 total)

Moderator bcworkz
(@bcworkz)

11 years, 7 months ago

Something on the server is improperly modifying the file, possibly improperly placing an End Of File marker, causing older file versions to leak into the current one. Or any other kind of read/write error. It might be a typo in a parameter sent to the Rewrite API, causing an instability. It could also be something else on the server modifying the file, unrelated to WordPress at all.

Could even be something that shouldn’t be there, like malware trying to cover it’s tracks. Best to run a scan just to be sure.

Thread Starter sam1111
(@sam1111)

11 years, 7 months ago

Thanks for the reply bcworkz.

I scanned for malware with sucuri but it didnt find anything.

as far as a typo in a parameter sent to the Rewrite API… I havent hand written any of the php. I’m guessing a parameter could be a page name, category, display type etc. I dont understand how a typo could exist when I only type the name of the page in once, to name it and I choose categories/display types from a list of available options.

Is there anyway to find out what is modifying the file? Is there an activity log or something I could check next time it happens to see what was running immediately before the file was modified?

Also I tried to change the permissions so that the htaccess file is read only but the changes dont seem to save. I’m using a mac, when i open the file access properties of the htaccess file on the server through ftp I can uncheck all the ‘write’ boxes and click ok, but when i reopen the permissions its reverted back to its original settings. What am I doing wrong?

Thanks again and any additional help would be greatly appreciated 🙂

Thread Starter sam1111
(@sam1111)

11 years, 7 months ago

After reading into it a bit more it seems that even if i do set the htaccess file’s permission to 444, whatever it is on the server thats causing the issue can just chmod htaccess to 666 itself and proceed to modify it. So there goes that idea.

I guess my only option is to locate the little troublemaker… But I’ve got no idea how i’d even go about that

Thread Starter sam1111
(@sam1111)

11 years, 6 months ago

Hello bcworkz,

Ive taken an error log since the last time the site went down and it has showed the below: (these are only a few as pasting all 300 was too large)

[Tue Oct 09 12:42:53 2012] [error] [client 110.175.129.156] File does not exist: /home2/thewinds/public_html/404.shtml

[Tue Oct 09 12:42:53 2012] [error] [client 110.175.129.156] File does not exist: /home2/thewinds/public_html/favicon.ico

[Tue Oct 09 12:32:38 2012] [alert] [client 110.175.129.156] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters

[Tue Oct 09 12:29:43 2012] [alert] [client 203.59.80.110] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=windsor%20south%20perth&source=web&cd=3&ved=0CDAQFjAC&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=96dzUJi-PMyYiAf9tYCIDg&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:29:39 2012] [alert] [client 203.59.80.110] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters

[Tue Oct 09 12:29:08 2012] [alert] [client 203.59.80.110] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.bing.com/search?q=windsor+south+perth&qs=n&form=QBRE&pq=windsor+south+perth&sc=1-19&sp=-1&sk=

[Tue Oct 09 12:28:45 2012] [alert] [client 203.59.80.110] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.bing.com/search?q=windsor+pub+menu&FORM=AWRE

[Tue Oct 09 12:10:06 2012] [alert] [client 165.187.10.37] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.bing.com/search?q=windsor+hotel+south+perth&src=IE-SearchBox&Form=IE8SRC

[Tue Oct 09 12:09:52 2012] [alert] [client 165.187.10.37] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.bing.com/search?q=windsor+hotel+south+perth&src=IE-SearchBox&Form=IE8SRC

[Tue Oct 09 12:09:52 2012] [alert] [client 165.187.10.37] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.bing.com/search?q=windsor+hotel+south+perth&src=IE-SearchBox&Form=IE8SRC

[Tue Oct 09 12:09:43 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=the+windsor+hotel+perth&source=web&cd=2&ved=0CCoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=f6NzUKq8JcWqrAe3voDQDQ&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:09:43 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=the+windsor+hotel+perth&source=web&cd=2&ved=0CCoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=f6NzUKq8JcWqrAe3voDQDQ&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:09:09 2012] [alert] [client 150.70.172.200] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters

[Tue Oct 09 12:08:11 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=windsor+hotel+perth&source=web&cd=2&ved=0CDoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=AKNzUIjwD4vOrQfAs4CICg&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:07:40 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=windsor+hotel+perth&source=web&cd=2&ved=0CDoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=AKNzUIjwD4vOrQfAs4CICg&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:07:36 2012] [alert] [client 203.59.228.72] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=the%20windsor%20south%20perth&source=web&cd=2&sqi=2&ved=0CCoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=BKNzUOmHE-SOiAeyjICQCQ&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:07:34 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=windsor+hotel+perth&source=web&cd=2&ved=0CDoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=AKNzUIjwD4vOrQfAs4CICg&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:07:05 2012] [alert] [client 203.11.225.5] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://www.google.com.au/url?sa=t&rct=j&q=windsor+hotel+perth&source=web&cd=2&ved=0CDoQFjAB&url=http%3A%2F%2Fthewindsorsouthperth.com.au%2F&ei=4KJzUND6EoyHrAfjjYDwBQ&usg=AFQjCNHc2qq-wkWrUQ3lVNQRkiwoMwbp-A

[Tue Oct 09 12:06:55 2012] [alert] [client 101.119.30.230]
/home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://thewindsorsouthperth.com.au/windsor-functions/

[Tue Oct 09 12:06:31 2012] [alert] [client 170.252.160.1] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters

[Tue Oct 09 12:06:30 2012] [alert] [client 170.252.160.1] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://thewindsorsouthperth.com.au/gluten-free-menu/

[Tue Oct 09 12:06:30 2012] [alert] [client 170.252.160.1] /home2/thewinds/public_html/.htaccess: RewriteCond: bad flag delimiters, referer: http://thewindsorsouthperth.com.au/gluten-free-menu/

Sorry I know its a lot to paste. I was just wondering if you could help me further with this issue, ive been trying to solve it for months now. I still cant seem to locate the issue, and would even know where to start looking for something that may be re-writing the htaccess file. Im willing to pay for professional help if you do this?

PLEASE HELP 🙂

MickeyRoush
(@mickeyroush)

11 years, 6 months ago

Have you tried Wordfence yet?

http://wordpress.org/extend/plugins/wordfence/

melonesti
(@melonesti)

11 years, 6 months ago

Yes, I have the same issue we both have tried Wordfence but no luck 🙁

I think it has something to do with the Easy restaurant Menu Manager Plugin (according to another programmer). But i would know how to fix it?

Any idea’s?

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘strange htaccess hack’ is closed to new replies.

strange htaccess hack

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics