• Hi there.
    So….
    I went to blog this evening and there is something very wrong.

    My site is hosted by GoDaddy and they said that my WordPress was hacked.

    My blog is usually found at blog.idohairandmake-up.com

    Here is the message I am getting

    http://saveprefs.ru/astro/index.php

    Any help or advice is greatly appreciated!!!

    Can’t even log in. 🙁

    Michelle

Viewing 10 replies - 1 through 10 (of 10 total)
  • Same thing just happened to me. I am running about 20 WordPress 3.3.1 sites, all of them have been hacked and are redirecting traffic to http://saveprefs.ru/astro/index.php. I really don’t want to have to restore all my sites from older backups. If anyone has a solution on how to get rid of this, I would so very much appreciate it!

    Thanks

    I believe the latest version of wordpress introduced this problem we’re all facing. My temporary solution until this is fixed is to create a cronjob to delete the .htaccess file since it continues on getting re-created even after it is deleted.

    # delete
    * * * * * rm -fr ./public_html/.htaccess > /dev/null 2>&1

    Thread Starter chelle2711

    (@chelle2711)

    jamieedwards – glad I am not alone.

    What are you doing to solve this? I am so confused. Is it only happening to one of my WordPress sites.
    It is so frustrating.

    thanks for your response.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    My site is hosted by GoDaddy and they said that my WordPress was hacked.

    chelle2711: That’s a good start but have you looked at/read and implemented any of these links?

    http://sitecheck.sucuri.net/scanner/

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    I believe the latest version of wordpress introduced this problem we’re all facing.

    Nope. WordPress only attempts to create a .htaccess file when you tell it to.

    # delete
    * * * * * rm -fr ./public_html/.htaccess > /dev/null 2>&1

    That’s… I.. just… *HEAD DESK*

    If you have to keep doing this, either you are running a plugin or theme that re-creates that file (never saw that before but hey it’s possible) or more likely, your installation has been compromised. See above links for self-help.

    *HEAD DESK* as much as you want, but until we know what the exact hack is, we can’t say WordPress didn’t introduce it. Like I said “I believe the latest version introduced” … The reason I made that assumption was due to the fact 7 of my clients’ websites started having this issue right after the update to version 3.3.1. Some of these sites don’t even have any plugins but the standard WordPress install + theme. WordPress needs to figure out what the glitch is and release an update asap to address it.

    Your blog being “hacked” is not a security issue. The security issue will involve knowing how the attacker got in and hacked the blog.

    There are no known security issues in the current version of WordPress. Please use the resources posted above to locate, isolate and remove the hack. If, during that process, you have clear and unequivocal proof (on a site using Twenty Eleven with no plugins activated) of an issue within WordPress core, please see http://codex.wordpress.org/FAQ_Security for details of how to report this correctly.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Sorry for being a little snarky.

    The *HEAD DESK* comment was sincere in that that does nothing for solving the problem and doesn’t even treat the symptoms well. What other files are getting updated without your knowing it? Changing the modified time of a file is trivial and if the bad guy can create that file then they can continue to modify existing PHP files.

    As Esmi says, there are no known security issues in the current version of WordPress. A more common vector for a compromise is add-on software (TimThumb anyone?) or an insecure server.

    Getting to the bottom of any compromise involves examining the web access log and syslog on your server, looking at files left by process UIDs, etc. and trying to tie it all together. It’s a metric ton of work but it’s doable. If 7 of your clients are getting this, then identify the commonality outside of the WordPress files (plugins, themes, same server, etc.)

    More often than not, it’s easier to save and eyeball your data off the server, uninstall everything you do need and install minimum and currently supported versions of Apache, PHP, etc. Then re-import your confirmed sanitized data.

    If you are on a shared server, then you may never get to the bottom of it.

    Give those links I posted a good look through. They’re almost 100% copied from what Esmi has provided in the past.

    I’m not being snarky again: if that doesn’t help you in de-lousing your WordPress installs, and you’ve clients being impacted, then please consider paid help.

    http://jobs.wordpress.net/
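
An added example, not part of any reply in this thread and not WordPress code: a read-only check for the symptom discussed above. It assumes the re-created .htaccess carries a redirect-type directive pointing at an outside host, and it lists files by inode change time, since modification times can be reset. The function names, sample files and `example.invalid` hosts are constructed for illustration.

```sh
#!/bin/sh
# Added example. Hosts and files below are constructed sample data.

# external_redirects DOCROOT [ALLOWED_HOST...]
# Prints "file:line:host" for each redirect-type directive in any .htaccess
# under DOCROOT that targets a host outside the allowlist.
# Assumes paths contain no ':' or newline.
external_redirects() (
  root=$1; shift
  allowed=" $* "
  find "$root" -type f -name '.htaccess' -exec grep -nEiH \
    '^[[:space:]]*(RewriteRule|Redirect(Match)?|ErrorDocument)[[:space:]]' {} + |
  while IFS= read -r hit; do
    host=$(printf '%s\n' "$hit" | grep -oEi 'https?://[^/"[:space:]]+' |
           head -n 1 | sed -E 's#^[A-Za-z]+://##' | tr '[:upper:]' '[:lower:]')
    if [ -n "$host" ]; then               # empty means a local target
      case "$allowed" in
        *" $host "*) ;;                   # allowlisted destination
        *) printf '%s:%s\n' "$(printf '%s\n' "$hit" | cut -d: -f1,2)" "$host" ;;
      esac
    fi
  done
)

# recently_changed DOCROOT DAYS
# Lists PHP and .htaccess files whose inode change time (ctime) falls within
# DAYS. touch can backdate mtime, but it cannot set ctime.
recently_changed() {
  find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -ctime "-$2" | sort
}

# make_sample DIR: writes a constructed docroot for a dry run.
make_sample() {
  mkdir -p "$1/wp-content/themes/demo"
  printf '%s\n' 'RewriteEngine On' \
    'RewriteRule ^(.*)$ http://redirect.example.invalid/landing [R=302,L]' \
    'ErrorDocument 404 /index.php' > "$1/.htaccess"
  printf '<?php // constructed\n' > "$1/wp-content/themes/demo/functions.php"
  touch -t 201001010000 "$1/wp-content/themes/demo/functions.php"  # backdated
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_sample "$d"
  external_redirects "$d" blog.example.invalid
  recently_changed "$d" 1
  rm -rf "$d"
fi
```

Run it against a copy of the docroot as well as the live one: a file that shows up in `recently_changed` but has an old modification time is worth reading line by line.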

    My temporary solution for deleting the .htaccess is working and I would suggest anyone having this issue to use it as a TEMPORARY solution. I’d rather have a cronjob do this until a fix is in place. I know it doesn’t solve the problem but a solution is needed until the problem is found. I’ve tried everything and can’t find the problem. It appears it can be a problem with the shared hosting but the hosting companies don’t have a solution at the moment and they are not owning the problem. There are other folks talking about the same problem all across – http://wordpress.org/support/topic/331-hacked-by-saveprefsru-redirect?replies=36

    It appears it can be a problem with the shared hosting

    If you have gone through all of the steps suggested, then it will almost certainly be an issue outside of WordPress. A shared server is only as secure as its weakest script. Also, are you using unencrypted FTP? Many hackers are now targeting FTP, so always use SFTP or encrypted FTP connections.

    @chelle2711 did you find a solution? I have another thread going here:
    http://wordpress.org/support/topic/331-hacked-by-saveprefsru-redirect/page/3?replies=72#post-2566496

    It might have some more useful information for you.

    Blessings,
    Jamie

  • The topic ‘HELP! Cannot access my blog’ is closed to new replies.