Hi,

    I’m hoping I can get some help on getting an .htaccess directive to work with multisite. I’m not very experienced with the multisite setup.

    My sites have been hacked and I’ve cleaned up most and on my single sites I’ve stopped repeated hacks by using:

    Options +FollowSymLinks
    RewriteEngine On
    # The three conditions are chained with [OR]; a match on the raw (undecoded) query string
    # returns 403 ([F]) and stops rule processing ([L]). Only the first condition is case-insensitive ([NC]).
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    # "\[" is escaped so it matches a literal bracket; left unescaped, "[" opens a character class.
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    in the htaccess file.

    The problem is I have one multisite setup, which I set up to experiment with, and when I use this directive the sites go down and I get a 500 error.

    Any ideas what may be causing this?

    I’m fairly sure that the hack is automated in some way and I’m not sure the access is coming via WordPress. I think it’s coming through the server. I clean up all the infected files – index files, config files and settings files and at approx 8.00pm each day all the files are reinfected and occasionally some plugin files get infected.

    I’ve stopped the single files getting infected with the above directives but the multi site still gets infected each evening.

    Once I can stop the sites getting infected I can then go through my logs and find out how the infection is getting through. I don’t see anything suspicious in the WordPress logs, which suggests that it is outside WordPress. However they are getting in, they cannot change the permissions of files. When I was first made aware of the hack (it’s just a redirection hack, so when new visitors come to the site they get redirected to stuff like mobile phone sales) I set config and index to 600, and that’s when it started to infect settings.

    I’m not sure they have full access to the server as I have it set up on 2 workspaces (Plesk) and only the sites on 1 workspace were being infected, the other workspace was clean.

    If I can set up the above .htaccess directive on the multisite and close down the injections, then I can concentrate on finding the cause.

    Thanks for any help.
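
The following script is an added illustration and is not code from the original post. It mirrors the three RewriteCond patterns above in Python, using the `re` module as a stand-in for the PCRE engine Apache's mod_rewrite uses; for the constructs involved (alternation, character classes, `{0,2}`, the `[NC]` case-insensitive flag on the first condition only) the two read the patterns the same way. It evaluates both the patterns exactly as posted and a variant with the bracket escaped as `\[`, the form these rules are usually published in (an assumption about the intended meaning), against a set of constructed query strings, and shows that the unescaped `[` turns `[|%[0-9A-Z]` into a character class repeated zero or more times, so any query string merely containing `GLOBALS` or `_REQUEST` is refused.

```python
import re
import warnings

# The three RewriteCond patterns exactly as posted, with the unescaped "[" inside the group.
# Apache evaluates these with PCRE; Python's re is used here as a stand-in and parses these
# particular constructs the same way: "[|%[0-9A-Z]" is a character class, not a literal "[".
POSTED_CONDS = [
    (r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),   # [NC]
    (r"GLOBALS(=|[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|[|%[0-9A-Z]{0,2})", 0),
]

# The same rules with "\[" escaped, the form these rules are usually published in.
# (Assumption: this is the behaviour the poster intended.)
ESCAPED_CONDS = [
    (r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
]


def compile_conds(conds):
    """Compile a list of (pattern, flags).

    Python emits a FutureWarning for a literal "[" inside a character class (possible
    future nested-set syntax). That is exactly the parse being examined here, so the
    warning is silenced rather than the pattern changed.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", FutureWarning)
        return [re.compile(pat, flags) for pat, flags in conds]


POSTED = compile_conds(POSTED_CONDS)
ESCAPED = compile_conds(ESCAPED_CONDS)


def is_blocked(query_string, conds):
    """True if the RewriteRule [F,L] would fire for this raw query string.

    mod_rewrite's %{QUERY_STRING} is the undecoded query string, and the conditions are
    chained with [OR], so a single matching condition is enough to return 403.
    """
    return any(c.search(query_string) for c in conds)


# Constructed sample query strings (not taken from the thread).
SAMPLES = [
    "p=1",                                   # ordinary request
    "s=<script>alert(1)</script>",           # literal tag
    "s=%3cscript%3ealert(1)%3c/script%3e",   # URL-encoded, lower case: caught by [NC]
    "GLOBALS[foo]=bar",                      # literal bracket
    "_REQUEST%5Bcmd%5D=ls",                  # URL-encoded bracket
    "q=GLOBALSEARCH",                        # benign substring
    "s=_REQUESTED_REPORT",                   # benign substring
]


def compare(samples=SAMPLES):
    """Map each query string to (blocked_by_posted_rules, blocked_by_escaped_rules)."""
    return {qs: (is_blocked(qs, POSTED), is_blocked(qs, ESCAPED)) for qs in samples}


if __name__ == "__main__":
    for qs, (posted, escaped) in compare().items():
        print(f"{qs:40s} posted={posted!s:5} escaped={escaped!s:5}")
```

The last two samples are the practical difference: both rule sets refuse the four hostile strings, but only the posted version also refuses `q=GLOBALSEARCH` and `s=_REQUESTED_REPORT`, because its second and third conditions match the bare word followed by nothing. A site that uses those words in search or report parameters would see 403s from the rules themselves.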

Viewing 2 replies - 1 through 2 (of 2 total)
  • abletec

    (@abletec)

    Hello, Kevin, & welcome. W/all due respect, Sir, I think changing the .htaccess file is not going to stop the hack.

    Since I don’t know if this is a shared, vps, or dedicated server, please be so kind as to let me ramble a bit in order to try to cover the contingencies.

    You are clearly very knowledgeable, so some things I say may seem obvious, for which I request pardon ahead of time. However:
    * Please make sure any device(s) you use to log onto your website are clean. Changing passwords, etc, as advised below, will do you absolutely no good if malware is sending them home to its command-&-control server.

    * The same applies to your network–make certain it’s clean. Please don’t use insecure hotspots, etc, to log into your server. & if you transfer files, please use a secure protocol. All this you know, I’m sure, but just covering bases.

    Now, concerning the site–the first thing I’d do if it were I is to lock down the server. This means changing passwords, &, if you have root access, disabling root logins by password & only using SSH keys. If that is not possible, then at least change the password to something that’s beyond tankproof & not something you’ve ever used previously. Secondly, please change your Plesk password. Third, please change your database password, remembering to reflect that change in your wp-config.php file. While you’re at it, please go get some new salts (your wp-config.php file will have instructions on how to do that) & replace the ones in wp-config.php w/the new ones. That will log out all users currently logged in.

    Next, please log into your dashboard, go to ‘users’ & check to see if there are any users, especially ones w/elevated privileges, that you don’t recognize. Clearly delete these if this is the case.

    The next things we want to do are to check if there are any admin accounts created outside of WordPress & to check whether there are executable files in your uploads & other user-generated content. The plugin Wordfence is pretty good in this regard. Here are the scan options I recommend checking, at least in this case. You can note the ones that are unchecked by default & turn them off once this is over.
    “Scan core files against repository versions for changes
    Scan theme files against repository versions for changes
    Scan plugin files against repository versions for changes
    Scan wp-admin and wp-includes for files not bundled with WordPress
    Scan for signatures of known malicious files
    Scan file contents for backdoors, trojans and suspicious code
    Scan file contents for malicious URLs
    Scan posts for known dangerous URLs and suspicious content
    Scan comments for known dangerous URLs and suspicious content
    Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
    Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
    Scan for admin users created outside of WordPress
    Scan for unauthorized DNS changes
    Scan files outside your WordPress installation
    Scan images, binary, and other files as if they were executable”

    Lastly, you should have a look at your database to see if there is hacked content there. Some strings to look for are:

    <script
    <?php
    base64
    eval
    preg_replace
    strrev

    This is not an exhaustive list, & finding some of these strings is not necessarily proof positive that a hack is present, although some are more suggestive than others, i.e., strrev doesn’t generally have a purpose in WordPress that I know of.

    I hope this proves helpful. Please let us know if you have questions or need additional assistance.
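
As an added example, not part of the reply above, here is a Python scanner that applies the indicator list from the reply to database content. Since the thread mentions injections arriving hex-encoded, it checks each row both as stored and after decoding two encodings that hide the strings from a plain `LIKE` search: PHP-style `\xHH` escapes and `%HH` URL encoding (the choice of those two encodings is an assumption). The rows, table names and IDs are constructed sample data standing in for `wp_posts` and `wp_options`.

```python
import re

# Indicator strings listed in the reply above. These are plain substring matches: "eval"
# also hits "evaluate", which is why a hit is a row to inspect, not proof of compromise.
INDICATORS = ["<script", "<?php", "base64", "eval", "preg_replace", "strrev"]

# Two encodings that hide the indicators from a plain LIKE search (assumption: the forms to cover).
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")   # PHP double-quoted string escape, e.g. \x3c
URL_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")     # URL encoding, e.g. %3C


def decode_hex(text):
    """Replace \\xHH and %HH sequences with the characters they encode."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return URL_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_indicators(text):
    """Return the indicators present in text (case-insensitive), raw or after decoding."""
    haystacks = (text.lower(), decode_hex(text).lower())
    return [ind for ind in INDICATORS if any(ind in h for h in haystacks)]


def scan_rows(rows):
    """rows: iterable of (table, row_id, column, content).

    Returns [(table, row_id, column, [indicators...])] for every row with at least one hit,
    in input order, so the result can be worked through as a review list.
    """
    flagged = []
    for table, row_id, column, content in rows:
        hits = find_indicators(content)
        if hits:
            flagged.append((table, row_id, column, hits))
    return flagged


# Constructed sample rows standing in for wp_posts / wp_options content (not real data).
SAMPLE_ROWS = [
    ("wp_posts", 1, "post_content", "<p>Welcome to our shop.</p>"),
    ("wp_posts", 2, "post_content", '<script src="//example.invalid/r.js"></script>'),
    ("wp_options", 3, "option_value", 'eval(base64_decode("aGVsbG8="));'),
    ("wp_options", 4, "option_value", r"\x3c\x73\x63\x72\x69\x70\x74\x3e"),   # "<script>" as \xHH
    ("wp_posts", 5, "post_content", "We evaluate every revision carefully."),  # benign "eval" hit
    ("wp_options", 6, "option_value", "<?php @eval($_POST['c']); ?>"),
]


if __name__ == "__main__":
    for table, row_id, column, hits in scan_rows(SAMPLE_ROWS):
        print(f"{table}.{column} id={row_id}: {', '.join(hits)}")
```

Row 4 is the case a raw `LIKE '%<script%'` query misses: the stored bytes never contain `<script`, only its `\xHH` spelling. Row 5 is the reply's caveat in miniature: it is flagged on `eval` and is harmless. On a live install the rows would come from a database export or a query over `post_content` and `option_value` rather than the embedded list.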

    Thread Starter kevin heath

    (@ypraise)

    Hi Jackie,

    Thanks for the reply. The .htaccess file directives will stop the sql injection. The directives work on the single sites and have stopped the continued injections on them. But the directives I’ve posted cause the multisite to crash with error 500.

    I’ve put together some new directives for the multi site which I’ve added to the .htaccess file and I’ll wait until tomorrow to see if they have worked.

    I’ve found out why only one of the two webspaces on my server is getting infected and that is I set different levels of checks in the mod_sec firewall.

    The space that did not get hacked I’d set mod_sec to thorough and on the sites on the webspace that did get hacked I’d set mod_sec to fast.

    Whatever happens, tomorrow I’ll set the mod_sec to thorough on the space but I just want to check if the htaccess rules work against the injections.

    Not sure the search of base64 would help as the hacks were encoded in hex.

    Thanks for the input
    Kevin


The topic ‘Help with htaccess security and multisite’ is closed to new replies.