Anti-Malware and Brute-Force Security by ELI
[resolved] .htaccess file overwritten - new form of malware? (31 posts)

  1. cynthia_rj
    Member
    Posted 11 months ago #

    Hi Eli -

    I am writing because, in my experience, you have the best anti-malware plug-in around for developer types. It is far superior to things like Sucuri or Wordfence, and in fact, it has helped me find hacks that even Sucuri's paid service has not resolved. (Yes - I've donated!)

    Anyway. Today I have come across a new form of hack. I have a client site where the home page is visible, but any URL to a menu - any Permalink - does not work. The reason is that the .htaccess file written by WordPress gets replaced within a few minutes by an .htaccess file written by the malware. This appears to be some type of SQL injection hack. The PHP files I have removed from the client's file structure include a file called startup.php in the root file system and a file called something like inxstat.php in the wp-content directory that contains about 20KB of gibberish.

    Running Anti-Malware subsequent to removing the files turns up nothing of interest. Yet I wait a little while and the hack returns.

    I am wondering if you have seen this one before. The folks at GoDaddy said that this is the first they have seen of it - but they've had several instances today. I am happy to work with you directly if you would like to examine it first hand.

    The affected site is http://www.clace.us/ - all plug-ins & themes are at current versions and WP is updated to 3.9.2.

    Regards,
    Cynthia Traxler

    https://wordpress.org/plugins/gotmls/

  2. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks Cynthia,
    I would like to work directly with you on this. I would love to see these new threats first hand so I can add them to my definition updates. Would you be willing to send me a WP Admin login for this site? You can send it directly to my email: eli AT gotmls DOT net

    P.S. I have been without power or internet since the hurricane hit last Thursday so I may be a little slow to respond.

    Aloha, Eli

  3. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Hi Cynthia,
    Thanks for sending me a login and attaching those files. I registered my plugin on this site using your email address and downloaded the latest Definition Updates. I don't have enough time to finish scanning but it was already finding some threats before I got cut off.

    Could you run a Complete Scan and click the Automatic Fix button on those threats that it finds? Then see if the site is clean or if there are still infections that were missed.

    I'll try again later when I can get back online.

    Aloha, Eli

  4. cynthia_rj
    Member
    Posted 11 months ago #

    Hi Eli -

    I ran the scan and your plugin found 5 PHP files and one backdoor script. I clicked on the auto-fix and all six were dealt with successfully.

    I then went to the host and removed the bad .htaccess file, then reset permalinks on WordPress. Site is back, for now.

    I will continue to monitor. I'll send another status report in the morning. If this is done, maybe you can suggest good post hack tasks. I imagine changing salts and dbase password is probably a start.

    Thanks so much for your help!
    Cynthia

  5. cdmaketrax
    Member
    Posted 11 months ago #

    Well - it is almost 24 hours later and the site is still up. I also went into the file system and looked manually for the files that used to reappear a few minutes after resetting permalinks. As you might expect, they are not coming back to haunt me.

    I also had an active discussion going with the WordPress experts group on LinkedIn regarding this hack. I made sure to give this plug-in and your assistance a big "thumbs up". Hopefully more people will now learn what an awesome tool it is!!

    Thanks for your help - and if you do have post cleanup suggestions for this site, please do let me know.

    You rock!
    Cynthia

  6. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Mahalo Cynthia,

    I'll mark this topic "resolved", but feel free to contact me again if you ever need more help.

    Aloha, Eli

  7. cynthia_rj
    Member
    Posted 11 months ago #

    Hi Eli -

    Well it took longer this time, but the hack is back. I went into the root directory and removed these files:

    h-s.txt
    s-g.txt
    starting.php

    Then I deleted the .htaccess file & regenerated the permalinks. After that I changed permissions on .htaccess from 640 to 440, although if the hack script is writing as "owner" maybe they have code to change the permissions back to 640 if they need to.

    Would you please take another look at this to see why this continues to occur?

    Mahalo,
    Cynthia

  8. cynthia_rj
    Member
    Posted 11 months ago #

    Hi again -

    I took another look at the file structure for current date stamps. For 8/13/14 I see:

    wp-content/themes/classic-theme3/gallery-single-template.php
    wp-content/themes/classic-theme3/gallery-template.php

    I did not update the theme on that date, as no updates have been available since WP3.0 (client insisted on this theme over my objections that it was out-of-date & unsupported ...)

    Also, there is no value in keeping that folder called oldsite_032313 where the backdoor script was found - shall I delete it or do you want to look around within it? I'd really like to know what the source of this hack was originally, just for education purposes (mine and the client's).

    Thanks again,
    Cynthia

  9. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    I'll take another look. I'm running a Complete Scan now.

    I would suggest deleting the oldsite_032313 backup folder and any other tainted backups.

    I'll let you know what I find ...

  10. cynthia_rj
    Member
    Posted 11 months ago #

    I've deleted that folder. Do let me know what you find out. I am out of the office for the day, but will check my email tonight if I can be useful to the process - just let me know.

    Cynthia

  11. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks for that, it really speeds up the scan and I think there could have been other hacked files in that backup folder too.

    I have added the htaccess hack to my Definition Updates so that it can be automatically fixed without you having to delete it and manually recreate it if it gets hacked again. I still have not found the root cause of this hack or any specific vulnerability that could be letting the hacker reinfect your site. I will keep looking, but it would be most helpful if I can look at the hacked files right after they are infected and before they are fixed or modified, so that I can get an accurate timestamp of when they were changed. Then we can search the raw access log file to see if there is any evidence of how they were changed.

    Those two theme files you mentioned look fine:
    wp-content/themes/classic-theme3/gallery-single-template.php
    wp-content/themes/classic-theme3/gallery-template.php
    I'm not sure why they were updated but it would seem they were modified responsibly (possibly an update/upgrade).

    There is also a folder called newsite_b4_port that may have a whole other installation of WordPress in it. This could have its own vulnerabilities. Do you know if it serves a purpose or if it can be removed as well?

    Aloha, Eli

  12. cynthia_rj
    Member
    Posted 11 months ago #

    Hi Eli -

    Thanks for the detailed info. The folder newsite_b4_port can probably also be deleted. I can't remember now why I saved the version that way instead of a Backup Buddy tar file, but I will take a look and get rid of it or at least archive it off site.

    I will let you know about anything I find, too, and not delete it so that you can compare it to the access log as suggested.

    Thanks,
    Cynthia

  13. caramaple
    Member
    Posted 11 months ago #

    Any solution on this? I am struggling with the exact same problem :( Thanks for letting me know!

  14. cynthia_rj
    Member
    Posted 11 months ago #

    Sorry to hear that ...

    Eli's plug-in does clear the issue for me, but it comes back eventually. To block that behavior, I run a scan, clean stuff up, then manually delete the .htaccess file from root. I then reset permalinks, go back to the root directory and set permissions on .htaccess to 400 so it cannot be overwritten. I think Eli added some support to cleanup the .htaccess file since the last time I did the manual method, but you would still need to do the permissions change on the good file to protect it.

    I'll let Eli chime in on that. Also, we are both monitoring my client's site for reoccurrence in hopes of finding what is making the hack come back when I don't have the .htaccess file protected.

    Cynthia

  15. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Cynthia,
    Just 20 minutes ago your site was reinfected with the same files being added to the root directory as before. However, the .htaccess file was unaffected this time. It would seem the permission change you made to that file has had the desired effect of protecting it that you had hoped it would. Furthermore, the nearness of this latest attack to the present may give us some insight into the source or root cause of the repeated infection.

    caramaple,
    As I am still working on this one I cannot say I have a solution for you just yet. However, just as Cynthia has stated, my plugin should be able to remove the effects of this hack and restore your site to its normal functioning until the root cause can be determined. Once I find the cause I will release a Definition Update that should help you find and repair the root vulnerability.

  16. caramaple
    Member
    Posted 11 months ago #

    Thanks so much, Cynthia and Eli, I will try your suggestions! Keep me updated, please :)

  17. caramaple
    Member
    Posted 11 months ago #

    Just a question - if I set permissions on .htaccess to 400 or 440, the website is not working anymore and I get a 403 error. Cynthia, how did you get around this? I am also on GoDaddy.

    Apart from that I installed Eli's plugin (and donated) and keeping my fingers crossed.

  18. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    caramaple,
    Try setting the permissions on the .htaccess file to 444. That would make it read-only to everyone (not changeable by anyone).

    I will let you know when I have more info on the source of this threat.

    Aloha, Eli
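The manual routine Cynthia and Eli settle on above (keep a known-good .htaccess, detect when it has been swapped, put the good one back and leave it at mode 444) as an added example that is not part of the thread or of the plugin. It also keeps the tampered copy, with its mtime preserved, in a quarantine folder so it can be matched against the access log before it is overwritten. All paths and file contents are constructed in demo().

```python
"""Check a WordPress .htaccess against a known-good copy; quarantine and restore on mismatch."""
import hashlib
import os
import shutil
import stat
import tempfile
import time

READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH  # mode 444, as suggested in the thread


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def check_htaccess(site_root, known_good):
    """Return 'ok', 'missing' or 'modified' for site_root/.htaccess."""
    target = os.path.join(site_root, ".htaccess")
    if not os.path.exists(target):
        return "missing"
    return "ok" if sha256_of(target) == sha256_of(known_good) else "modified"


def restore_htaccess(site_root, known_good, quarantine_dir):
    """Keep the current file (mtime intact) in quarantine, then install the good copy read-only."""
    target = os.path.join(site_root, ".htaccess")
    kept = None
    if os.path.exists(target):
        stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(os.stat(target).st_mtime))
        kept = os.path.join(quarantine_dir, "htaccess." + stamp)
        shutil.copy2(target, kept)                          # copy2 preserves the timestamp
        os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)       # owner must be able to overwrite it
    shutil.copyfile(known_good, target)
    os.chmod(target, READ_ONLY)
    return kept


def demo():
    """Constructed scenario: missing file, tampered file, restore. Returns (states, mode, kept)."""
    root = tempfile.mkdtemp()
    good, site, quarantine = (os.path.join(root, n) for n in ("htaccess.known-good", "site", "q"))
    os.mkdir(site); os.mkdir(quarantine)
    with open(good, "w") as f:
        f.write("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
    states = [check_htaccess(site, good)]
    with open(os.path.join(site, ".htaccess"), "w") as f:
        f.write("RewriteEngine Off\n# constructed tampered content\n")
    states.append(check_htaccess(site, good))
    kept = restore_htaccess(site, good, quarantine)
    states.append(check_htaccess(site, good))
    mode = stat.S_IMODE(os.stat(os.path.join(site, ".htaccess")).st_mode)
    shutil.rmtree(root)
    return states, mode, kept is not None
```

Run check_htaccess from cron against the copy you saved right after regenerating permalinks; a "modified" result is the moment to grab the file's mtime and go to the access log.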

  19. caramaple
    Member
    Posted 11 months ago #

    Eli - great that worked, - thanks so much for all your help!

  20. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    caramaple,
    I found the backdoor on Cynthia's site. It was a Perl file in the cgi directory. I have added it to my Definition Updates. You should download the latest Definition Update on the Anti-Malware Settings page in your WP Admin, then run another Complete Scan and let me know if it finds it and fixes it for you.

    Aloha, Eli

  21. caramaple
    Member
    Posted 11 months ago #

    Eli, thanks for the update. It found a 'known threat' in the wp-includes/js/main.is and some other files. I realised that I only ran a quick scan before and now I did for the first time the complete one.

    How do I know whether it removed the backdoor of this hack now? I guess I just have to wait a couple of days and see, right?

    Thanks for all your help!

  22. caramaple
    Member
    Posted 11 months ago #

    Oh, but looking via FTP I see a cgi.pl file in my cgi directory. Shall I manually delete this?

  23. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    I don't know without looking at it if that cgi.pl file is infected. If it is the same as the one I found on Cynthia's site then my plugin should have found it. Did you download the latest Definition Update?

    Are you scanning the root directory or just the plugins or wp-content?

    If you can download that Perl file and send it to me I will let you know if it should be deleted. If you want to send me your WP Admin login I can check it all out that way too. My direct email is: eli AT gotmls DOT net

    Aloha, Eli

  24. caramaple
    Member
    Posted 11 months ago #

    Thanks Eli - just sent you a private message!

  25. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    Thanks, I was able to verify that your cgi.pl file was another variant of the same backdoor I found on Cynthia's site. I have updated my definitions and my plugin has now removed this threat to your Quarantine.

    Now, as you said, we just have to wait and see if anything comes back. Please scan at least once a day for at least a week and let me know if anything comes back.

    Aloha, Eli

  26. caramaple
    Member
    Posted 11 months ago #

    Eli - thanks so much! Your plugin and work is great. I will follow your advice and inform you in case that anything comes back. Thanks as well to Cynthia for opening this topic!

  27. Eli
    Member
    Plugin Author

    Posted 11 months ago #

    I've been keeping an eye on both your sites and I have not seen this infection return, so I think you are both clean and safe now. I think that last back-door I found was the last threat and the only way those hackers were able to keep re-infecting your site. I am marking this topic as "resolved", but please let me know if either of you find anything new or need any more help with this.

    Thanks to both of you for letting me into your site to find this new threat so I could add it to my definition updates. And thanks for your donations too ;-)

    Aloha, Eli

  28. cynthia_rj
    Member
    Posted 11 months ago #

    Eli - you rock! Mahalo for all of the splendid help.

    Cynthia

  29. kochanski
    Member
    Posted 10 months ago #

    I've been having the same issue. Have followed all the steps mentioned to clean things up and it reappeared a week later. No strange CGI files in my directories, but I checked all files by date (as we don't make updates often and usually know within 12 hours of the site being down) so have removed some cache files and plugins that may have been targeted and aren't really necessary to keep. Guess I'll know soon if it works!

    However, I have a plugin called 404 Redirected that tells me when files aren't found and gives me an option to set-up redirects. Seems that "78 dot 138 dot 104 dot 178" is trying to access gddform.php (one of the main files that appears when the issue is present) after I've deleted it. Thought this may be of interest to you.

    Ohh and in addition to making my htaccess read only, I've set up a redirect for the gddform file to https://www.youtube.com/watch?v=dQw4w9WgXcQ (might not solve the problem, but I hope it sends a message)!

  30. jasonmccarty
    Member
    Posted 8 months ago #

    Having the same problem. I've deleted some of the same files already because they looked strange. I also had folders called Shirt, Stats, coookies, Sagittarius, etc. Deleted those. All in root folder.

    I'm running a complete scan now. How do I know what to delete? Everything that shows up in potential threats?
