[Resolved] .htaccess file overwritten – new form of malware?

  • cynthia_rj
    Member

    @cynthia_rj

    Hi Eli –

    I am writing because, in my experience, you have the best anti-malware plug-in around for developer types. It is far superior to things like Sucuri or Wordfence, and in fact, has helped me find hacks that even Sucuri’s paid service has not resolved. (Yes – I’ve donated!)

    Anyway. Today I have come across a new form of hack. I have a client site where the home page is visible, but any URL to a menu – any Permalink – does not work. The reason is that the .htaccess file written by WordPress gets replaced within a few minutes by an .htaccess file written by the malware. This appears to be some type of SQL injection hack. The PHP files I have removed from the client’s file structure include a file called startup.php in the root file system and a file called something like inxstat.php in the wp-content directory that contains about 20KB of gibberish.

    Running Anti-Malware subsequent to removing the files turns up nothing of interest. Yet I wait a little while and the hack returns.

    I am wondering if you have seen this one before. The folks at GoDaddy said that this is the first they have seen of it – but they’ve had several instances today. I am happy to work with you directly if you would like to examine it first hand.

    The affected site is http://www.clace.us/ – all plug-ins & themes are at current versions and WP is updated to 3.9.2.

    Regards,
    Cynthia Traxler

    https://wordpress.org/plugins/gotmls/

Viewing 15 replies - 1 through 15 (of 30 total)
  • Plugin Author Eli
    Participant

    @scheeeli

    Thanks Cynthia,
    I would like to work directly with you on this. I would love to see these new threats first hand so I can add them to my definition updates. Would you be willing to send me a WP Admin login for this site? You can send it directly to my email: eli AT gotmls DOT net

    P.S. I have been without power or internet since the hurricane hit last Thursday so I may be a little slow to respond.

    Aloha, Eli

    Plugin Author Eli
    Participant

    @scheeeli

    Hi Cynthia,
    Thanks for sending me a login and attaching those files. I registered my plugin on this site using your email address and downloaded the latest Definition Updates. I don’t have enough time to finish scanning but it was already finding some threats before I got cut off.

    Could you run a Complete Scan and click the Automatic Fix button on those threats that it finds? Then see if the site is clean or if there are still infections that were missed.

    I’ll try again later when I can get back online.

    Aloha, Eli

    cynthia_rj
    Member

    @cynthia_rj

    Hi Eli –

    I ran the scan and your plugin found 5 PHP files and one backdoor script. I clicked on the auto-fix and all six were dealt with successfully.

    I then went to the host and removed the bad .htaccess file, then reset permalinks on WordPress. Site is back, for now.

    I will continue to monitor. I’ll send another status report in the morning. If this is done, maybe you can suggest good post hack tasks. I imagine changing salts and dbase password is probably a start.

    Thanks so much for your help!
    Cynthia

    cdmaketrax
    Member

    @cdmaketraxgmailcom

    Well – it is almost 24 hours later and the site is still up. I also went into the file system and looked manually for the files that used to reappear a few minutes after resetting permalinks. As you might expect, they are not coming back to haunt me.

    I also had an active discussion going with the WordPress experts group on LinkedIn regarding this hack. I made sure to give this plug-in and your assistance a big “thumbs up”. Hopefully more people will now learn what an awesome tool it is!!

    Thanks for your help – and if you do have post cleanup suggestions for this site, please do let me know.

    You rock!
    Cynthia

    Plugin Author Eli
    Participant

    @scheeeli

    Mahalo Cynthia,

    I’ll mark this topic “resolved”, but feel free to contact me again if you ever need more help.

    Aloha, Eli

    cynthia_rj
    Member

    @cynthia_rj

    Hi Eli –

    Well it took longer this time, but the hack is back. I went into the root directory and removed these files:

    h-s.txt
    s-g.txt
    starting.php

    Then I deleted the .htaccess file & regenerated the permalinks. After that I changed permissions on .htaccess from 640 to 440, although if the hack script is writing as “owner” maybe they have code to change the permissions back to 640 if they need to.

    Would you please take another look at this to see why this continues to occur?

    Mahalo,
    Cynthia

    cynthia_rj
    Member

    @cynthia_rj

    Hi again –

    I took another look at the file structure for current date stamps. For 8/13/14 I see:

    wp-content/themes/classic-theme3/gallery-single-template.php
    wp-content/themes/classic-theme3/gallery-template.php

    I did not update the theme on that date, as no updates have been available since WP3.0 (client insisted on this theme over my objections that it was out-of-date & unsupported …)

    Also, there is no value in keeping that folder called oldsite_032313 where the backdoor script was found – shall I delete it or do you want to look around within it? I’d really like to know what the source of this hack was originally just for education purposes (mine, the client).

    Thanks again,
    Cynthia

    Plugin Author Eli
    Participant

    @scheeeli

    I’ll take another look. I’m running a Complete Scan now.

    I would suggest deleting the oldsite_032313 backup folder and any other tainted backups.

    I’ll let you know what I find …

    cynthia_rj
    Member

    @cynthia_rj

    I’ve deleted that folder. Do let me know what you find out. I am out of the office for the day, but will check my email tonight if I can be useful to the process – just let me know.

    Cynthia

    Plugin Author Eli
    Participant

    @scheeeli

    Thanks for that, it really speeds up the scan and I think there could have been other hacked files in that backup folder too.

    I have added the htaccess hack to my Definition Updates so that it can be automatically fixed without you having to delete it and manually recreate it if it gets hacked again. I still have not found the root cause of this hack or any specific vulnerability that could be letting the hacker reinfect your site. I will keep looking but it would be most helpful if I can look at the hacked files right after they are infected and before they are fixed or modified, so that I can get an accurate timestamp of when they were changed. Then we can search the raw access log file to see if there is any evidence of how they were changed.

    Those two theme files you mentioned look fine:
    wp-content/themes/classic-theme3/gallery-single-template.php
    wp-content/themes/classic-theme3/gallery-template.php
    I’m not sure why they were updated but it would seem they were modified responsibly (possibly an update/upgrade).

    There is also a folder called newsite_b4_port that may have a whole other installation of WordPress in it. This could have its own vulnerabilities. Do you know if it serves a purpose or if it can be removed as well?

    Aloha, Eli
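
The timestamp-to-access-log correlation described in the reply above, as an added example that is not part of the original thread or of the plugin's code. It assumes a POSIX host and the Apache "combined" log format; the log lines, IP addresses, paths and the change time below are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Assumption: Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def file_change_time(path):
    """Latest of mtime/ctime as UTC. On POSIX, ctime still moves when mtime
    is backdated, so the later value is the safer pivot for the log search."""
    st = os.stat(path)
    return datetime.fromtimestamp(max(st.st_mtime, st.st_ctime), tz=timezone.utc)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-HTTP request line: skip it
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(changed_at, log_lines, before_s=120, after_s=5):
    """Requests logged shortly before a file changed, POSTs listed first."""
    lo = changed_at - timedelta(seconds=before_s)
    hi = changed_at + timedelta(seconds=after_s)
    hits = [r for r in map(parse_line, log_lines) if r and lo <= r["ts"] <= hi]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["ts"]))

# Constructed sample data (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Aug/2014:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Aug/2014:10:14:20 +0000] "GET /about/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [14/Aug/2014:10:14:35 +0000] "POST /wp-content/uploads/example.php HTTP/1.1" 200 12 "-" "-"',
    '192.0.2.44 - - [14/Aug/2014:10:14:40 +0000] "-" 408 0 "-" "-"',
    '198.51.100.7 - - [14/Aug/2014:10:40:00 +0000] "GET /contact/ HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
]
SAMPLE_CHANGED_AT = datetime(2014, 8, 14, 10, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # On a real host: changed_at = file_change_time("/path/to/docroot/.htaccess")
    for r in requests_near(SAMPLE_CHANGED_AT, SAMPLE_LOG):
        print(r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

The comparison is timezone-aware, so a log written in local time with a `-1000` style offset lines up correctly with the UTC file time.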

    cynthia_rj
    Member

    @cynthia_rj

    Hi Eli –

    Thanks for the detailed info. The folder newsite_b4_port can probably also be deleted. I can’t remember now why I saved the version that way instead of a Backup Buddy tar file, but I will take a look and get rid of it or at least archive it off site.

    I will let you know about anything I find, too, and not delete it so that you can compare it to the access log as suggested.

    Thanks,
    Cynthia

    caramaple
    Member

    @caramaple

    Any solution on this? I am struggling with the exact same problem 🙁 Thanks for letting me know!

    cynthia_rj
    Member

    @cynthia_rj

    Sorry to hear that …

    Eli’s plug-in does clear the issue for me, but it comes back eventually. To block that behavior, I run a scan, clean stuff up, then manually delete the .htaccess file from root. I then reset permalinks, go back to the root directory and set permissions on .htaccess to 400 so it cannot be overwritten. I think Eli added some support to clean up the .htaccess file since the last time I did the manual method, but you would still need to do the permissions change on the good file to protect it.

    I’ll let Eli chime in on that. Also, we are both monitoring my client’s site for reoccurrence in hopes of finding what is making the hack come back when I don’t have the .htaccess file protected.

    Cynthia

    Plugin Author Eli
    Participant

    @scheeeli

    Cynthia,
    Just 20 minutes ago your site was reinfected with the same files being added to the root directory as before. However, the .htaccess file was unaffected this time. It would seem the permission change you made to that file has had the desired effect of protecting it that you had hoped it would. Furthermore, the nearness of this latest attack to the present may give us some insight into the source or root cause of the repeated infection.

    caramaple,
    As I am still working on this one I cannot say I have a solution for you just yet. However, just as Cynthia has stated, my plugin should be able to remove the effects of this hack and restore your site to its normal functioning until the root cause can be determined. Once I find the cause I will release a Definition Update that should help you find and repair the root vulnerability.

    caramaple
    Member

    @caramaple

    Thanks so much, Cynthia and Eli, I will try your suggestions! Keep me updated, please 🙂

  • The topic ‘[Resolved] .htaccess file overwritten – new form of malware?’ is closed to new replies.