I have been well and truly Hacked (54 posts)

  1. wakeupandbreathe
    Posted 4 years ago #

    I cannot access any of my pages /widgets/ anything!
    when logged in I go to any of the above or anything on the sidebar
    and it takes me to : http://bannortimqimulta.ru/industry/index.php

    So i cannot access my site how can I get round this problem?

  2. Phil Gee
    Posted 4 years ago #

    There is malware on your site.
    My friend's site has also been hacked- I think that you're best bet is to take this up with your hosting company.
    We tried cleaning the files via ftp but the malware simply reappeaared within 10 mins
    Also tried changing passwords and user name. Our thoughts were that the only way that htye could get in was through the hosting package.
    Good luck!

  3. Damien
    Posted 4 years ago #

    Hello Wakeupandbreathe,
    What is the name of your hosting company? We encounter a similar problem on one of our blog, hosted on Dreamhost servers.

  4. Phil Gee
    Posted 4 years ago #

    BTW my friend's host was Mid Phase

  5. georg.r
    Posted 4 years ago #

    Hi Phil,
    any idea what you hosting company did to resolve the issue?


  6. Phil Gee
    Posted 4 years ago #

    Hi Geog.r
    The problem has not been resolved as yet
    I found this thread elsewhere though.

    It relates to a VERY similar hack and points to a solution here


    I haven't been through the blog post as yet and there is another developer looking at this problem.

    If you find a solution, please post here,



  7. georg.r
    Posted 4 years ago #

    thank you for your answer and the links.
    I already did an update of wordpress and uploaded new wordpress source files as described in the article. I also noticed that they placed a .htaccess file in every directory, so I deleted them and replaced the htaccess in the root with the original one.
    It seems that they write a cooke on your computer too, so that you are rederected to their site when trying to reach the admin area. Deleting all Cookies and temporary Files of your Browser after cleaning the WordPress installation helps accessing the admin area again.

    I'll wait some time now and see how things change.


  8. wakeupandbreathe
    Posted 4 years ago #

    Hi Everybody thanks for the immediate responses.
    I am with Hostgator have had a few problems before and told Hostgator who just told me it was because the wordpress software is not up to date. I do not accept this but have updated everything. I also had an "expert" look at this and give up.
    However I was able to (a certain extent) access the site I now can't strangely enough Hostgator just told me they logged in without any problem so I send them a video of my login and showed them the redirect to an .ru site as above.
    I'll keep you posted but my feeling is I need to crash the site and build a new one as this is ongoing.

  9. Chris
    Posted 4 years ago #

    I was notified last week by Google about this exact malicious malware being on one of my websites. I started searching and found the malware (redirects) in every single .htaccess file under my account (about 20 different sites). I contact my hosting provider (Bluehost) and they were absolutely no help. I called them multiple times and live chatted but there answer was the same every time, "We don't deal with malware, you might need to delete everything and start over". That's not an option seeing as how some of my sites I started over 3 years ago.

    I noticed, like Phil Gee, that even replacing the .htaccess files with clean files, the corrupted files came back within minutes. I have even deleted an entire website's folder and rested from a clean backup and within minutes, a corrupted .htaccess file was back.

    I've decided that there is more files containing the malicious code that automatically builds the .htaccess files when they are changed or deleted. I just downloaded today's backup of every file and will start scanning them. This literally could take weeks or months, but seeing as how there is no cheap service to do so and how Bluehost does not offer any help, this is what I will have to do.

    If anyone finds any more corrupts files besides the .htaccess files, please post it here.

    Thanks and hopefully we can figure this out!

    Screw you -> http://bannortimqimulta.ru/industry/index.php !!!!!!!!

  10. Hydromantic
    Posted 4 years ago #

    Same here! It seems that they have access to the FTP and it's hard to prevent these htaccess files!! Any help welcome, my provider doesn't help neither!!

  11. wakeupandbreathe
    Posted 4 years ago #

    Well Hostgator told me it was in my Safari Browser that was redirecting my pages and I cleared the cache and it seems OK
    now .
    I have put in Bullet Proof security and see if that helps.

  12. Chris
    Posted 4 years ago #

    Thanks to wakeupandbreathe, I also installed the Bullet Proof Security plugin to the site Google notified be about and scanned my site using, Securi Sitecheck and it is now showing that my site is "CLEAN"! (Earlier, it had listed several pages on my site that were infected)

    I am going to install this plugin to the rest of my WordPress sites. While this isn't a complete fix to the problem because it might not be ridding every file all of the malware, it's a great free solution for the time being. Especially since the malware code are redirects and not actually software uploaded to the sites.

    I will write back once I have successfully installed the plugin to each site, checked for malware and scanned each .htaccess file to make sure they are clean.


  13. Charles Kelley
    Posted 4 years ago #

    I had this same problem occur today. Same website and everything...and I also use BlueHost. Haven't (to my knowledge) installed new plugins to any site listed on my server and no one else has access to my server except me.

    How did you go about cleaning it and fixing it and setting up bullet proof?

  14. Chris
    Posted 4 years ago #

    Install BulletProof, then on the Settings page for BulletProof you'll need to 'Activate' each security mode in a certain order. (or you will get 'warnings' for whatever reason)

    Under the 'Security Modes' Tab, Activate in this order:
    1.Create default .htaccess file
    2. Create secure .htaccess file
    3. Activate Deny All htaccess Folder Protection For The BPS Master htaccess Folder
    4. Activate Deny All htaccess Folder Protection For The BPS Backup Folder
    5. Activate Website Root Folder .htaccess Security Mode
    6. Activate Website wp-admin Folder .htaccess Security Mode

    Next you can click on the 'Security Status' tab and see if there are any errors. You can also run a scan at Securi Sitecheck. Just make sure if you have already scanned your site here, to click the 'rescan' button at the bottom of the page because the site caches your results for like 24 hours.

    The problem is, this seems to only work for a short time. Eventually the BulletProof plugin shows that there is no 'bulletProof Secure .htaccess' file in the root folder. I'm still learning the BulletProof plugin and all of its functionality and will keep posting when I find new things.

  15. Charles Kelley
    Posted 4 years ago #

    That's what I'm running into as well. BulletProof works for about 20 minutes then it rewrites the .htaccess file.

    A good post on it is here, but doesn't contain any resolution thus far:

    Suggestions are that it's a TimThumb hack, which is what BlueHost told me as well.

  16. Charles Kelley
    Posted 4 years ago #

    Timthumb Vulnerability Scanner

    Actually did have loads of my sites running a vulnerable version and 1 out of 20 that seemingly had a vulnerability already loaded in my theme cache folder.

    Let me know if you experience the same.

  17. Charles Kelley
    Posted 4 years ago #

    Didn't help. Updated all WordPress versions to the newest version and scanned all for TimThumb vulnerability, fixing any I saw. Nothing helped. Still rewtriting the .htaccess files. Ughhhh

  18. boyxinfo
    Posted 4 years ago #

    Weird that I have hosting account with LunarPages and they called me 3 days ago asking me if I wanted them to remove the backup server files on my account. I have regular backups of my websites so I told them to delete it. Fast forward days later, I started getting the redirects on my server. Seems they were aware of this going to happen and wanted to remove any backups possible. Kinda sketchy to me plus I just renewed my hosting account with them. I think they are money hungry greedy bastards and are aware of this but havent acted upon this. I will give them a call and see whats going on because I havent been able to resolve this on my own. I correct the htaccess files then minutes later, they rewrite again.

  19. georg.r
    Posted 4 years ago #

    I have installed BulletProof yesterday and the wordpress installation is still clean today. Before installing BulletProof I deleted all htaccess files manually. There was a hacked .htaccess file in the root directory too, not only in the wordpress directory. I deleted that file and place one to block certain Domains. Also gave the rights 644 to protect overwriting. The content of the .htaccess file I placed in the root is:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?http://urlquery.net.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?http://uaroyalysdaliachu.ru.*$ [NC]
    RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?http://bannortimqimulta.ru.*$ [NC]
    RewriteRule .* - [F,L]

    # Protect the htaccess file
    <files .htaccess>
    order allow,deny
    deny from all

    Beside this I noticed that there was placed a directory called "img" in the wp-admin directory (check also wp-include directory). This contained some .html files and images that where placed by the hack. I deleted the whole directory.

    Of course I did a backup before doing any modifications.
    Now I will check the installation regularly and hope that it will remain clean.

  20. Hydromantic
    Posted 4 years ago #

    Could you tell me more about the images names placed by the hack you found?

  21. upango
    Posted 4 years ago #

    I've got exactly the same problem with a few wordpress sites. I've tried so many things... changed passwords, reintalled wordpress, antispyware, code, rewrite .htaccess and change permissions... I note an important thing: even when directories on my server that redirect to the respective URLs are empty, those URLs are redirected to bannor....ru

    I'm trying now to move the content of those directories into others news... How're you going?

  22. Charles Kelley
    Posted 4 years ago #

    @upango - it looks like whatever malicious script that's running just targets any and all files beginning with a . (namely .htaccess) and replaces them, regardless if it's WordPress or not and affecting ALL directories and sub-directories with such a file.

    Running the top command after gaining shell access verified it was a .php file that was running and overloading my server.

    Luckily, upon attempting to backup my directories, Windows Security Essentials of all programs noticed that /wp-includes/unzip.php on one of my many installed contained backdoor script (http://pastebin.com/dfYyMX1a) and seemed to pinpoint the exact problems I was having. Unfortunately, it also gained access to all the database and config files, so now I'm going to have to reset the passwords ASAP and nuke the file.

    In simple, check your installs for sketchy PHP files like this and re-secure your site after finding and nuking them.

    Will keep you updated as to if this is a permenant fix.

  23. upango
    Posted 4 years ago #

    Thank you very much for the info! I'll review and tell you...

  24. Charles Kelley
    Posted 4 years ago #

    Also just discovered another example of malicious code in 'wp-content\uploads\_wp_cache.php'. This time it was malicious code in the form of "<?php preg_replace" which, from what I understand, is encoded base64, and may be the root of all this, as when I ran the TimThumb vulnerability scanner plugin last night, it alerted me that this directory may have already been taken advantage of as timthumb was insecure on one theme of mine.

  25. Charles Kelley
    Posted 4 years ago #

    @georg.r - Just wondering if any of your edits to the permissions of the .htaccess file and edited/blocked .htaccess file did the job? From what I'm experiencing, don't think it would as the script basically makes it seem as though it's you, as it has all your passwords and everything.

  26. brianweidner
    Posted 4 years ago #

    I have the same problem and have been following this post closely. Nothing that I've tried has worked.

    My hosting company (NetFirms) has been no help. They ran a scan and deleted the .htaccess files, but as we know...they get re-generated.

    Thanks for sharing the updates and ideas. Hopefully one of us will solve this issue soon.

  27. Charles Kelley
    Posted 4 years ago #

    Files are almost done downloading. I had ~3gb worth of installs and files on my shared hosting. Will nuke the files, change my passwords and replace the .htaccess files and do a few hour test run and report back later tonight. Fingers crossed.

  28. Charles Kelley
    Posted 4 years ago #

    Okay. Everything looks okay to me and is still going strong and unhacked about 20 minutes later. Knock on wood.

    The steps I took to "clean" my site were and up security were:
    1) Download everything via FTP and export all wordpress data from each instance of WordPress.
    2) From the backup files, run a scan on it with Microsoft Security Essentials (would assume other virus programs would recognize the backdoor files as well). Note any alerts, but allow/ignore the virus scan's request to delete and/or quarantine.
    3) Open your editor (I used Dreamweaver) and open those files containing the malicious code.
    4) Search for any and all files in your backup directory you just downloaded that contain the malicious code. In my case I searched for "<?php preg_replace" and "<?php # Web Shell by oRb" and ended up finding five additional files with this malicious script in the following dirs:

    • /public_html/wp-content/uploads/_cache.php
    • /public_html/***/wp-includes/unzip.php
    • /public_html/*********/wp-includes/unzip.php
    • /public_html/*********/wp-content/uploads/_wp_cache.php
    • /www/wp-content/uploads/_cache.php
    • /www/*********/wp-includes/unzip.php
    • /www/*********/wp-content/uploads/_wp_cache.php

    5) I then went on my server via FTP, deleted those suspicious files.
    6) Then I went on and changed my FTP password, my hosting password, my MySQL password and the password to any MySQL users that wordpress automtically generates when it installs on some hosts.
    7) I edited the wp-config.php files in each WordPress instance directory to contain the new password I just changed.
    8) I loaded those new wp-config.php files to the server in the root of each directory.
    9) I replaced the .htaccess file using BulletProof Security.
    10) I checked my site via Sucuri to make sure no malicious code was running, and all check out fine, and have been for appx 30-40 minutes now.

    Will update you guys a little later this evening and tell you if it's still working.

  29. Charles Kelley
    Posted 4 years ago #

    Still working!

  30. Chris
    Posted 4 years ago #

    Nice. So assuming I have the same files with bad code, I could just skip to step 5? Will deleting those files mess anything up with WordPress or are those files just there for the malicious code?


Topic Closed

This topic has been closed to new replies.

About this Topic