
Somebody got into my Wordpress install, but what on earth have they done to my htaccess?

Discussion in 'Web Hosting' started by nobodyelsein, Oct 6, 2014.

  1. nobodyelsein

    nobodyelsein Regular Member

    Joined:
    Mar 24, 2014
    Messages:
    364
    Likes Received:
    103
    Occupation:
    Dunce
    Location:
    This corporeal plane
    This is weird, on a Wordpress install with a highly obscure admin username and password (and no commenting enabled) someone managed to create an admin account with a blank username. The only thing they appear to have done is add chunks like the below into the htaccess.

    Code:
    RewriteCond %{REQUEST_URI} !^.*[^/]$
    RewriteCond %{REQUEST_URI} !^.*//.*$
    RewriteCond %{REQUEST_METHOD} !POST
    RewriteCond %{QUERY_STRING} !.*=.*
    RewriteCond %{HTTP:Cookie} !^.*(comment_author_|wordpress_logged_in|wp-postpass_).*$
    RewriteCond %{HTTP:X-Wap-Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
    RewriteCond %{HTTP_USER_AGENT} !^.*(2.0\ MMP|240x320|400X240|AvantGo|BlackBerry|Blazer|Cellphone|Danger|DoCoMo|Elaine/3.0|EudoraWeb|Googlebot-Mobile|hiptop|IEMobile|KYOCERA/WX310K|LG/U990|MIDP-2.|MMEF20|MOT-V|NetFront|Newt|Nintendo\ Wii|Nitro|Nokia|Opera\ Mini|Palm|PlayStation\ Portable|portalmmm|Proxinet|ProxiNet|SHARP-TQ-GX10|SHG-i900|Small|SonyEricsson|Symbian\ OS|SymbianOS|TS21i-10|UP.Browser|UP.Link|webOS|Windows\ CE|WinWAP|YahooSeeker/M1A1-R2D2|iPhone|iPod|Android|BlackBerry9530|LG-TU915\ Obigo|LGE\ VX|webOS|Nokia5800).* [NC]
    RewriteCond %{HTTP_user_agent} !^(w3c\ |w3c-|acs-|alav|alca|amoi|audi|avan|benq|bird|blac|blaz|brew|cell|cldc|cmd-|dang|doco|eric|hipt|htc_|inno|ipaq|ipod|jigs|kddi|keji|leno|lg-c|lg-d|lg-g|lge-|lg/u|maui|maxo|midp|mits|mmef|mobi|mot-|moto|mwbp|nec-|newt|noki|palm|pana|pant|phil|play|port|prox|qwap|sage|sams|sany|sch-|sec-|send|seri|sgh-|shar|sie-|siem|smal|smar|sony|sph-|symb|t-mo|teli|tim-|tosh|tsm-|upg1|upsi|vk-v|voda|wap-|wapa|wapi|wapp|wapr|webc|winw|winw|xda\ |xda-).* [NC]
    RewriteCond %{HTTP:Accept-Encoding} gzip
    RewriteCond %{HTTPS} !on
    RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html.gz -f
    RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html.gz" [L]
    I've deleted their account, manually blocked their IP and replaced the salt strings in wp-config (which lives outside the document root) and have cleared this junk from htaccess, but I'm just curious as to what on earth they're trying to do? Create redirects? Can't be spamming as my host would have shut the site down.
     
  2. saadad

    saadad Junior Member

    Joined:
    Feb 25, 2009
    Messages:
    168
    Likes Received:
    22
    Home Page:
    Your website is hacked, you need to clean it or restore a backup. This code alone is not really doing anything special, but there must be some hidden code inside your files. This is maybe a pharma attack. Check webmaster tools and see if they send you some warnings.
     
  3. peetrike

    peetrike Power Member

    Joined:
    Aug 19, 2012
    Messages:
    585
    Likes Received:
    216
    Location:
    Estonia
    Seems like they redirect the mobile traffic to their own offer. If they have access to your wp then it's very easy to change the .htaccess too.

    Cheers
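To see concretely which visitors the rule chain quoted in the first post applies to, and where it sends them, here is a small Python evaluator added by the editor; it is not code from the thread, from WordPress or from Apache. It assumes a constructed document root, host name (example.com), cache file and request headers, trims the two long user-agent lists to a few entries, and models only the subset of mod_rewrite semantics the block uses (AND-ed RewriteCond lines, `!` negation, `[NC]`, the `-f` file test and `$1`/`%{VAR}` substitution; `[OR]` chains are not supported). A second function does the triage a defender wants on a modified .htaccess: list any chain whose target is an absolute URL or that carries an `[R]` redirect flag.

```python
import re

# Constructed sample (not verbatim from the thread): the rewrite block the first post
# quotes, with the two long user-agent alternations trimmed to a few entries.
SAMPLE_HTACCESS = r"""
RewriteCond %{REQUEST_URI} !^.*[^/]$
RewriteCond %{REQUEST_URI} !^.*//.*$
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{QUERY_STRING} !.*=.*
RewriteCond %{HTTP:Cookie} !^.*(comment_author_|wordpress_logged_in|wp-postpass_).*$
RewriteCond %{HTTP:X-Wap-Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{HTTP:Profile} !^[a-z0-9\"]+ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(iPhone|iPod|Android|Opera\ Mini|Windows\ CE).* [NC]
RewriteCond %{HTTP:Accept-Encoding} gzip
RewriteCond %{HTTPS} !on
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html.gz -f
RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html.gz" [L]
"""
# Constructed contrast case: a chain that sends mobile visitors to another host.
SAMPLE_OFFHOST = r"""
RewriteCond %{HTTP_USER_AGENT} (iPhone|Android) [NC]
RewriteRule ^(.*)$ http://off-host.invalid/landing [R=302,L]
"""
TOKEN = re.compile(r'"[^"]*"|(?:[^\s\\"]|\\.)+')  # split on unescaped whitespace

def tokenize(line):
    """Tokenize one directive, dropping the double quotes around a quoted argument."""
    return [t[1:-1] if t.startswith('"') else t for t in TOKEN.findall(line)]

def parse(text):
    """Group every RewriteRule with the RewriteCond lines that precede it."""
    chains, conds = [], []
    for raw in text.splitlines():
        parts = tokenize(raw.strip())
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "rewritecond":
            conds.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
        elif parts[0].lower() == "rewriterule":
            chains.append({"conds": conds, "pattern": parts[1], "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            conds = []
    return chains

def expand(s, req, groups):
    """Substitute %{VAR} server variables and $N back-references from the rule match."""
    s = re.sub(r"%\{([^}]+)\}", lambda m: req.get(m.group(1), ""), s)
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1))], s)

def cond_holds(test, pattern, flags, req, groups, existing_files):
    """One RewriteCond: regex or -f file test, '!' negation, [NC] case folding."""
    value = expand(test, req, groups)
    negate = pattern.startswith("!")
    pattern = pattern[1:] if negate else pattern
    if pattern == "-f":  # file-exists test, answered from a constructed file list
        result = re.sub(r"/{2,}", "/", value) in existing_files
    else:
        result = re.search(pattern, value, re.I if "NC" in flags.upper() else 0) is not None
    return result != negate

def evaluate(text, req, existing_files=frozenset()):
    """Target of the first chain whose conditions all hold, else None. Simplified: per-directory
    (.htaccess) matching strips the leading slash the pattern sees; AND-ed conditions only."""
    path = req["REQUEST_URI"].lstrip("/")
    for chain in parse(text):
        m = re.search(chain["pattern"], path)
        if m is None:
            continue
        groups = [m.group(0), *m.groups()]
        if all(cond_holds(t, p, f, req, groups, existing_files) for t, p, f in chain["conds"]):
            return expand(chain["target"], req, groups)
    return None

def suspicious_targets(text):
    """Defender's triage: chains whose target is an absolute URL or that carry an [R] flag."""
    return [(c["pattern"], c["target"], c["flags"]) for c in parse(text)
            if re.match(r"https?://", c["target"], re.I)
            or re.search(r"\bR(=\d+)?\b", c["flags"].upper())]

# Constructed requests against a constructed document root and one cached page.
BASE = {"DOCUMENT_ROOT": "/var/www/html", "SERVER_NAME": "example.com",
        "REQUEST_URI": "/about/", "REQUEST_METHOD": "GET", "QUERY_STRING": "",
        "HTTP:Cookie": "", "HTTP:X-Wap-Profile": "", "HTTP:Profile": "",
        "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0",
        "HTTP:Accept-Encoding": "gzip, deflate", "HTTPS": "off"}
CACHE_FILES = frozenset({"/var/www/html/wp-content/cache/supercache/example.com/about/index.html.gz"})

def desktop_visitor():
    return evaluate(SAMPLE_HTACCESS, BASE, CACHE_FILES)

def mobile_visitor():
    ua = "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) Safari/9537.53"
    return evaluate(SAMPLE_HTACCESS, {**BASE, "HTTP_USER_AGENT": ua}, CACHE_FILES)

def logged_in_visitor():
    return evaluate(SAMPLE_HTACCESS, {**BASE, "HTTP:Cookie": "wordpress_logged_in_x=1"}, CACHE_FILES)

if __name__ == "__main__":
    print(desktop_visitor(), mobile_visitor(), logged_in_visitor(), sep="\n")
    print(suspicious_targets(SAMPLE_HTACCESS), suspicious_targets(SAMPLE_OFFHOST))
```

Run as-is it evaluates three constructed requests: a desktop browser accepting gzip is rewritten to the cached `index.html.gz` under `wp-content/cache/supercache`; a visitor with an iPhone user agent, and one carrying a `wordpress_logged_in` cookie, fall through the chain untouched because the negated conditions fail for them. The doubled slash in the desktop result comes from `$1` capturing the trailing slash of `about/`, which the filesystem lookup tolerates. `suspicious_targets` returns nothing for the thread's block and flags the constructed off-host chain, which is the kind of rewrite to look for first when an .htaccess has been changed without your knowledge.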
     
  4. IceHD

    IceHD Jr. VIP Jr. VIP Premium Member

    Joined:
    May 8, 2013
    Messages:
    485
    Likes Received:
    198
    Occupation:
    SEO, SEM, HTML5&CSS3 Coder
    Location:
    Not Romania
    Start using Wordfence, and never use "admin" as a user; change it to something unique.
    Check your php files, some piece of code has to be present.
     
  5. nobodyelsein

    nobodyelsein Regular Member

    Joined:
    Mar 24, 2014
    Messages:
    364
    Likes Received:
    103
    Occupation:
    Dunce
    Location:
    This corporeal plane
    This happened with Wordfence on watch!
     
  6. sysco32

    sysco32 Jr. VIP Jr. VIP Premium Member

    Joined:
    Feb 5, 2014
    Messages:
    502
    Likes Received:
    198
    Location:
    Skopje/Pecs
    I had the same. They created 4 admins. I dunno what else they did... so I deleted everything from the hosting and database and put back everything from the start. It was some work, but no other way to be sure.
    The funny thing is that I had Wordfence and another firewall also. Now I am using something else... just don't remember the name.