Hacked - shell creating .htaccess files, redirecting to .RU sites

Unfortunately my last topic was closed within minutes of posting it, not allowing discussion or perhaps insight from someone who came across a similar bug.

Here it is
Recently I have been hacked. In miscellaneous folders, I have found .htaccess with garbage that redirects to miscellaneous Russian sites. (well, English spamvertisements for .ru)

Upon poking around, it seems that a bad wp-xml.php file is allowing it to act as a shell. However, I do not know what infected that.

My suspect is some bad plugin. Most of my plugins are from WPMUDEV, and other known sources like Modern Tribe, Gravity Forms, etc.

My themes are mostly from Themify, WPMUDEV (although most are old and outdated), and a few other paid sources. Very few free ones, and they've been checked with the Theme Auth Checker, and reviewed manually.

Any ideas on what I can do to help hunt it down? I'm running a cPanel/WHM LAMP type box

  • in-mn

    Also - I plan on removing all my files and reuploading fresh after passwords and such have been changed.

    I assume delete everything except WordPress content

    ie

    wp-content/uplds/

    As well as exercising caution when removing the themes folders (fix CSS issues).

    Few plugins have had any mods done, and most are raw.

    Side note, I forgot the command to find all the .htaccess files on my server to delete them. I am on a VPS, and that makes me paranoid when it comes to .htaccess removal

    Suggestions?

  • Justin

    Hi in-mn,

    Typically there's a script or a file that has been exploited which allowed the uploading of a PHP shell to the account. This could be some older files on the server or some older accounts in your cPanel that have gone un-updated or unattended. I remember there were some nasty XMLRPC exploits previously.

    Do you have Joomla installed on the same account?...

    Either way, make a copy of your log files for that time period and upload them to your server admin or wherever you have your site hosted at and usually they'll run through your system with a script that will remove them.

    If you have any old software on your system at all or unused plugins or anything of that nature, get rid of them or update them.

    Then reset all your passwords. It's not exactly a solution but hope that steers you in the right direction.

  • James Dunn

    Good day @in-mn

    When you posted originally, I revisited some posts in another forum where I had seen this a few weeks/months back and here's some of the advice that was given that seemed to help several people that were having similar problems:

    You've a lot of work and reading ahead of you. You have already made a great start with password changes, if you haven't already give these a read.

    Backup everything and put that somewhere safe off of your server. This is your safety net.

    http://codex.wordpress.org/WordPress_Backups
    http://codex.wordpress.org/Backing_Up_Your_Database
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    Once that's safely put away, give these a read.

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://wordpress.org/support/topic/268083#post-1065779
    http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    http://ottopress.com/2009/hacked-wordpress-backdoors/

    When possible, you'll need to replace all of your files with good ones from the source. Once you've reached the Happy Place™ consider doing this.

    http://codex.wordpress.org/Hardening_WordPress

    It will make automated updates a manual thing (locking down the file system) but until you're confident the site is secure that's probably not a bad thing. When you're convinced it's all good, then you can relax the file system restrictions back to normal.

    You may also wish to read the following post:

    http://redleg-redleg.blogspot.com/2012/01/malicious-htaccess-redirect-re-written.html

    Regardless, there's not going to be a "pat" answer that you can apply a couple of "fixes" and get on with life. Reality is, someone has hacked you. Now, you've got work ahead of you to fix the problem, find the backdoor, close up that back door permanently, and then decide your steps to try to prevent it in the future.

    I could spend the next three hours writing you a thesis on all the possibilities that could have caused this - and still not get the exact one that caused your situation. I'm certain there are others here that could do the same. Doing so would not serve you, me, or the community. All would be best served by more information from you as was stated in the other thread that was closed.

    BTW, that thread was not closed because no one wanted to help you. It was closed because you were given some information to consider so that you could come back with more specific information - because let's face it, your information you've given is a bit minimal even though you've written many words. A staff member - not just a lowly community member like me - gave you that advice. It didn't solve your problem with a couple of steps granted, but it did give you some meat to chew on. Regardless, you chose to respond in a rude and belligerent manner. Your response was absolutely unacceptable.

    In that response you asked for some "good advice". Well, that's hard to define. If someone gives you advice that solves your problem, then your perception will be that it was good. However, if anyone's advice does not solve your problem, then you will probably say that it was not good - that's O.K. it's your perception. Regardless, the fact that someone offered that advice demonstrates the value of the community here. The value of that advice to you is irrelevant to whether it's good or not. I've given advice/solutions in the forum that were totally off base. In the correct situation it would be spot on advice, but I had misunderstood the problem at the outset. For that I've never been belittled, scolded, or anything else negative. I've been given a TKU, but this doesn't apply here response at most.

    Personally, I think you should offer @Timothy an apology, but that's entirely up to you.

    O.K. I'm putting my soapbox away now.

    Bottom line is, you've got some work ahead of you - whether you choose to do it yourself or pay someone else to do it. And as Timothy said, it's costly - either in time or money. If you think it's not, then you are sadly mistaken.

    Good luck on your situation here.

    James Dunn
    Athens, GA USA

  • Timothy Bowers

    ...and I don't expect WPMUDEV to solve my problems (Timmy).

    You can call me Tim or Timothy.

    Side note, I forgot the command to find all the .htaccess files on my server to delete them. I am on a VPS, and that makes me paranoid when it comes to .htaccess removal

    To find all:

    find . -type f -name .htaccess

    rm is remove but if you're looking for files outside the root of public_html then you might like to assess the files first before deletion and then remove them manually. If you are using cPanel then Horde will have them I believe, maybe others too.

    If it's for files inside the web folder then replacing all the files not just htaccess would be better unless you run a large differential between the hacked and vanilla versions to ensure no code no matter how small was entered elsewhere.

    Unfortunately I've dealt with these a reasonable amount of times now over the years. Fingers crossed they didn't do a SQL injection in your DB.

    Take care.
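As an added example (not from anyone in this thread), here is a small POSIX sh script that builds on the find command above: it lists every .htaccess under a web root and flags only those whose RewriteRule/Redirect lines point at an external http(s):// host, so they can be assessed before anything is removed. The directory layout and the malicious rule (pointing at the placeholder host spam.example) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumes POSIX sh with find, grep and mktemp.

# Print the path of every .htaccess under $1 whose RewriteRule / Redirect /
# RedirectMatch / RedirectPermanent line targets an external http(s):// URL.
# Review each hit by hand: a legitimate "force HTTPS" rule also matches.
find_suspicious_htaccess() {
    find "$1" -type f -name .htaccess -print 2>/dev/null | while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[[:space:]].*https?://' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of flagged files, as a plain integer (handy for a quick summary or a test).
count_suspicious_htaccess() {
    find_suspicious_htaccess "$1" | wc -l | tr -d ' '
}

# Build a constructed demo tree: one normal WordPress .htaccess in the web root,
# one injected .htaccess in wp-content/uploads that redirects search-engine
# visitors to an external host (the pattern described in the thread).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/wp-content/uploads" "$d/public_html/wp-includes"
    cat > "$d/public_html/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
EOF
    cat > "$d/public_html/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule .* http://spam.example/ [R=302,L]
EOF
    printf '%s\n' "$d"
}

# Stand-alone run: build the demo tree, print the flagged files, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_tree)
    find_suspicious_htaccess "$demo"
    rm -rf "$demo"
fi
```

Run it against a real tree with `find_suspicious_htaccess /home/user/public_html`; it only reports, it never deletes, which matches the advice above to assess files before removing them.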
