htaccess problem

I have a problem where my htaccess file keeps getting hijacked. It started this week, and I don't know whether it is a rogue plugin or someone able to hack the account. I do know I have been sitting on the account watching it happening.

It is hacking it to redirect everything to a spam site in Russia. I have the chmod set to 444 on .htaccess, and whatever is changing it is still capable of doing so. Any ideas on what I should be doing next? It is throwing .htaccess files into a number of different directories, and other random files for viagra and "You have been sent here because a friend recommended you" html and php pages, also in multiple subdirectories.

  • Jack Kitterhing
    • Code Norris

    Hi there!

    Sorry to hear of the problems you've been having. This can be caused by a number of things; sometimes on WordPress multisites it can be the loopback connection.

    But normally it's an outdated, unsecured plugin or theme. Even if you don't use the theme or plugin, and even if it's not active, it still poses a security risk to your site if it's outdated.

    From what you describe I would say that you've already been hacked and have a rogue script somewhere now, so every time you sort the .htaccess file it will detect it and re-infect.

    It could also be a hacked shell; this has been happening a lot lately and there is info in this thread: https://premium.wpmudev.org/forums/topic/hacked-shell-creating-htaccess-files-redirecting-to-ru-sites

    As it is, there may be multiple .htaccess files; you should be able to use the command Tim suggested there to find them.

    Hope this helps a bit.

    Thanks.

    Kind Regards
    Jack (Coding-Monkey).
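A defender-side version of the sweep described above, added here as an example script. It is not Tim's command from the linked thread and not code from any of the posters; it assumes the site's web root is passed as the first argument, and the host name in the constructed sample files (spam.example.invalid) is a placeholder, not the real redirect target. It lists every .htaccess file under the web root, flags those whose Redirect or RewriteRule directives point at an absolute http(s) URL (the symptom reported in the question), and lists files changed within the last N days so a dropped script such as the wp-xml.php mentioned later in the thread can be found by date.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for hijacked .htaccess
# files and recently modified files. Usage: sh scan.sh /path/to/webroot [days]

# scan_htaccess WEBROOT
# Prints one line per .htaccess file: "SUSPECT <path>" when a Redirect or
# RewriteRule directive targets an absolute URL, otherwise "OK <path>".
scan_htaccess() {
    webroot="$1"
    find "$webroot" -type f -name .htaccess | while read -r f; do
        # A normal WordPress block rewrites to /index.php; an off-site
        # redirect has a scheme in the target, which is what we look for.
        if grep -Eiq '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent)?)[[:space:]].*https?://' "$f"; then
            echo "SUSPECT $f"
        else
            echo "OK $f"
        fi
    done
}

# count_suspect WEBROOT -> number of flagged .htaccess files (0 if none)
count_suspect() {
    scan_htaccess "$1" | grep -c '^SUSPECT ' || true
}

# recent_files WEBROOT DAYS -> paths of files modified within DAYS days,
# which is how a dropped wp-xml.php-style file shows up next to its date.
recent_files() {
    find "$1" -type f -mtime -"$2" -print
}

# make_sample DIR: builds a constructed fixture (one clean WordPress .htaccess,
# two hijacked ones, one placeholder PHP drop) so the script can be tried offline.
make_sample() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    cat > "$root/.htaccess" <<'EOF'
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
EOF
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^(.*)$ http://spam.example.invalid/go.php [R=301,L]
EOF
    cat > "$root/wp-includes/.htaccess" <<'EOF'
Redirect 301 / http://spam.example.invalid/
EOF
    # Constructed placeholder standing in for a dropped script; not real malware.
    printf '<?php /* placeholder */ ?>\n' > "$root/wp-xml.php"
}

if [ "$#" -ge 1 ]; then
    scan_htaccess "$1"
    echo "--- files modified in the last ${2:-7} days ---"
    recent_files "$1" "${2:-7}"
fi
```

Run it against the real web root rather than the fixture, review every SUSPECT line by hand (a legitimate domain-move redirect will also match), and treat the recent-files list as the lead for finding the script that keeps rewriting the files: a mode of 444 set from inside the hosting account does not restrain code that runs inside that same account, so removing the dropped script is what actually stops the re-infection.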

  • diogenese19348
    • Design Lord, Child of Thor

    Happily it is still a rather small site and I think I have cleaned up all the rogue .htaccess files for the moment. I still have to identify what is putting them out there to start with. My real question is how does even a shell get around file permissions? 444 should be pretty tough to bugger with.

    It appears this particular spammer is pretty prolific though from the other threads I have been reading. Bless his pointy little head.

  • Jack Kitterhing
    • Code Norris

    Hi there,

    Glad to hear you think you have it all sorted out.

    Um, to answer your question on how to get round the 444 file permissions, all I'm going to say is it can be done. It's not easy, but I don't wish to put this information on a public board that can be seen by everyone on Google etc., as it's not safe to have this type of info available.

    Any chance I can get a list of the themes and plugins you're using, or even the authors? I keep a list of theme and plugin authors that have holes in their themes/plugins, and I keep a list of authors whose code I have checked and found backdoors in.

    Are you by any chance using or have installed a free theme?

    Thank you!

    Kind Regards
    Jack (Coding-Monkey).

  • diogenese19348
    • Design Lord, Child of Thor

    No free themes (I know better), the only one aside from what ships with WP, and what I have gotten from here, is Famous from Megathemes. They also do the DeepBlue one that appears on wpmudev. I have gotten some plugins from other sources too though so I don't want to point fingers right now. There was a flurry of updating due to 3.4, it definitely was related to that.

    Oh, and I had a wp-xml.php file that was completely in code, it was probably what was doing the shelling. That one was created 7/17, which is the date I noticed the infection. Still need to track down how that one got installed. I still have that one, I renamed it if you are interested in looking at it.

  • Jack Kitterhing
    • Code Norris

    Hi there!

    That's good, don't get me wrong, some free themes are fine and sometimes even better than premium themes! But a lot of the time they aren't.

    So I'd say it wasn't the theme then.
    On any of your themes, plugins or website, have you or a developer custom coded anything?

    Yes, I'd be very interested in looking at that please.

    Thank you.

    Kind Regards
    Jack (Coding-Monkey)

    P.S. Who are you hosting with?

  • diogenese19348
    • Design Lord, Child of Thor

    Register.com

    I can't get that file to you; it's a virus alright. My antivirus software will not allow me to download it. Perked its ears right up it did, then snarled at it, even though I renamed it with a "ppp" extension. That's what it looked like to me too.

    I just noticed I didn't answer your other question. No, I am just getting started with PHP. I do program in other languages. So I will be working on Plugins and themes at some point, but none to date.

  • Jack Kitterhing
    • Code Norris

    I don't know of any known problems with that host.

    Hmm, I presume you're on Windows, correct? It shouldn't harm your system if you don't open it. Do you have a file editor within your file manager? Is that file in your file manager? Would you let me take a look at it through FTP access? I understand if not.

    Thank you!

    Kind Regards
    Jack (Coding-Monkey)

  • diogenese19348
    • Design Lord, Child of Thor

    I can open the file in the cPanel X File Manager and copy it; I can't save it though. Apparently it is a known signature. I can probably paste it here; will that potentially harm anything if I do?

    I can probably e-mail it to you. I'm not opposed to giving you FTP access; I'm not going to post the password here for obvious reasons.

  • diogenese19348
    • Design Lord, Child of Thor

    Happily the Internet connection issue resolved itself before I got out the door. I have one of those "chief cook and bottle washer" jobs with a 125-user company; IT consists of two people. In any case, the e-mail was rejected by your host. Apparently it isn't happy with virus code either, even as plain text in an e-mail. Let me create an FTP account for you; I'll send that.
