Possible hack? folder permissions changed & address asked for

  • Hi Guys,

    I have a number of wordpress installations across two servers. In the past week I’ve experienced some worrying problems. My website flowfree.co.uk started to return a 500 internal server error. I renamed .htaccess and the problem went away. 2 days later, the 500 returned. This time the main public_html folder on my server had changed to 777 permissions. I changed permissions back to 755 and changed passwords for my cPanel and WordPress… however when I tried to change the password for my wordpress admin account, it was requiring my address (with optional fields of billing & shipping address). I have googled this and it doesn’t seem like other people are complaining that suddenly wordpress are harvesting user details, so it this a hack?

    Completely independently today, another of my sites on a different server began returning a 500. On investigation, there were two top-level folders that had their permissions changed to 777 too. Again I have changed permissions back to 755, but obviously I want to find the root of this problem!

    Anyone else getting this sort of problem? Any tips on getting to the cause?

    Thanks in advance.

    Lowri

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter flowfree_lowri

    (@flowfree_lowri)

    Right this is really doing my head in. flowfree.co.uk giving a 500 error again. Logs blame .htaccess

    [Thu Mar 20 05:15:49 2014] [alert] [client 195.194.10.190] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.facebook.com/l.php?u=http%3A%2F%2Fwww.flowfree.co.uk%2Finfo%2Fbooking-form%2F&h=2AQGhJjCJ
    [Thu Mar 20 05:15:14 2014] [error] [client 146.0.74.170] PHP: syntax error, unexpected TC_LABEL, expecting ‘=’ in /home/kayakc6/public_html/php.ini on line 3, referer: https://fourbordersexpedition.com/wp-login.php
    [Thu Mar 20 05:15:13 2014] [error] [client 146.0.74.170] PHP: syntax error, unexpected TC_LABEL, expecting ‘=’ in /home/kayakc6/public_html/php.ini on line 3
    [Thu Mar 20 05:14:45 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:14:30 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:14:15 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:12:48 2014] [alert] [client 95.108.247.251] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters
    [Thu Mar 20 05:12:29 2014] [alert] [client 31.41.217.116] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.lowridavies.co.uk/
    [Thu Mar 20 05:12:29 2014] [alert] [client 31.41.217.116] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.lowridavies.co.uk/2009/07/30/waves-waterfalls-races-ceremonies/comment-page-1/#comment-191765
    [Thu Mar 20 05:12:28 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:12:03 2014] [alert] [client 36.250.246.233] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters
    [Thu Mar 20 05:10:28 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:08:28 2014] [alert] [client 2.27.45.136] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters, referer: https://www.flowfree.co.uk/wp-admin/post.php?post=5&action=edit
    [Thu Mar 20 05:08:22 2014] [alert] [client 172.246.131.114] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters
    [Thu Mar 20 05:08:22 2014] [alert] [client 172.246.131.114] /home/kayakc6/public_html/kayakcoaching/.htaccess: RewriteRule: bad flag delimiters

    The .htaccess has been dynamically created after the last time I deleted it and the only thing in it is from wordpress. 

    # BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

    I don’t understand what is triggering this as it will work for a while then happen again.

    Please help!

    Kindly check your php.ini settings

    [Thu Mar 20 05:15:13 2014] [error] [client 146.0.74.170] PHP: syntax error, unexpected TC_LABEL, expecting ‘=’ in /home/kayakc6/public_html/php.ini on line 3

    Thread Starter flowfree_lowri

    (@flowfree_lowri)

    Hi thanks for replying.

    I have checked. php.ini has not altered since it was create in November 2013; and I see no error on line 3 as the error log suggests. This error always comes after the .htaccess error.

    Thread Starter flowfree_lowri

    (@flowfree_lowri)

    Also, the snippet of error log above is just that – a snippet. The rest is mostly repetitions of the .htaccess error from different refers.

    Thread Starter flowfree_lowri

    (@flowfree_lowri)

    I have no idea if all of these things are related, but now I have found pages moved to trash. I have not done this, so there must be another person / script doing it.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Possible hack? folder permissions changed & address asked for’ is closed to new replies.