htaccess file corrupted

How do you prevent this from happening again?

How do they get into our sites?…..My passwords are unhackable….fwiw

z

Summary of Solution:

Do what Paul did:

On mine, only index.php in the root had bad crap in it….edited it out.
The about.php in wp-admin was ok.
There should be no about.php in the root….deleted that.
You can always get a clean copy of worpress and compare the files in that with the ones on your site.

paulburada

Hi all,
I had the same issue and I have solved by rewriting the .htcaccess from root with the default values , removed .htcaccess file from wp-admin.
Don’t reload any admin page yet !!!
Remove about.php file from root and WP-Admin, this page infected!
Open index.php from root and index.php from wp-admin and remove the code injected, you will see it very easy which is wrong code.

Cheers!

Also, do what fleeting glimpse did above……I only added the first 2
This denies anybody but you from accessing the WP login/admin:

You can get your IP from: https://WhatsMyIp.org.

If your IP changes, you can use a range also:
164.50.0.0/16 will cover all the IP’s that start with 164.50 …..

added to my .htaccess

<Files wp-login.php>
Order Deny,Allow
Deny from All

Allow From (ip ranges I use)

</Files>

<Files wp-admin$>
Order Deny,Allow
Deny from All

Allow From (ip ranges I use)

</Files>

Also, I noticed a Patior and Vim files and folders and deleted those. Anybody know what those are?

z

• This reply was modified 2 years, 10 months ago by zardiw.

@imagenimperio please how were you able to resolve it because I cant change from IP to url. please can I follow u on Twitter

Also having the same issue.

Does anyone know if there is new way to remove all corrupt htaccess files and stop recreation of new infected htaccess files? As I delete any htaccess file (there are hundreds around the site subdirectories) it just recreates new corrupt files and still have 403 forbidden error in the WP Admin pages

I have the same infection and it’s driving me absolutely wild, aside from the files I fear it may have infected the actual database somehow too

I have successfully solved that issue, First Check your cron job .. I found one cron job running.. which is to download the corrupted file every second. first I deleted that cron job.. then I temporarily suspend the account. because Cpanel run cronjob in memory .. so after deleting the cronjob still the files was created .. so I have suspended the account for a while and removed those two files index.php and .htaccess and then unsuspended the account.. everything back to normal ?? .. Hope that will help you

.htacess file change automatically after change it show 403 forbidden error
help me to solve this issue

I ran into this same issue – it was a nightmare.

The way I fixed it:

Step zero warning: DO NOT REFRESH/RELOAD ANYTHING UNTIL THE VERY END.

Ok, so first I did a search in filezilla for all files and directories matching patior and vim

Then I deleted those – there were a bunch all over.

Then I logged into my file manager through my host. (I could not do this step through a FTP client for some reason. My updates wouldn’t take)

Then I looked in the folders includes and admin and found some other htaccess files – I deleted those.

Then I opened the htaccess file and the index file from the root.

In the htaccess file I pasted the default htaccess code:

# BEGIN WordPress

RewriteEngine On
RewriteRule .* – [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

then in the index file I pasted the default index code

<?php
/**
* Front to the WordPress application. This file doesn’t do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/

/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( ‘WP_USE_THEMES’, true );

/** Loads the WordPress Environment and Template */
require __DIR__ . ‘/wp-blog-header.php’;

Obviously update/save them after pasting.

Then I went to my domain but logged in through wp-login.php

This would look like – yourdomain.com/wp-login.php

and boom I was in and my admin page was no longer broken. (You’ll want to go to your permalinks in your settings after doing this because it resets them.)

I don’t know if there is any code deeper in the server, but I’m looking into this because for me the timestamps on the files htaccess and index show they are from feb 2021 when it’s march 2022.

But I suggest once you get back in your site, runner other maleware scanners. like sitelock, wordfence, or wp cerber and keep it clean.

Also be sure to empty your trash in your server.

Good luck! Hope this helps someone.

• This reply was modified 2 years, 7 months ago by thomasunise. Reason: formatting
• This reply was modified 2 years, 7 months ago by Yui.

This is an AnonymousFox hack. See the steps here for how to clean your hacked hosting account > https://forum.ait-pro.com/forums/topic/wp-dester-and-wpyii2-hacker-plugins/