Resolved

    Thread Starter cynthia_rj

    (@cynthia_rj)


    Hi Eli –

    I am writing because, in my experience, you have the best anti-malware plug-in around for developer types. It is far superior to things like Sucuri or Wordfence, and in fact, it has helped me find hacks that even Sucuri’s paid service has not resolved. (Yes – I’ve donated!)

    Anyway. Today I have come across a new form of hack. I have a client site where the home page is visible, but any URL to a menu – any Permalink – does not work. The reason is that the .htaccess file written by WordPress gets replaced within a few minutes by an .htaccess file written by the malware. This appears to be some type of SQL injection hack. The PHP files I have removed from the client’s file structure include a file called startup.php in the root file system and a file called something like inxstat.php in the wp-content directory that contains about 20KB of gibberish.

    Running Anti-Malware subsequent to removing the files turns up nothing of interest. Yet I wait a little while and the hack returns.

    I am wondering if you have seen this one before. The folks at GoDaddy said that this is the first they have seen of it – but they’ve had several instances today. I am happy to work with you directly if you would like to examine it first hand.

    The affected site is https://www.clace.us/ – all plug-ins & themes are at current versions and WP is updated to 3.9.2.

    Regards,
    Cynthia Traxler

    https://www.ads-software.com/plugins/gotmls/

Viewing 15 replies - 16 through 30 (of 30 total)
    Just a question – if I set permissions on .htaccess to 400 or 440, the website is not working anymore and I get a 403 error. Cynthia, how did you get around this? I am also on GoDaddy.

    Apart from that I installed Eli’s plugin (and donated) and keeping my fingers crossed.

    Plugin Author Eli

    (@scheeeli)

    caramaple,
    Try setting the permissions on the .htaccess file to 444. That would make it read-only to everyone (not changeable by anyone).

    I will let you know when I have more info on the source of this threat.

    Aloha, Eli

    Eli – great that worked, – thanks so much for all your help!

    Plugin Author Eli

    (@scheeeli)

    caramaple,
    I found the backdoor on Cynthia’s site. It was a Perl file in the cgi directory. I have added it to my Definition Updates. You should download the latest Definition Update on the Anti-Malware Settings page in your WP Admin, then run another Complete Scan and let me know if it finds it and fixes it for you.

    Aloha, Eli

    Eli, thanks for the update. It found a ‘known threat’ in the wp-includes/js/main.is and some other files. I realised that I only ran a quick scan before and now I did for the first time the complete one.

    How do I know whether it removed the backdoor of this hack now? I guess I just have to wait a couple of days and see, right?

    Thanks for all your help!

    Oh, but looking via FTP I see a cgi.pl file in my cgi directory. Shall I manually delete this?

    Plugin Author Eli

    (@scheeeli)

    I don’t know without looking at it if that cgi.pl file is infected. If it is the same as the one I found on Cynthia’s site then my plugin should have found it. Did you download the latest Definition Update?

    Are you scanning the root directory or just the plugins or wp-content?

    If you can download that Perl file and send it to me I will let you know if it should be deleted. If you want to send me your WP Admin login I can check it all out that way too. My direct email is: eli AT gotmls DOT net

    Aloha, Eli

    Thanks Eli – just sent you a private message!

    Plugin Author Eli

    (@scheeeli)

    Thanks, I was able to verify that your cgi.pl file was another variant of the same backdoor I found on Cynthia’s site. I have updated my definitions and my plugin has now removed this threat to your Quarantine.

    Now, as you said, we just have to wait and see if anything comes back. Please scan at least once a day for at least a week and let me know if anything comes back.

    Aloha, Eli

    Eli – thanks so much! Your plugin and work is great. I will follow your advice and inform you in case that anything comes back. Thanks as well to Cynthia for opening this topic!

    Plugin Author Eli

    (@scheeeli)

    I’ve been keeping an eye on both your sites and I have not seen this infection return, so I think you are both clean and safe now. I think that last back-door I found was the last threat and the only way those hackers were able to keep re-infecting your site. I am marking this topic as “resolved”, but please let me know if either of you find anything new or need any more help with this.

    Thanks to both of you for letting me into your site to find this new threat so I could add it to my definition updates. And thanks for your donations too.

    Aloha, Eli

    Thread Starter cynthia_rj

    (@cynthia_rj)

    Eli – you rock! Mahalo for all of the splendid help.

    Cynthia

    I’ve been having the same issue. Have followed all the steps mentioned to clean things up and it reappeared a week later. No strange CGI files in my directories, but I checked all files by date (as we don’t make updates often and usually know within 12 hours of the site being down) so have removed some cache files and plugins that may have been targeted and aren’t really necessary to keep. Guess I’ll know soon if it works!

    However, I have a plugin called 404 Redirected that tells me when files aren’t found and gives me an option to set up redirects. Seems that “78 dot 138 dot 104 dot 178” is trying to access gddform.php (one of the main files that appears when the issue is present) after I’ve deleted it. Thought this may be of interest to you.

    Ohh and in addition to making my htaccess read only, I’ve setup a redirect for the gddform file to https://www.youtube.com/watch?v=dQw4w9WgXcQ (might not solve the problem, but I hope it sends a message)!
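    Two things from this thread are easy to script for a defender: Eli’s advice to lock .htaccess with mode 444 (and to notice when it has been rewritten, as Cynthia described), and the “check all files by date” approach the poster above used to find what the reinfection touched. The following is an added example written for this thread, not part of the GotMLS plugin or anything the posters ran; the stock WordPress rewrite block is used as a stand-in baseline, and you would replace it with your own saved copy of the site’s .htaccess.

```python
# Added example for this thread (not the GotMLS plugin's code): baseline check
# for a WordPress .htaccess, the "chmod 444" lock recommended in the thread,
# and a "what changed recently" listing of the webroot.
import hashlib, os, stat, time
from pathlib import Path

# Stock WordPress rewrite block, used here as a placeholder baseline.
# Replace it with a saved copy of your own site's known-good .htaccess.
KNOWN_GOOD = b"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def htaccess_status(path, baseline_sha256):
    """Does the file still match the baseline, and can anyone write to it?"""
    p = Path(path)
    if not p.exists():
        return {"exists": False, "matches": False, "writable": False}
    mode = stat.S_IMODE(p.stat().st_mode)
    writable = bool(mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return {"exists": True, "matches": sha256_of(p.read_bytes()) == baseline_sha256,
            "writable": writable, "mode": oct(mode)}

def restore_htaccess(path, known_good=KNOWN_GOOD):
    """Write the known-good content back and make it read-only (mode 444)."""
    p = Path(path)
    if p.exists():
        p.chmod(0o644)  # it may already be locked from an earlier run
    p.write_bytes(known_good)
    p.chmod(0o444)

def recently_modified(root, hours=12, suffixes=(".php", ".pl")):
    """PHP/Perl files and .htaccess under root touched in the last `hours` hours, newest first."""
    cutoff = time.time() - hours * 3600
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            fp = Path(dirpath) / name
            if (fp.suffix in suffixes or name == ".htaccess") and fp.stat().st_mtime >= cutoff:
                hits.append((fp.stat().st_mtime, str(fp)))
    return [f for _, f in sorted(hits, reverse=True)]
```

Running `htaccess_status` from cron and alerting when `matches` turns false tells you the minute the file is rewritten, which narrows the window in which to look at `recently_modified` output for the backdoor that did it.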

    jasonmccarty

    (@jasonmccarty)

    Having the same problem. I’ve deleted some of the same files already because they looked strange. I also had folders called Shirt, Stats, coookies, Sagittarius, etc. Deleted those. All in root folder.

    I’m running a complete scan now. How do I know what to delete? Everything that shows up in potential threats?

    Plugin Author Eli

    (@scheeeli)

    Don’t delete the Potential Threats unless you can verify that they are malicious. My plugin will automatically remove the Known Threats for you. Keep in mind, in many cases the infected files contain malicious code and good code too. My plugin will not delete files, it only removes malicious code from the file.

The topic ‘.htaccess file overwritten – new form of malware?’ is closed to new replies.