I have been well and truly Hacked
-
I cannot access any of my pages /widgets/ anything!
When logged in, I go to any of the above or anything on the sidebar and it takes me to: https://bannortimqimulta.ru/industry/index.php
So I cannot access my site. How can I get round this problem?
-
Didn’t help. Updated all WordPress versions to the newest version and scanned all of them for the TimThumb vulnerability, fixing any I saw. Nothing helped. Still rewriting the .htaccess files. Ughhhh
Weird that I have a hosting account with LunarPages and they called me 3 days ago asking me if I wanted them to remove the backup server files on my account. I have regular backups of my websites so I told them to delete it. Fast forward a few days later, I started getting the redirects on my server. Seems they were aware of this going to happen and wanted to remove any backups possible. Kinda sketchy to me, plus I just renewed my hosting account with them. I think they are money-hungry greedy bastards and are aware of this but haven’t acted upon it. I will give them a call and see what’s going on because I haven’t been able to resolve this on my own. I correct the .htaccess files, then minutes later they are rewritten again.
I installed BulletProof yesterday and the WordPress installation is still clean today. Before installing BulletProof I deleted all .htaccess files manually. There was a hacked .htaccess file in the root directory too, not only in the WordPress directory. I deleted that file and placed one to block certain domains. I also set its permissions to 644 to protect it from being overwritten. The content of the .htaccess file I placed in the root is:
#--------------------
RewriteEngine on
# Refuse any request whose Referer is one of the domains involved in the redirect.
# Every condition except the last needs [OR], otherwise all of them must match at once.
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?urlquery\.net [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?uaroyalysdaliachu\.ru [NC,OR]
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?bannortimqimulta\.ru [NC]
RewriteRule .* - [F,L]
# Protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
#--------------------
Besides this, I noticed that a directory called “img” had been placed in the wp-admin directory (check the wp-includes directory too). This contained some .html files and images that were placed by the hack. I deleted the whole directory.
Of course I did a backup before doing any modifications.
Now I will check the installation regularly and hope that it will remain clean.
Could you tell me more about the names of the images placed by the hack that you found?
I’ve got exactly the same problem with a few WordPress sites. I’ve tried so many things… changed passwords, reinstalled WordPress, antispyware, code, rewrote .htaccess and changed permissions… I note an important thing: even when the directories on my server that redirect to the respective URLs are empty, those URLs are still redirected to bannor….ru
I’m now trying to move the content of those directories into other new ones… How’re you going?
@upango – it looks like whatever malicious script is running just targets any and all files beginning with a . (namely .htaccess) and replaces them, regardless of whether it’s WordPress or not, affecting ALL directories and sub-directories containing such a file.
Running the top command after gaining shell access verified it was a .php file that was running and overloading my server.
Luckily, upon attempting to back up my directories, Windows Security Essentials of all programs noticed that /wp-includes/unzip.php on one of my many installs contained a backdoor script (https://pastebin.com/dfYyMX1a) and seemed to pinpoint the exact problems I was having. Unfortunately, it also gained access to all the database and config files, so now I’m going to have to reset the passwords ASAP and nuke the file.
In short, check your installs for sketchy PHP files like this and re-secure your site after finding and nuking them.
Will keep you updated as to whether this is a permanent fix.
Thank you very much for the info! I’ll review and tell you…
Also just discovered another example of malicious code in ‘wp-content\uploads\_wp_cache.php’. This time it was malicious code in the form of “<?php preg_replace” which, from what I understand, is base64-encoded, and may be the root of all this, as when I ran the TimThumb vulnerability scanner plugin last night, it alerted me that this directory may already have been taken advantage of, as timthumb was insecure on one theme of mine.
@georg.r – Just wondering if any of your edits to the permissions of the .htaccess file and the edited/blocking .htaccess file did the job? From what I’m experiencing, I don’t think it would, as the script basically makes it seem as though it’s you, since it has all your passwords and everything.
I have the same problem and have been following this post closely. Nothing that I’ve tried has worked.
My hosting company (NetFirms) has been no help. They ran a scan and deleted the .htaccess files, but as we know…they get re-generated.
Thanks for sharing the updates and ideas. Hopefully one of us will solve this issue soon.
Files are almost done downloading. I had ~3 GB worth of installs and files on my shared hosting. Will nuke the files, change my passwords, replace the .htaccess files, do a few-hour test run and report back later tonight. Fingers crossed.
Okay. Everything looks okay to me and is still going strong and unhacked about 20 minutes later. Knock on wood.
The steps I took to “clean” my site and tighten up security were:
1) Download everything via FTP and export all wordpress data from each instance of WordPress.
2) From the backup files, run a scan on it with Microsoft Security Essentials (would assume other virus programs would recognize the backdoor files as well). Note any alerts, but allow/ignore the virus scan’s request to delete and/or quarantine.
3) Open your editor (I used Dreamweaver) and open those files containing the malicious code.
4) Search for any and all files in the backup directory you just downloaded that contain the malicious code. In my case I searched for “<?php preg_replace” and “<?php # Web Shell by oRb” and ended up finding five additional files with this malicious script in the following dirs:
- /public_html/wp-content/uploads/_cache.php
- /public_html/***/wp-includes/unzip.php
- /public_html/*********/wp-includes/unzip.php
- /public_html/*********/wp-content/uploads/_wp_cache.php
- /www/wp-content/uploads/_cache.php
- /www/*********/wp-includes/unzip.php
- /www/*********/wp-content/uploads/_wp_cache.php
5) I then went on my server via FTP, deleted those suspicious files.
6) Then I went on and changed my FTP password, my hosting password, my MySQL password and the password of any MySQL users that WordPress automatically generates when it installs on some hosts.
7) I edited the wp-config.php files in each WordPress instance directory to contain the new password I just changed.
8) I loaded those new wp-config.php files to the server in the root of each directory.
9) I replaced the .htaccess file using BulletProof Security.
10) I checked my site via Sucuri to make sure no malicious code was running, and everything checked out fine, and has been for approx. 30–40 minutes now.
Will update you guys a little later this evening and tell you if it’s still working.
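As an added example (this is not code from anyone in the thread), the following Python script automates steps 2 and 4 of the list above together with the .htaccess checks discussed earlier: it walks an FTP download of the site, flags PHP files carrying the “<?php preg_replace” (/e modifier) and “Web Shell by oRb” markers, PHP sitting under wp-content/uploads, and .htaccess files whose RewriteRule/Redirect target is a host other than the site’s own. The eval(gzinflate/base64_decode(...)) signature, the uploads rule and the own-host list (example.com) are my assumptions, not something the thread states; the sample tree is constructed in a temporary directory from harmless look-alikes of the files described.

```python
"""Offline triage of a downloaded site copy for the indicators in this thread."""
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# Markers quoted in the thread: the oRb web shell banner and "<?php preg_replace".
# With the /e modifier, preg_replace() eval()s its replacement string, which is
# how a base64 payload gets executed. The eval(gzinflate|base64_decode(...))
# form is an assumed companion pattern, not one the thread quotes.
PHP_SIGNATURES = {
    "orb_webshell_banner": re.compile(r"Web Shell by oRb", re.I),
    "preg_replace_e_modifier": re.compile(
        r"""preg_replace\s*\(\s*(['"])([^\w\s])(.+?)\2[a-zA-Z]*e[a-zA-Z]*\1""", re.S),
    "eval_of_decoded_blob": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
}

# Apache directives that send the visitor somewhere else; capture the target host.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+.*?https?://([^/\s\"']+)",
    re.I | re.M,
)


@dataclass(frozen=True)
class Finding:
    path: str   # relative to the scanned root
    kind: str
    detail: str


def scan_php(rel: Path, text: str) -> List[Finding]:
    """Signature-match one PHP file and flag PHP that lives under wp-content/uploads."""
    found = [Finding(rel.as_posix(), name, "signature matched")
             for name, rx in PHP_SIGNATURES.items() if rx.search(text)]
    parts = rel.parts
    if any(parts[i:i + 2] == ("wp-content", "uploads") for i in range(len(parts) - 1)):
        found.append(Finding(rel.as_posix(), "php_in_uploads", "PHP should not exist under uploads"))
    return found


def scan_htaccess(rel: Path, text: str, own_hosts: Iterable[str]) -> List[Finding]:
    """Flag redirect directives whose target host is not one of the site's own hosts."""
    own = {h.lower() for h in own_hosts}
    return [Finding(rel.as_posix(), "htaccess_offsite_redirect", m.group(1).lower())
            for m in REDIRECT_DIRECTIVE.finditer(text)
            if m.group(1).lower() not in own]


def scan_tree(root: Path, own_hosts: Iterable[str]) -> List[Finding]:
    """Walk every directory (the thread notes .htaccess was rewritten in all of them)."""
    findings: List[Finding] = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        text = p.read_text(errors="replace")
        if p.name == ".htaccess":
            findings.extend(scan_htaccess(rel, text, own_hosts))
        elif p.suffix.lower() in (".php", ".phtml", ".php5"):
            findings.extend(scan_php(rel, text))
    return findings


# Constructed sample tree: harmless look-alikes of the files the thread describes
# (the preg_replace payload here is the literal "phpinfo();", not a base64 blob),
# one clean core file, and one legitimate same-site redirect that must NOT fire.
SAMPLE_FILES: Dict[str, str] = {
    "wp-content/uploads/_wp_cache.php": '<?php preg_replace("/.*/e", "phpinfo();", "x"); ?>',
    "wp-includes/unzip.php": "<?php # Web Shell by oRb\necho 'x'; ?>",
    ".htaccess": ("RewriteEngine on\n"
                  "RewriteRule ^.*$ https://bannortimqimulta.ru/industry/index.php [R=302,L]\n"),
    "wp-includes/class-clean.php": "<?php $s = preg_replace('/foo/i', 'bar', $s); ?>",
    "blog/.htaccess": "RewriteEngine on\nRewriteRule ^old$ https://www.example.com/new [R=301,L]\n",
}


def build_sample_tree(base: Path) -> Path:
    """Write the constructed sample files under base and return it as the scan root."""
    for rel, body in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return base


def run_demo() -> Set[Tuple[str, str]]:
    """Build the sample tree, scan it and return {(path, kind)} for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        hits = scan_tree(root, own_hosts=("example.com", "www.example.com"))
        return {(f.path, f.kind) for f in hits}


if __name__ == "__main__":
    for path, kind in sorted(run_demo()):
        print(f"{kind:28} {path}")
```

To run it against a real download, call scan_tree(Path("backup"), ("yoursite.com", "www.yoursite.com")) and review every hit by hand. Treat the list as a starting point only: as the poster notes above, the antivirus scan caught 2 of the 7 injected files, so a diff of wp-admin and wp-includes against a freshly downloaded WordPress release of the same version is a more reliable final check than any signature list.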
Still working!
Nice. So assuming I have the same files with bad code, I could just skip to step 5? Will deleting those files mess anything up with WordPress or are those files just there for the malicious code?
Thanks.
Those files were just for malicious code from what I could see. I would caution against skipping to #5 as the virus scan only picked up 2 out of all those files listed. Better to be safe than sorry.
Also, looks like one file was the injection point in base64 code while the other was the web shell that executed it and changed everything, and copied all your wp-config files. So, in short, they have your passwords as well, which is why I changed everything. Wouldn’t skimp on any part.