Where to start on this .htaccess issue

Ok – this looks very like a hack.
https://codex.www.ads-software.com/FAQ_My_site_was_hacked
https://www.ads-software.com/support/topic/268083#post-1065779
https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Since the hack uses Thumbs.db, it might be especially important to read the last link as it describes hack backdoors disguised as image files.

The site was hacked with an automated hack if I recall correctly.

I’ll go through the above posts one by one but I believe we cleared out any “issues” back when. I’ve used and use the exploit scanner and whilst it throws up queries on some of the plugins it throws them up whether it’s a clean install or even if that same plugin is used on one of my own personal blogs.

So that indicates to me that the scanner is picking up on coding that “could” be used but in these cases isn’t. IYSWIM ??

Anyway, again thank you and I will go through the process …. again ??

My WordPress site got hit by the same malware and I wanted to share details. The infected files were dated May 7, 2011, about the same time as stubbyd’s report.

My site was running either WordPress 3.1.1 or 3.1.2 at the time (I believe 3.1.2). User account creation is disabled. The site had these plugins installed at the time:

• Akismet 2.5.3
• Blackbird Pie 0.5.1 (installed but disabled)
• FeedBurner FeedSmith 2.3.1
• Google Analyticator 6.1.3
• Google XML Sitemaps 3.2.4
• Hello Dolly 1.6 (installed but disabled)

There are no CGI scripts or other custom code located on the server – only WordPress. I did have all WordPress files set with ownership by the Apache user (bad practice, I admit).

In addition to creating the Thumbs.db payload file and appending the PHP reference above to the end of .htaccess, the malware also modified most PHP files in the root WordPress folder (notably not wp-config.php or a couple others) to include an eval() call to its payload wherever it found a <?php open tag. PHP files in WordPress subfolders fortunately weren’t modified. Themes and plugins were not infected.

Even better news is that I can’t find any evidence of infection in the WordPress database itself. Simply overwriting all the core WordPress files with stock versions seems to eradicate the malware. I also upgraded WordPress to the latest version (3.1.3) and hardened my file permissions so the Apache user can no longer modify files.

I’m convinced this is an underpublicized exploit in WordPress or one of the above plugins. If anyone else who got bit can post their WP and plugin versions, it would help narrow it down. I also found a description of this malware on this site, posted in the past week:

https://www.neubreed.com.au/blog/2011/06/how_clean_after_thumbsdb_wordpress_and_php_auto_append_file_exploit_hack

I only discovered my site was infected when Google Webmaster tools alerted me, so fortunately major browsers and search engines should be aware of this one by now. Good luck to anyone else who gets bit.

@stubbyd: have you solved this yet? If not, see the link posted above by @sameprob for how to clean up. It was very helpful for me.

As it happens I’d forgotten about this post and for whatever reason I didn’t see the response from “sameprob”

However I did read the stuff supplied via “esmi” and it would appear that I concluded on doing the same as “sameprob”.

Effectively I overwrote all core files (again) and for each plugin that the security scanner said was suspect (a number of them detailed by sameprob) I replaced with fresh versions – since having done that I haven’t seen any further repeats of the problem.