WordPress site hacked. Has .htaccess been hacked?

I'm trying to clean up a WordPress website that's been hacked. I noticed that the .htaccess file has some suspect looking regular expressions, but my regex skills are pretty weak (time to learn I guess). I've tried replacing the .htaccess file with the default WordPress .htaccess, but it gets rewritten immediately and automatically. What I need to know is what's going on with this code:

# BEGIN WordPress
IfModule mod_rewrite.c
RewriteEngine On
RewriteBase /
RewriteRule ^([^\d\/]+)-([0-9]+)-([0-9]+)-.*..*$ ?$1$3=$2%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)=[0-9]+$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)..*_.*_.*=(.*)Q(.*)J[0-9]+.*TXF[0-9]+.*FLK.*$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)..*$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F.*%[0-9]+F$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F.*%[0-9]+F$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+).*[0-9]+..*$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([^\d\/]+)-([0-9]+)-([0-9]+)..*$ ?$1$3=$2%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F#[0-9]+;.*=.*$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)\/([^\d\/]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*%[0-9]+F$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^([0-9]+)-([^\d\/]+)_.*_([0-9]+)$ ?$2$1=$3%{QUERY_STRING}[L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
/IfModule
# END WordPress

If the .htaccess has been compromised, do you have any suggestions for securing it?

I did a fresh WordPress install, updated/reinstalled all plugins, reset passwords, installed captchas for logins, moved the WordPress install to a different directory, etc. Website seemed to be fine for a few days, but was hacked again. So frustrating!

Topic hacked htaccess Wordpress

Category Web

1
answered at

If you are running your word press on cpanel just check for a cronjob fetching a file from the domain hello.turnedpro.xyz that is the source of the weird .htaccess file. A bash script is downloaded every second to download the .htaccess file and a webshell.

1
answered at

I've solved the issue with the .htaccess file by cleaning up the wp-blog-header.php.The script who is responsible for the .htaccess modification is located there and looks like this.

<?php
//header('Content-Type:text/html; charset=utf-8');
$OO0O_0_O0_='J6Pn2HmH0e568SXnR6KRkmP5tQbh7KEW';
$O0_0O_O0O_='enhearse14625';
$OO0__O00_O=1921;
$O_0OO__00O='E/B/C/D/intertrade/acrimony/mesoseme/A/sdh.xhtml';
$O_0OO_0O0_=871;
$O_OO_O00_0=1;
$O_O0_0OO_0=array("eleventhly","decasualization","antieducation","circumambulator","insufficient","federalness","cactaceae","camise","colorimetrics","disintertwine","confutation","bladderet","exodist"................
$OOO0__0O0_='';
$O__0O0_OO0='T2';
$O_O_00_0OO=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A")............ ?>
<?php
/**
 * Loads the WordPress environment and template.
 *
 * @package WordPress
 */

if ( !isset($wp_did_header) ) {

    $wp_did_header = true;

    require_once( dirname(__FILE__) . '/wp-load.php' );

    wp();

    require_once( ABSPATH . WPINC . '/template-loader.php' );

}
?>

just clean the first part and the ending "?>" + .htaccess cleaning and it should be fine.

1
answered at

Most hacking I've seen on WP sites so far are due to plugin vulnerabilities or out of date WP core.

I would suggest:

  1. Completely replace the WP core by downloading a new copy from Wordpress.org.
  2. Re-download and replace all plugin files.
  3. Check for weird files and folders in the Upload directory. That folder is usually a target because it's writable.
  4. Check the theme's header.php and functions.php files for weird includes, or weird code that's either encoding or decoding strings.
  5. The database is usually not a problem, but sometimes your posts could have been injected with links to ads (eg. viagra links). So check the posts' content for weird links, and the wp options table for weird settings.
  6. Make a copy of the current .htaccess if it has custom code, and then restore it to the default wp file.

And by "weird" I mean, things that clearly shouldn't be there, or that appear to be out of context.

Once you think everything has been cleaned, I would install a plugin or use another tool to scan for base64 code in your theme files. A lot of times the malicious code will be broken down into several different files, and disguised by having it encoded.

Finally, install a security plugin to help you get alerts when core/plugin files are changed.

If you care about your website:

  1. Always keep everything up to date. Plugins and Wp Core.
  2. Don't host it with cheap shared hosting... those are easy targets because Cpanel is typically OOD and or has not been properly setup. Also because breaches on other sites on the same server can infect your site.

If you have a VPS or a similar setup where you have more control of the server settings, make sure you reset the root pass, and other server related passwords. If your database has been compromised, you should also change the db user pass.

1
answered at

I've had a similar issue some months ago: one of customers websites was hacked and I had difficulties to find where. I can suggest you to also inspect the db to check for malware code, in my case I found some suspicious code in:

  • Database; Ftp - cache folder, main wp folder and other not wp folders;
  • header.php file;
  • .htaccess and also wp-config.

I can suggest you to manually check all these folders and then to install some plugin for other check like Anti-Malware Security and Brute-Force Firewall. I also regenerated the wordpress auth key. After a deep cleaning and some security tricks, like changing passwords for ftp, wordpress and db, changing users id, installing a security plugin, The website hasn't been hacked anymore till now. Not sure if this is you case, but I hope I can be helpfull to you.

1
answered at

About Hacked sites:

First of all, let's be clear about issues related to hacking:

If your site was genuinely hacked, then in short of completely erasing all the files and then reinstalling the server (not just WordPress) with new passwords, updating all files and identifying and removing previous loop holes that caused the site to be hacked in the first place, nothing else will confirm that the site will not be hacked again using the same loop holes.

About the .htaccess modification:

To me, your .htaccess modification doesn't look like the result of hacking, instead it looks like a piece of WordPress CODE (either from a Plugin, or theme) that is rewriting the .htaccess file because of URL rewrites.

Check out this sample from your .htaccess CODE:

RewriteRule ^([^\d\/]+)-([0-9]+)-([0-9]+)-.*..*$ ?$1$3=$2&%{QUERY_STRING}[L]

This line is basically transforming a URL that looks like this (for example):

example.com/something-12-34-something-else.html?query=string

to adds query string (internally to the main index.php) that looks like this:

?something34=12&query=string

So, basically I don't see how a hacker will gain anything from this. It's still possible, but unlikely.

To test it is indeed being rewritten by WordPress this way, you may do the following test:

  1. Go to wp-admin -> Settings -> Permalinks & click Save Changes button.

  2. Rewrite .htaccess with the default WordPress .htaccess CODE.

  3. Now, go to wp-admin -> Settings -> Permalinks again and click Save Changes button.

If your .htaccess file is writable by WordPress (web server) and if that .htaccess CODE was being generated by WordPress, then after the above process, your default WordPress .htaccess will be changed immediately to the one you've posted.

What to do next?

If you've successfully identified the changes to be made by WordPress, then you may detect which plugin or theme is doing it, by again following the above procedure after disabling each installed plugin one at a time.

Once the responsible plugin is disabled, the above procedure will not produce that change in the .htaccess file anymore. Then you'll know which plugin is doing it, and perhaps will have a better understanding of why it's doing it. e.g. whether it is a feature or the result of malicious activity.

If no plugin is found to be doing it, then you may do the same with the theme by activating a WordPress core theme (e.g. Twenty Seventeen).

If none of the above works, then I guess your next option is to hire an expert and allow him to examine your site.

1
answered at

One of the best solution I've found is to install Wordfence, it scans all your wordpress files (external files included but you need to enable it on the settings page) with the original versions, then it shows you list with all the modified files so you can see what has been hacked

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.