Jump to content
Killersites Forums

Wordpress Hacked, Redirects To Russion Site.


Recommended Posts



Last night (or the night before) we got hacked via a Wordpress vulnerability, where the the hacker was able to use Wordpress to deposit .htaccess files all over the website. These .htaccess files had redirects that sent users to a Russian site.




... It only affected mobile machines (iphone, androids, ipads) and so I had not noticed it until a day or so ago.


How to fix this:

The solution is to first fix Wordpress and then remove the .htaccess files. If you try to just remove the .htaccess files, the hack will just recreate new ones. The offending file is typically:





So if you find this, check the code and if it is the nefarious russian code, then delete it. This is the beginning of the evil code:



RewriteEngine off
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|m881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|htil-g1|fly\ v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|sanyo|vx54|c888|nx250|n120|mtk\ |c5588|s710|t880|c5005|i;458x|p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|s800|8325rc|ac831|mw200|brew\ |d88|htc\/|htc_touch|355x|m50|km100|d736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg\ |sonyericsson|samsung|240x|x320|vx10|nokia|sony\ cmd|motorola|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|mobile|treo) [NC,OR]


... I don't want to post the whole thing for obvious reasons.



You should also update you Wordpress install to the latest version. I updated from 3.6 to 3.8 and that solved the problem.


Thanks to Andrea for the heads up! :clap:




Link to comment
Share on other sites

Welcome - I'm curious, so. Would visiting with an iPad and being redirected to the Russian site have done any kind of damage to the iPad?

Hmmm ... I can't say for sure as I haven't researched it but I doubt it because Apple has iOS and Mac OSX locked down pretty good. WIth iOS for instance, you have to explicitly give permission to install apps.



Link to comment
Share on other sites

  • 5 months later...

Hi there,


Just registered with this forum so I could come in personally & thank you for your post.


I had massive headache trying to work out what was going on, with my website company blaming my ISP/wifi, and my virus scans showing nothing.


THEN - along comes your post, and I've found the code (in the root directory hta file), and identified the few lines of muck that sholdn't be there and cleaaaannned it.



Link to comment
Share on other sites



Because of Wordpress is vulnerable, you must keep it up to date and clean of any old plug-ins and remove all unused themes. Now you can set WP to auto update itself and that is probably a good thing to enable.


For our new sites, we are rolled out our own ultra simple blog engine based on the PHP Laravel framework. For example:




One of the things that makes Wordpress so vulnerable is the fact that everyone has access to the source code - the holes are much easier to find that way. With our own blog engine, people don't know exactly what we are doing behind the scenes, so that affords some level of security there.


.... Although, you shouldn't have mentioned that we use Laravel!  :unsure:




Check out the screenshots ....



Screen Shot 2014-06-23 at 9.52.42 PM.png

Screen Shot 2014-06-23 at 9.52.22 PM.png

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...