Killersites Community
administrator

Wordpress Hacked, Redirects To Russian Site.


Hi,

 

Last night (or the night before) we got hacked via a Wordpress vulnerability, where the hacker was able to use Wordpress to deposit .htaccess files all over the website. These .htaccess files had redirects that sent users to a Russian site.

 

:bash:

 

... It only affected mobile machines (iphone, androids, ipads) and so I had not noticed it until a day or so ago.

 

How to fix this:

The solution is to first fix Wordpress and then remove the .htaccess files. If you try to just remove the .htaccess files, the hack will just recreate new ones. The offending file is typically:

 

 /wp-content/uploads/_wp_cache.php

 

 

So if you find this, check the code and if it is the nefarious Russian code, then delete it. This is the beginning of the evil code:

 

 

RewriteEngine off
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|m881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|htil-g1|fly\ v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|sanyo|vx54|c888|nx250|n120|mtk\ |c5588|s710|t880|c5005|i;458x|p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|s800|8325rc|ac831|mw200|brew\ |d88|htc\/|htc_touch|355x|m50|km100|d736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg\ |sonyericsson|samsung|240x|x320|vx10|nokia|sony\ cmd|motorola|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|mobile|treo) [NC,OR]

 

... I don't want to post the whole thing for obvious reasons.

 

 

You should also update your Wordpress install to the latest version. I updated from 3.6 to 3.8 and that solved the problem.

 

Thanks to Andrea for the heads up! :clap:

 

 

Stef
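The clean-up above has two halves: find every .htaccess that carries the mobile user-agent redirect, and find the PHP dropper sitting under wp-content/uploads (a directory that should never hold PHP at all). The script below is an added triage helper, not code from the post or from WordPress. It assumes a POSIX sh with find and grep, an Apache docroot passed as the first argument, and it keys on the HTTP_USER_AGENT RewriteCond tokens quoted above (android, iphone, blackberry, opera mini, windows ce), so a legitimate mobile-redirect rule would also be listed for review. The third function prints a hardening .htaccess for wp-content/uploads that refuses to serve PHP from that directory, which stops a re-dropped _wp_cache.php from executing even if it comes back.

```shell
#!/bin/sh
# Added WordPress triage helper (not from the original post).
# Usage: sh wp-triage.sh /var/www/site  (docroot with wp-content/ inside it)

# List every .htaccess under the docroot whose RewriteCond lines test the
# user agent for the mobile tokens quoted in the post. One path per line.
find_redirect_htaccess() {
    docroot="$1"
    find "$docroot" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        if grep -qiE 'RewriteCond[[:space:]]+%.HTTP_USER_AGENT..*(android|iphone|blackberry|opera.?mini|windows.ce)' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# List PHP files under wp-content/uploads. WordPress never writes PHP there,
# so anything returned (for example _wp_cache.php) is a dropper or a web shell.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# Hardening .htaccess for wp-content/uploads: deny PHP under both the
# Apache 2.4 (mod_authz_core) and 2.2 directive syntax. Write it with:
#   uploads_deny_php_htaccess > "$docroot/wp-content/uploads/.htaccess"
uploads_deny_php_htaccess() {
cat <<'EOF'
# Refuse to serve or execute PHP from the uploads directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Only run the scan when a docroot was given on the command line.
if [ -n "${1:-}" ]; then
    echo "== .htaccess files with mobile user-agent rewrite conditions (review, then remove):"
    find_redirect_htaccess "$1"
    echo "== PHP files under wp-content/uploads (should be empty):"
    find_php_in_uploads "$1"
fi
```

Run the scan, delete the dropper first (otherwise, as the post says, the .htaccess files come straight back), then remove the flagged .htaccess files, and only then drop the hardening file into uploads. Remember that the hardening .htaccess only works if AllowOverride permits FileInfo/Limit for that path.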


Welcome - I'm curious, so. Would visiting with an iPad and being redirected to the Russian site have done any kind of damage to the iPad?


Welcome - I'm curious, so. Would visiting with an iPad and being redirected to the Russian site have done any kind of damage to the iPad?

Hmmm ... I can't say for sure as I haven't researched it but I doubt it because Apple has iOS and Mac OS X locked down pretty well. With iOS for instance, you have to explicitly give permission to install apps.

 

Stef


Hi there,

 

Just registered with this forum so I could come in personally & thank you for your post.

 

I had a massive headache trying to work out what was going on, with my website company blaming my ISP/wifi, and my virus scans showing nothing.

 

THEN - along comes your post, and I've found the code (in the root directory .htaccess file), and identified the few lines of muck that shouldn't be there and cleaaaannned it.

 

CHEERS!


Hi,

 

Glad my post helped and thanks for letting me know.

 

That's why I post things on the forum ... something I started doing back in 2003 on the old KillerSites forum!!!


I didn't realize killersites was a wordpress site?

Nope. Just the blog part.

 

KillerSites actually started as a static site back in 1996 ... if you dig, you can still find the old pages.

 

Stef


BTW,

 

Because Wordpress is vulnerable, you must keep it up to date and clean of any old plug-ins and remove all unused themes. Now you can set WP to auto update itself and that is probably a good thing to enable.

 

For our new sites, we have rolled out our own ultra simple blog engine based on the PHP Laravel framework. For example:

 

swiftplayground.org

 

One of the things that makes Wordpress so vulnerable is the fact that everyone has access to the source code - the holes are much easier to find that way. With our own blog engine, people don't know exactly what we are doing behind the scenes, so that affords some level of security there.

 

.... Although, you shouldn't have mentioned that we use Laravel!  :unsure:

 

:D

 

Check out the screenshots ....

 

Stef

Screen Shot 2014-06-23 at 9.52.42 PM.png

Screen Shot 2014-06-23 at 9.52.22 PM.png
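The advice above (keep core updated, turn on auto-updates, prune inactive plug-ins and themes) can be scripted. The block below is an added example, not code from the post or from WordPress. It sets the real WordPress constants WP_AUTO_UPDATE_CORE (core auto-updates, available since 3.7) and DISALLOW_FILE_EDIT (removes the dashboard theme/plugin editor, a common path for dropping PHP once an admin account is stolen) in wp-config.php, and, when the WP-CLI `wp` tool is installed, runs a core update and lists inactive plug-ins and themes for removal. Assumptions: a stock wp-config.php containing the "stop editing" marker line that ships in wp-config-sample.php, a POSIX sh, and sed with the `-i.bak` form accepted by both GNU and BSD sed. Inactive themes are listed rather than deleted automatically because a child theme's parent must stay installed.

```shell
#!/bin/sh
# Added WordPress hardening helper (not from the original post).
# Usage: sh wp-harden.sh /var/www/site

# Idempotently set define('NAME', VALUE) in wp-config.php: rewrite an existing
# define, otherwise insert one before the "stop editing" marker so it is in
# effect before wp-settings.php is loaded. Returns 1 if neither was possible.
set_wp_constant() {
    cfg="$1"; name="$2"; value="$3"
    if grep -q "define( *'$name'" "$cfg"; then
        sed -i.bak "s/define( *'$name'.*/define('$name', $value);/" "$cfg"
    else
        sed -i.bak "/stop editing/i\\
define('$name', $value);" "$cfg"
    fi
    rm -f "$cfg.bak"
    grep -q "define( *'$name'" "$cfg"
}

# Print the raw value currently defined for a constant (empty if unset).
wp_constant_value() {
    sed -n "s/^define( *'$2', *\(.*\));.*/\1/p" "$1"
}

# Only touch a real site when a docroot was given on the command line.
if [ -n "${1:-}" ]; then
    cfg="$1/wp-config.php"
    set_wp_constant "$cfg" WP_AUTO_UPDATE_CORE true     # all core updates, not just minor ones
    set_wp_constant "$cfg" DISALLOW_FILE_EDIT true      # no PHP editing from the dashboard
    if command -v wp >/dev/null 2>&1; then
        wp --path="$1" core update
        echo "== inactive plugins (delete with: wp plugin delete <name>):"
        wp --path="$1" plugin list --status=inactive --field=name
        echo "== inactive themes (delete with: wp theme delete <name>, keep parents of the active child theme):"
        wp --path="$1" theme list --status=inactive --field=name
    else
        echo "wp-cli not found; update core and prune plugins/themes from the dashboard"
    fi
fi
```

WP_AUTO_UPDATE_CORE also accepts 'minor' (security and maintenance releases only) and false; setting it to true is the closest to "let WP update itself" that the post recommends.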

