administrator Posted January 13, 2014

Hi,

Last night (or the night before) we got hacked via a WordPress vulnerability, where the hacker was able to use WordPress to deposit .htaccess files all over the website. These .htaccess files had redirects that sent users to a Russian site. ... It only affected mobile machines (iPhones, Androids, iPads) and so I had not noticed it until a day or so ago.

How to fix this:

The solution is to first fix WordPress and then remove the .htaccess files. If you try to just remove the .htaccess files, the hack will just recreate new ones. The offending file is typically:

/wp-content/uploads/_wp_cache.php

So if you find this, check the code and if it is the nefarious Russian code, then delete it. This is the beginning of the evil code:

```apache
RewriteEngine off
RewriteCond %{HTTP_USER_AGENT} android [NC,OR]
RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR]
RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR]
RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|m881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|htil-g1|fly\ v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|sanyo|vx54|c888|nx250|n120|mtk\ |c5588|s710|t880|c5005|i;458x|p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|s800|8325rc|ac831|mw200|brew\ |d88|htc\/|htc_touch|355x|m50|km100|d736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg\ |sonyericsson|samsung|240x|x320|vx10|nokia|sony\ cmd|motorola|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|mobile|treo) [NC,OR]
...
```

... I don't want to post the whole thing for obvious reasons.

You should also update your WordPress install to the latest version. I updated from 3.6 to 3.8 and that solved the problem.

Thanks to Andrea for the heads up!

Stef
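The post above describes the two artifacts to hunt for: .htaccess files whose RewriteRule is guarded by User-Agent RewriteConds and points off-site, and a PHP dropper sitting under wp-content/uploads. The scanner below is an added example, not code from the thread or from WordPress; it builds a constructed sample site (the hostnames example.com, m.example.com and example.net and the placeholder _wp_cache.php contents are made up for the demo) and reports both artifact types. A UA-guarded redirect to a host you own (a mobile subdomain, say) is deliberately not flagged, so pass your own hostnames in `own_hosts`.

```python
"""Added example: locate the mobile-UA redirect .htaccess files and the uploads
dropper described in the post. Not part of the original thread; the hosts and
the sample site below are constructed for the demo."""
import os
import re
import tempfile
from urllib.parse import urlparse

# A RewriteCond keyed on the User-Agent, as in the posted code.
COND_UA_RE = re.compile(r'^RewriteCond\s+%\{HTTP_USER_AGENT\}', re.I)
# RewriteRule <pattern> <target> [flags]
RULE_RE = re.compile(r'^RewriteRule\s+(\S+)\s+(\S+)', re.I)
PHP_EXTS = ('.php', '.phtml', '.php5', '.phar')


def is_offsite(target, own_hosts):
    """True when the rewrite target is an absolute URL to a host we do not own."""
    u = urlparse(target)
    return (u.scheme in ('http', 'https') and u.hostname is not None
            and u.hostname.lower() not in own_hosts)


def scan_htaccess(text, own_hosts):
    """Return [(line_no, target)] for every RewriteRule that is guarded by a
    User-Agent RewriteCond and sends the visitor off-site. RewriteConds apply
    to the next RewriteRule, so one UA condition is enough to make the rule
    suspicious; the RewriteRule consumes the pending conditions."""
    findings, ua_guarded = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if COND_UA_RE.match(line):
            ua_guarded = True
            continue
        m = RULE_RE.match(line)
        if m:
            if ua_guarded and is_offsite(m.group(2), own_hosts):
                findings.append((n, m.group(2)))
            ua_guarded = False
    return findings


def scan_site(root, own_hosts):
    """Walk a site root. Reports suspicious .htaccess redirects and any PHP file
    under wp-content/uploads, where the dropper (_wp_cache.php) lived."""
    own = {h.lower() for h in own_hosts}
    report = {'htaccess': [], 'uploads_php': []}
    uploads = os.path.join(root, 'wp-content', 'uploads') + os.sep
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn == '.htaccess':
                with open(path, encoding='utf-8', errors='replace') as f:
                    for line_no, target in scan_htaccess(f.read(), own):
                        report['htaccess'].append((path, line_no, target))
            elif fn.lower().endswith(PHP_EXTS) and path.startswith(uploads):
                report['uploads_php'].append(path)
    return report


def build_sample_site():
    """Constructed fixture: a clean root .htaccess (standard WordPress rules plus
    a legitimate mobile redirect to our own m. host), an infected
    wp-content/.htaccess and a placeholder dropper. Hostnames are made up."""
    root = tempfile.mkdtemp(prefix='wpscan-')
    os.makedirs(os.path.join(root, 'wp-content', 'uploads'))
    clean = (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} iphone [NC]\n"
        "RewriteRule ^$ https://m.example.com/ [R=302,L]\n"
        "RewriteCond %{REQUEST_FILENAME} !-f\n"
        "RewriteCond %{REQUEST_FILENAME} !-d\n"
        "RewriteRule . /index.php [L]\n")
    infected = (
        "RewriteEngine on\n"
        "RewriteCond %{HTTP_USER_AGENT} android [NC,OR]\n"
        "RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR]\n"
        "RewriteCond %{HTTP_USER_AGENT} (nokia|samsung|mobile) [NC]\n"
        "RewriteRule ^.*$ http://example.net/in.php [R=302,L]\n")
    with open(os.path.join(root, '.htaccess'), 'w') as f:
        f.write(clean)
    with open(os.path.join(root, 'wp-content', '.htaccess'), 'w') as f:
        f.write(infected)
    with open(os.path.join(root, 'wp-content', 'uploads', '_wp_cache.php'), 'w') as f:
        f.write("<?php /* constructed placeholder, not the real dropper */\n")
    return root


if __name__ == '__main__':
    site = build_sample_site()
    report = scan_site(site, {'www.example.com', 'm.example.com'})
    for path, line_no, target in report['htaccess']:
        print(f'{path}:{line_no}: off-site redirect to {target}')
    for path in report['uploads_php']:
        print(f'{path}: PHP file inside uploads')
```

Run it against a real document root by calling `scan_site('/var/www/html', {'www.yoursite.example'})` in place of the fixture. As the post says, delete the dropper before the .htaccess files, otherwise they come back; and because the hack only fires for mobile User-Agents, test the cleanup with `curl -A iphone -I https://yoursite.example/` rather than a desktop browser.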
Andrea Posted January 13, 2014

Welcome - I'm curious, so. Would visiting with an iPad and being redirected to the Russian site have done any kind of damage to the iPad?
administrator Posted January 13, 2014 Author

> Welcome - I'm curious, so. Would visiting with an iPad and being redirected to the Russian site have done any kind of damage to the iPad?

Hmmm ... I can't say for sure as I haven't researched it but I doubt it because Apple has iOS and Mac OSX locked down pretty good. With iOS for instance, you have to explicitly give permission to install apps.

Stef
kralcx Posted January 19, 2014

I didn't realize killersites was a wordpress site?
teejayryan Posted June 23, 2014

Hi there,

Just registered with this forum so I could come in personally & thank you for your post. I had a massive headache trying to work out what was going on, with my website company blaming my ISP/wifi, and my virus scans showing nothing. THEN - along comes your post, and I've found the code (in the root directory .htaccess file), and identified the few lines of muck that shouldn't be there and cleaaaannned it.

CHEERS!
administrator Posted June 24, 2014 Author

Hi,

Glad my post helped and thanks for letting me know. That's why I post things on the forum ... something I started doing back in 2003 on the old KillerSites forum!!!
administrator Posted June 24, 2014 Author

> I didn't realize killersites was a wordpress site?

Nope. Just the blog part. KillerSites actually started as a static site back in 1996 ... if you dig, you can still find the old pages.

Stef
administrator Posted June 24, 2014 Author

BTW,

Because WordPress is vulnerable, you must keep it up to date and clean of any old plug-ins and remove all unused themes. Now you can set WP to auto update itself and that is probably a good thing to enable.

For our new sites, we have rolled out our own ultra simple blog engine based on the PHP Laravel framework. For example: swiftplayground.org

One of the things that makes WordPress so vulnerable is the fact that everyone has access to the source code - the holes are much easier to find that way. With our own blog engine, people don't know exactly what we are doing behind the scenes, so that affords some level of security there. .... Although, you shouldn't have mentioned that we use Laravel!

Check out the screenshots ....

Stef