Ongoing htaccess hacks – mobile device htaccess redirect hack

  • #17366
    amsweb
    Participant

    Hello,

    We are running WP3.9 and have had issues with repeated hacks on the site.  Previously it was a base64 type hack that infected numerous files.  We cleaned those up, removed many malicious files, updated all plugins, changed all passwords (admin, FTP, database).  We haven’t had any more issues with base64 style hacks, but the htaccess file is hit once weekly and additional entries are added to redirect mobile users to malicious sites.

    We implemented Bulletproof on August 1 and used the Secure.htaccess method, hoping that this would stop this issue, but it continues to happen.  We’ve had about 3 issues with the rewrites since that implementation.  The interesting thing is that the datestamp on the .htaccess file never changes.  There is NO unauthorized access in wordpress admin, so I’m not real sure how this is happening.

    My question I guess is, am I using BPS correctly?  Shouldn’t it be preventing these unauthorized changes to .htaccess?


    #17367
    AITpro Admin
    Keymaster

    My question I guess is, am I using BPS correctly?  Shouldn’t it be preventing these unauthorized changes to .htaccess?

    A simple analogy for when your website is already hacked before installing BPS is:  If BPS is the bank vault door and the hackers are already in the bank vault then BPS can slow them down a bit, but the hackers are already in the bank vault.

    If the hack is ongoing then you missed some hacker files.  This is an unsettling fact, but unfortunately it is a fact – if the hackers have managed to upload 1 hacker Shell script somewhere under your entire hosting account then they can control your entire hosting account and modify any/all websites under that hosting account at any time.  So if you have not found that root source hacker Shell script then they will continue to control your hosting account and can recreate the end result symptoms, which are the mobile device redirect code.  The important thing to note is the root source of this hack would be the hacker Shell script, which is basically a WordPress Admin Dashboard on steroids, and the end result symptoms are file edits to any/all files under your entire hosting account.

    To sum everything up you have not found the root source of the hack yet if you are still seeing “end result symptoms” of the root source hacker file/hacker Shell script.  See the forum topic link below for additional info on hacked website cleanup and the WordPress.org forum link.

    http://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    A common place that hackers are hiding the hacker files for this particular htaccess mobile device redirect hack is in the /wp-includes/pomo/ folder.  Instead of trying to manually remove files one by one you should instead delete all WordPress folders and files and upload new WordPress folders and files.  The link above has steps for what I personally recommend that you do, but you can try to manually find all the files.  Typically that is very time consuming and does not guarantee that you found all the hacker’s files.

    http://wordpress.org/support/topic/problems-viewing-site-on-mobile-iphone-htaccess-related

    #17376
    amsweb
    Participant

    Thank you for the reply. This certainly helps.

    A common place that hackers are hiding the hacker files for this particular htaccess mobile device redirect hack is in the /wp-includes/pomo/ folder.

    I knew that folder was needed but I didn’t investigate each file in there and when I went to view one, MS Security Essentials prevented me from looking at it, so I deleted it from the server.

    In case it helps anyone else, I found that the 5 files in this directory should be:
    entry.php
    mo.php
    po.php
    streams.php
    translations.php

    I am going to ride this out again and see if this closes the door. If it doesn’t, I may first replace those 5 files with fresh ones, and if that still doesn’t do it, then tear down the install and start over like you mentioned.

    I’ll add too that other plugins such as WordFence did not see this malicious file, so it again reiterates your point that plugins can’t find all the malicious files.

    #17378
    AITpro Admin
    Keymaster

    Yep, it is always worth a shot to see if you can do a manual cleanup, but watch/monitor all of your sites like a hawk for at least a week.  It can be a very time consuming thing to create multiple new websites if you have a lot of them under your hosting account.  If you do end up having to install new sites then keep in mind that since WordPress Core/application files are easily replaced by deleting old Core files and uploading new Core files then there really is not any need to backup WordPress Core files.  For your personal folders/files it is a good idea to back those up.

    Yep, scanners cannot detect hacker files that are intentionally designed to be undetectable by scanners, which is really simple to do if the hacker uses standard PHP functions and does not use any typical obfuscation methods.  Since all PHP code whether it is used for good or for bad is all the same PHP functions then scanners look for common standard PHP functions that hackers use.  If the hacker file does not contain any commonly used PHP functions used by hackers or any obfuscated code then it will look like just a regular/standard/good php file to any scanners and they will not flag the file as suspicious or malicious.
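    A defender-side check for the two concrete points in this thread: amsweb's list of the five files that belong in /wp-includes/pomo/, and the .htaccess RewriteCond/RewriteRule groups that redirect by User-Agent to an off-site URL (with a content hash, since the post above notes the file's datestamp never changed, so mtime is not a trustworthy signal). This is added example code, not from BPS or either poster; the sample .htaccess text is constructed, and the regex patterns and function names are my own assumptions.

```python
import hashlib
import re

# The five files amsweb lists for wp-includes/pomo/ in WordPress 3.9.
EXPECTED_POMO_FILES = {"entry.php", "mo.php", "po.php", "streams.php", "translations.php"}

# Mobile-redirect hacks key on the User-Agent and send the visitor to an external host.
UA_COND = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)
EXT_REDIRECT = re.compile(r"RewriteRule\s+\S+\s+https?://", re.I)


def unexpected_files(names):
    """Names (e.g. os.listdir of wp-includes/pomo) not in the known list; any drop-in is a suspect."""
    return sorted(set(names) - EXPECTED_POMO_FILES)


def fingerprint(data):
    """SHA-256 of file content; a shell that restores mtime cannot hide from a hash baseline."""
    return hashlib.sha256(data).hexdigest()


def suspicious_htaccess_rules(text):
    """(line_no, line) pairs for RewriteCond/RewriteRule groups that redirect by UA off-site."""
    hits, pending = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            pending.append((no, line))  # conditions attach to the next RewriteRule
        elif line.startswith("RewriteRule"):
            if any(UA_COND.search(c) for _, c in pending) and EXT_REDIRECT.search(line):
                hits.extend(pending + [(no, line)])
            pending = []
        elif line and not line.startswith("#"):
            pending = []  # any other directive ends the group
    return hits


# Constructed sample: the stock WordPress block followed by an injected UA redirect.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://example.invalid/ [R=302,L]
"""
```

Running the check over a stored copy of a known-good .htaccess and comparing fingerprints on a schedule catches the weekly re-injection even when the timestamp is untouched.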
