Malware problem "exploited .htaccess"


Perry

Nov 13, 2012, 5:26:01 PM11/13/12
to manchester-word...@googlegroups.com
A WP site I run on a shared host was recently shut down. They sent a report with "Known exploit = [Fingerprint Match] [Exploited .htaccess" showing in a number of folders.

But unfortunately I wasn't able to see the content of the .htaccess files as the host deleted them before I could regain ftp and cpanel access.

I've set up WordPress on the host again but I haven't reinstated the original theme or database.

What should I be looking for in the database and theme templates to ensure these haven't been corrupted?

Cheers

Gyp the Cat

Nov 14, 2012, 4:08:56 AM11/14/12
to manchester-word...@googlegroups.com
Hi Perry,

A shame you couldn't get the htaccess, would have been interesting.  I dare say it was running a redirect to some other site that was serving the malware?  Any other details than that?

The couple of sites I've investigated I've run queries like the following against the database (please excuse my GCSE level of SQL...):

select *
from wp_posts
where post_content like '%http%'
and post_content not like '%http://www.gypthecat.com%'

This should tell you all the links from the posts that are not linking to your own site.  Do the same for pages too in your database.

Also have a look through your files for the similar things as above:

grep -r 'http' /path/to/http/directory

This will likely take you a good long time, especially if you have things like embedded Twitter and Analytics.

I suppose if the site has had an .htaccess file created to redirect then it could be an issue with the permission structure in the directory.  This could be beyond your permissions to have a look at.

While you're there make sure you don't have any cron jobs running that you don't know about, any executables stashed anywhere.  Again dependent on the size of your site this could take a while.  Offline the whole lot (stick it on CD), and scan it with an AV, no promises here but it's another test you can do.

Also Google Webmaster Tools sometimes gives decent detail, have a look there too.

Gyp



--
See the group blog at http://mwug.info
 
You received this message because you are subscribed to the Google
Groups "Manchester WordPress User Group" group.
To post to this group, send email to
manchester-word...@googlegroups.com
To unsubscribe from this group, send email to
manchester-wordpress-...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/manchester-wordpress-user-group
 
 



--

Gyp The Cat
- An Alter Ego


=====================================================
PRIVACY & CONFIDENTIALITY INFORMATION
=====================================================
This e-mail communication isn't strictly confidential, and chances are I won't mind at all if you forward it to everyone you know and your cat. In fact the only thing I do mind is people sending me chain e-mail after chain e-mail, send me the odd good one, naked bird content is usually a bonus. Or genuinely funny ones. Oh, while we're on this subject, please refrain from sending me any virus warnings. Regardless of how badly it will destroy my PC and kill my house plants if my next door neighbour has a friend who thinks his cousin in Australia may have looked at an icon which was this virus. I will take my chances into my own hands about viruses. Oh yeah, while I'm at it, that 'virus' with the teddy bear icon isn't a virus, and if you've deleted it already don't worry, if you didn't know it wasn't a virus you don't need it. If I ended up sending this e-mail to the wrong person, don't worry about it. But if you know who I was supposed to send it to and can send it on to save me time doing it that'd be great. If not just e-mail me back letting me know I screwed up somewhat and I'll no doubt apologise.
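The database check Gyp describes above, worked through as an added example (editor's code, not from the original post or from WordPress). It builds a throwaway SQLite copy of wp_posts from constructed rows so it runs offline; the own-site hostname, the row contents and the list of "code" patterns are all assumptions. It goes slightly beyond the one-line query in two ways: it checks each URL's hostname rather than excluding any row that merely mentions your own site (a row can link to both), and it includes revisions, which keep a copy of injected content after you clean the live post.

```python
"""Scan WordPress post_content for injected links and embedded code.

Hypothetical helper written for this thread. Against a real site the same
SELECT can be pointed at the live MySQL database; everything else here is
constructed so the script runs on its own.
"""
import re
import sqlite3
from urllib.parse import urlparse

OWN_HOST = "www.gypthecat.com"  # assumption: the site's own hostname

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Things that should never appear inside post_content on a normal site.
SUSPICIOUS = [
    r"<\s*\?php",          # PHP opening tag, with or without a stray space
    r"\beval\s*\(",
    r"base64_decode\s*\(",
    r"<\s*script",
    r"<\s*iframe",
]

# Constructed sample rows: (ID, post_type, post_title, post_content)
SAMPLE_ROWS = [
    (1, "post", "Hello", "Welcome to the blog."),
    (2, "page", "About", 'See <a href="http://www.gypthecat.com/about">about</a>.'),
    (3, "post", "News", 'Buy now <a href="http://example.invalid/pharma">here</a>.'),
    (4, "post", "Old", '< ?php if (!function_exists("getmicrotime")) { error_reporting(5); }'),
    (5, "revision", "News", 'Buy now <a href="http://example.invalid/pharma">here</a>.'),
]


def build_db():
    """In-memory stand-in for wp_posts, populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER, post_type TEXT, "
        "post_title TEXT, post_content TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def foreign_urls(content, own_host=OWN_HOST):
    """Every http(s) URL in the content whose hostname is not our own."""
    return [u for u in URL_RE.findall(content) if urlparse(u).hostname != own_host]


def scan_posts(conn, own_host=OWN_HOST, post_types=("post", "page", "revision")):
    """Return {ID: [findings]} for rows with foreign links or embedded code."""
    placeholders = ",".join("?" * len(post_types))
    rows = conn.execute(
        f"SELECT ID, post_type, post_content FROM wp_posts "
        f"WHERE post_type IN ({placeholders})",
        post_types,
    )
    findings = {}
    for post_id, _ptype, content in rows:
        hits = [f"link:{u}" for u in foreign_urls(content, own_host)]
        hits += [f"code:{p}" for p in SUSPICIOUS if re.search(p, content, re.I)]
        if hits:
            findings[post_id] = hits
    return findings


if __name__ == "__main__":
    for post_id, hits in sorted(scan_posts(build_db()).items()):
        print(post_id, hits)
```

Rows 3, 4 and 5 are reported; row 2 is not, even though it contains an http link, because the link points at our own host.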

Perry Bonewell

Nov 14, 2012, 4:15:37 AM11/14/12
to manchester-word...@googlegroups.com

Excellent stuff, cheers for that Gyp.

I really need to get my head around SQL, now is as good a time as any to start!

I'll have a dig around and see if anything crops up.

maureen whilby

Nov 14, 2012, 5:44:26 AM11/14/12
to manchester-word...@googlegroups.com
Perry

Out of interest which theme were you using and which plugins? It would be useful to know which things to look out for.

Cheers

Maureen



Perry

Nov 14, 2012, 6:00:08 AM11/14/12
to manchester-word...@googlegroups.com
Hi Maureen,

I'm pretty certain the theme isn't the problem - it's a custom one that I built (not that that is any recommendation!).

There is an out of date and unsupported plugin on the site though, Flickr Photo Album, which I hope nobody else would think about installing in any case (a legacy thing that needs an alternative solution).

I've reactivated the theme on the site already. I'll gradually reintroduce the other plugins that were on there but I'm definitely not putting the Flickr plugin back!

Perry

Perry

Nov 14, 2012, 6:11:10 PM11/14/12
to manchester-word...@googlegroups.com
Hi Gyp - it looks like you must have an A* in GCSE SQL. The search turned up a post with the following in the post_content field (I won't paste all of it):

"< ?php //Starting calls if (!function_exists("getmicrotime")) {function getmicrotime() {list($usec, $sec) = explode(" ", microtime()); return ((float)$usec + (float)$sec);}} error_reporting(5); @ignore_user_abort(TRUE); @set_magic_quotes_runtime(0); $win = strtolower(substr(PHP_OS,0,3)) == "win"; define("starttime",getmicrotime()); if (get_magic_quotes_gpc()).... etc"

A quick search and it turns out this is a hacker tool.

I haven't found anything else but I'm still checking. Luckily there aren't too many posts on the site!

Perry


Gyp the Cat

Nov 14, 2012, 7:34:34 PM11/14/12
to manchester-word...@googlegroups.com
Hi Perry,

I'm glad it's of some use to you.

Was thinking on this more today and if they've managed to write to your htaccess then your files could be compromised too.

Are your access logs still intact? That may be another good place to look for naughty php shenanigans which would probably let you whittle down the search some.

Sorry, I'm not trying to give you more work here just pretty much thinking out loud :)

@Maureen, a site I dealt with a while ago appeared to have been compromised through an out of date and insecure plugin.  It hadn't been updated in a while and its vulnerabilities were documented.  Personally I keep an eye on how old a plugin is and if it's had any "negative publicity". Not a foolproof system, but stopping web bots from crawling your plugins directory helps too.  Counter "Open Source Intelligence" and all that.

Gyp

Sent from my iPhone
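The access-log check Gyp suggests above, as an added example (editor's code, not from the original post). The log lines are constructed in Apache/nginx "combined" format with documentation-range IPs, and the plugin path in them is made up; on a real host you would feed the function the contents of access.log instead. It flags three things a shared-host WordPress log should not normally show: a PHP file requested under wp-content/uploads, a POST straight to a plugin or theme file, and a successful directory listing of /wp-content/plugins/ (the crawling Gyp mentions), then counts flagged requests per client so the search can be whittled down.

```python
"""Triage a WordPress access log for signs of PHP file abuse.

Hypothetical helper written for this thread; the sample log is constructed.
"""
import re
from collections import Counter

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# PHP belongs in core, theme and plugin locations; it has no business under
# uploads, and plugin/theme files are not normally POSTed to directly.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.I)
DIRECT_PHP = re.compile(r"^/wp-content/(plugins|themes)/.*\.php$", re.I)

# Constructed sample log; "some-plugin" is a placeholder, not a real plugin.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2012:10:01:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Nov/2012:10:01:03 +0000] "GET /wp-content/themes/custom/style.css HTTP/1.1" 200 812 "http://example.invalid/" "Mozilla/5.0"
198.51.100.77 - - [13/Nov/2012:10:05:44 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.77 - - [13/Nov/2012:10:06:10 +0000] "POST /wp-content/plugins/some-plugin/ajax.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.77 - - [13/Nov/2012:10:06:31 +0000] "GET /wp-content/uploads/2012/11/.cache.php HTTP/1.1" 200 318 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Nov/2012:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return ([(reason, ip, method, path), ...], Counter of flagged requests per ip)."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue  # malformed or truncated line; skip rather than guess
        path = rec["path"].split("?", 1)[0]
        reason = None
        if UPLOADS_PHP.search(path):
            reason = "php under uploads"
        elif rec["method"] == "POST" and DIRECT_PHP.search(path):
            reason = "POST straight to plugin/theme file"
        elif path.rstrip("/") == "/wp-content/plugins" and rec["status"] == "200":
            reason = "plugins directory listed"  # listing should be disabled
        if reason:
            flagged.append((reason, rec["ip"], rec["method"], path))
    by_ip = Counter(f[1] for f in flagged)
    return flagged, by_ip


if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(per_ip.most_common())
```

Once a client stands out, searching the log for everything that IP did around the same time usually shows how it got in, which is far quicker than grepping the whole file tree blind.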

Perry Bonewell

Nov 15, 2012, 5:13:39 PM11/15/12
to Manchester WordPress User Group
Cheers Gyp, I went through everything and the site has been back up for nearly 24 hours without any glitches.

It's shared hosting (not one I set up) and there doesn't seem to be any way to access any proper log files, which is frustrating.

Fingers crossed the problem is sorted now.

Thanks for the advice!

Gyp the Cat

Nov 15, 2012, 5:39:08 PM11/15/12
to manchester-word...@googlegroups.com
Hi Perry,

Glad to hear it and happy to help!

Gyp