Wordpress/Joomla .htaccess injection - HELP! - Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more

shadal · 03-21-2012, 11:02 PM

I have two domains on the same shared host. Domain1 is running Wordpress 3.3.1 and Domain2 is running Joomla 2.5.3. Both have fresh-installed/updated plugins & themes.

Over the past hour both domains .htaccess files have been modified to include redirects to h**p://solidso.ru/mnp/index.php?Ia twice.

Both files were chmod 444.

The shared host is Webhostinghub.com - I've contacted their support and they suggested I change my passwords (which I had already done prior to the last attack) and update the CMSs (which they are). They sent me a couple links ( h**p://en.wikipedia.org/wiki/Code_injection ) and ( h**p://en.wikipedia.org/wiki/Remote_File_Inclusion ) stating that they contained information on how to prevent injections, which they do I guess, but being that I'm not the developer of these CMS/plugins I do not see how this helps me...

I cannot find any suspicious entries in either domain's error log or access log files.

If this IS some form of injection, wouldn't I at least see a POST statement in the access logs from a different IP than my own?

Any suggestions on what I should do to prevent future attacks?

Edit:
This has now happened a 3rd time - I last left domain1's .htaccess chmod set to 644, it has reverted to 444 after it was hacked... This seems to be something automated & set on some sort of schedule.

Am getting really distraught, what do I do??....

Edit 2:
I found a strange looking wp-sys.php file in domain1's root directory. I've deleted it - keeping fingers crossed...

shadal · 03-22-2012, 02:32 AM

It's still happening - I'm gonna cry

flamescorpion · 03-22-2012, 06:35 AM

You should really change your passwords.

shadal · 03-22-2012, 01:37 PM

Quote:

Originally Posted by flamescorpion

You should really change your passwords.

I have done that with all of my sites 3 times already.

This is no longer just happening to two of my domains, but ALL of my .htaccess files throughout my account. And where there arn't .htaccess files, new ones are created.

The redirect seems to change on occassion, always to a .ru site though. This morning I woke up to visit one of my domains only to have it install a virus (which I'm having a very difficult time removing now from my main computer)...

I'm now deleting one domain/directory off the server at a time, until the hack stops. This should tell me the last domain I delete should contain the rouge file.

MalwareRemovalService.com · 03-27-2012, 11:17 AM

That's because there is a backdoor on one of your sites that needs to be removed. The .htaccess files will continue to be overwritten until that is located and removed. Look for files that have code like "/x65 /x84..." or "eval(base64..." or "FilesMan" in them somewhere. They usually obscure the code so it's not easy to locate.

shadal · 03-27-2012, 01:31 PM

Thanks MRS, that's exactly what the problem was...

After spending a day taking one domain offline at a time until the hack finally stopped, I was able to track down which domain (A Joomla one) contained the culprit.

I've since reuploaded all other domains and have installed everything fresh on the domain that got hacked.

Thanks for the tips!

I still can't believe that I wasn't able to find any suspicious activity in my log files - grr!

krysty · 04-16-2012, 03:05 AM

I also had the same problem.

mizu · 04-21-2012, 09:35 AM

Hi shadal,

do you mind telling what exactly was the weak point? Some plugin, module etc..
I work with Joomla on daily basis, never had such an issue yet. But you never know. So, your info may help to protect my sites better.

Just registered here because of your topic.
Thanks.

tanya.dimple · 06-01-2012, 05:04 AM

Hi

You try installing wordpress plugin to maintain individuality of one site with another on same shared host.
And ask that hosting provider to give you complete control panel .

Regards
Tanya Dimple

04rubin · 06-17-2012, 10:34 AM

hi shadel, still have the problem?