I’m sure many people can relate to the situation I was in just a few short weeks ago. Been dating someone for years, feeling safe, comfortable, and solid in your relationship. Get in to a sort of “routine” where you do the same things daily, hanging out together, going to bed together, watching your TV shows every week. Hell, even get a dog that you both love and take care of together.
So you do what everyone else does when the relationship is going great and you are completely in love…you go have a ring custom designed and hand made to her exact specs. You make plans to go talk to her parents for permission to propose, and you make the final arrangements to do an amazing proposal straight out of a movie on your upcoming vacation to Cancun.
And what do you get for all that? You get told that apparently there are some issues that are too big to resolve that have now rendered you incompatible. You get broken up with a few days before your 29th birthday and your 2 year anniversary. Instead of spending those 2 awesome days celebrating, you spend them alone, miserable, with a set of rings you can’t bear to look at.
There are some things that can’t be forgiven. This is one of them. I can’t ever look at someone again who could do this to me.
I guess there’s still a good reason I tattooed “Better Off Alone” on my arm. That’s pretty fucking emo, but hey, it’s true.
And seeing this from my never-to-be Mother in Law to my never-to-be sister in law really twisted the knife a bit
So I hate to admit it, but most of the sites that we host were affected by what is to-date the gnarliest wordpress exploit I have ever seen. We have been harrassed a few times by script douches who dick around with the most common wordpress exploits (namely, outdated versions of the software), but we just recently went through and made sure that ALL instances of WP were running current versions. Well out of nowhere we realize that most of our sites are redirecting to russian spam porn URL’s from search engine results. If you go directly to the site URL’s, however, they resolve fine.
Upon some investigation into the .htaccess files, it turns out there was tons of malicious code being added to control the redirects. The first thing I thought was: easy, just remove this junk code and we’re good. So I spend 30 minutes editing .htaccess files on all my instances, and think that the problem is solved. I come back a few hours later to find that ALL of my changes have been overwritten, and the malicious code is back in place. Fucking frustrating!
Now Evan and I spent hours and hours digging through blog posts, and wordpress forums to find some help here. even our web host (hostmonster) was absolutely no help, and most of the forum posts were just people referring others back to the same typical bullshit “how to clean your hacked wordpress site” posts that share the same general logic but don’t address the specific issue here.
So, back to more and more digging. Couldn’t find anything on the specific URL we were redirecting to. Grepp’d all of our sites to find it and its only mentioned in the .htaccess files. Then, I stumble across a sliver of information that mentions the redirect is being handled by a script that may reference “Web Shell by oRb” OR a script called “FilesMan“. I set to grep’ing for these references, and what do you know – we found FilesMan. It was hidden in a php file hidden deep in a Joomla install (/modules dir if I remember correctly) and was called something like wp-12487372.php.
This little bastard had all of the code in it to handle the redirects and rewrites of EVERY .htaccess file on my server.
After finding that, we resolved the issue by deleting the file, and cleaning out every .htaccess file back to their original states (backups!) and installing a wordpress plugin on every site that addresses the TimThumb.php vulnerability. Its called Tim Thumb Vulnerability Scanner, and I suggest you use it. It will find any instance of the file and upgrade them to the latest versions that don’t have the exploit. Then I started installing the Bulletproof Security WordPress Plugin that pretty much locks down your .htaccess files. I’m determined to make sure this never happens again!
Here are some additional notes that I found from researching across the web on ways to resolve this .htaccess redirect issue:
wp.php. If you look at these files you'll see they start with something like this:
<?php # Web Shell by oRb
$auth_pass = "";
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'Windows-1251'
A few other resources to help in your un-hacking 🙂
Powered by TechAndTonic.com TechAndTonic.com