Unusual hack. WordPress htaccess redirect for search engines only.

I had a couple of clients complaining that their WordPress sites had been hacked.

I went to their sites and saw nothing out of place. A quick check of their index.php files and databases didn't show anything up, which is where attackers usually strike.

I requested further information, at which point the clients finally mentioned that it was Google that was saying the sites were compromised and showing pharmacy links.

With this new information, I took a quick look at all the files on the site, looking for the most recently modified ones.

ls -lat

is your friend here.

This showed that the most recently modified files were:
.htaccess
session.php
common.php

A quick look in the files showed the cause and the problem.

# Apache search queries statistic module
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|aol|bing|crawl|aspseek|icio|robot|spider|nutch|slurp|msnbot) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo|msn|search|bing)
RewriteCond %{REQUEST_URI} /$ [OR]
RewriteCond %{REQUEST_FILENAME} (shtml|html|htm|php|xml|phtml|asp|aspx)$ [NC]
RewriteCond %{REQUEST_FILENAME} !common.php
RewriteCond %{DOCUMENT_ROOT}/common.php -f
RewriteRule ^.*$    /common.php [L]
</IfModule>

The two PHP files were obfuscated using

eval(base64_decode(...........))

As you can see, the .htaccess file checks whether the visitor is a search engine (by user agent, or by a search-engine referer) and, if so, rewrites the request to common.php, which pumps out the pharma pages/links.
If it is a normal visitor, i.e. you or me, it returns the proper page.

The effect of this is to push the targeted sites up the search rankings by making them appear more popular than they actually are. Google have caught onto this ploy and now tag the sites as compromised.

To fix this simply delete all three files and reset the ftp password.

In case you are wondering, the users were compromised because they used weak FTP passwords. They have been educated on this now, and a new password strength test has been put in place for choosing new passwords.

To do a server-wide test for this hack, use the following command.

find /var/www/vhosts/*/httpdocs/.htaccess -print | xargs grep -l "common.php"

Obviously, change the path if it is different on your server (this one is for a Plesk/CentOS server).
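A broader check than the single grep above, as an added example that is not part of the original post: it flags any .htaccess that gates a RewriteRule on crawler user agents or search-engine referers regardless of what the target file is called, and any PHP file under the same docroot wrapped in eval(base64_decode(...)). The Plesk path layout is taken from the post; the crawler keyword list, the function names and the fixture files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not the post's own code): generalises the grep above so it
# flags any .htaccess gating a rewrite on crawler user agents or search-engine
# referers, whatever the target is named, plus PHP files wrapped in
# eval(base64_decode(...)). Keyword list and fixture files are constructed.

# 0 if FILE has a RewriteCond on HTTP_USER_AGENT/HTTP_REFERER that names a
# crawler or search engine AND a RewriteRule whose target is a .php file.
htaccess_is_cloaking() {
    f="$1"; [ -f "$f" ] || return 1
    grep -qiE 'RewriteCond[[:space:]]+%.HTTP_(USER_AGENT|REFERER).*(google|bing|yahoo|msn|crawl|spider|robot|slurp)' "$f" || return 1
    grep -qiE 'RewriteRule[[:space:]].*\.php' "$f"
}

# 0 if FILE carries the eval(base64_decode( obfuscation wrapper.
php_is_obfuscated() {
    grep -qE 'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$1"
}

# Walk every vhost docroot under ROOT (Plesk layout from the post), print one
# line per finding; returns 0 if anything was flagged, 1 if all clean.
scan_vhosts() {
    root="$1"; found=1
    for doc in "$root"/*/httpdocs; do
        [ -d "$doc" ] || continue
        if htaccess_is_cloaking "$doc/.htaccess"; then
            echo "CLOAKING  $doc/.htaccess"; found=0
        fi
        hits=$(find "$doc" -type f -name '*.php' -exec grep -lE \
            'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + 2>/dev/null || true)
        if [ -n "$hits" ]; then echo "$hits" | sed 's/^/OBFUSCATED  /'; found=0; fi
    done
    return $found
}

# Constructed fixture: one compromised and one clean vhost in a temp dir.
make_demo() {
    d=$(mktemp -d); mkdir -p "$d/bad/httpdocs" "$d/good/httpdocs"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_USER_AGENT} (google|bing|slurp) [OR]' \
        'RewriteCond %{HTTP_REFERER} (google|bing)' \
        'RewriteRule ^.*$ /common.php [L]' > "$d/bad/httpdocs/.htaccess"
    printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$d/bad/httpdocs/common.php"
    printf '%s\n' 'RewriteEngine On' 'RewriteRule . /index.php [L]' > "$d/good/httpdocs/.htaccess"
    printf '%s\n' '<?php echo "hello";' > "$d/good/httpdocs/index.php"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then d=$(make_demo); scan_vhosts "$d"; rm -rf "$d"; fi
```

Run with `--demo` to see it flag the constructed bad vhost only, or call `scan_vhosts /var/www/vhosts` on a real Plesk host.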
