The Latest in IT Security

WordPress sites with .htaccess hacked

18 Aug 2011


The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain.com and superpuperdomain2.com remote JavaScript injection.

However, that is not all it is doing. On many of the sites we are analyzing, the .htaccess file is also being modified to redirect search engine and organic traffic to some Russian domains. This is what the compromised .htaccess looks like:

If you are not sure what it is doing, it is basically redirecting any crawler (like Googlebot) and all of your error pages to generation-internet.ru. The Russian domain changes often; it can be http://programmpower.ru/force/index.php, powerprogramm.ru, programmengineering.ru, programmpower.ru, software-boss.ru and many others.

This is a small list we collected:

Sometimes the redirect targets are not even .ru domains.

What to do?

If you are seeing any of those redirects, we recommend that you check your .htaccess file as soon as possible and remove the offending code. You probably also have backdoors hidden in there, so you have to do a full clean-up of the whole site, update WordPress, change all the passwords, etc.
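As an added example (not Sucuri's tooling and not the injected file from the post), here is a small Python checker for the pattern described above: RewriteRule directives guarded by user-agent or referer conditions that send crawlers and search referrals off-site, and ErrorDocument directives that point at another host. The crawler name list, the `.example` hosts and the sample .htaccess are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Assumed lists: the request variables and the names that conditional crawler redirects key on
COND_VAR_RE = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}", re.I)
SEARCH_RE = re.compile(r"google|bing|yahoo|msn|yandex|bot|crawler|spider|slurp", re.I)

def _external_host(target, own_host):
    """Host of an absolute http(s) URL pointing away from own_host and its subdomains, else None."""
    p = urlparse(target)
    if p.scheme in ("http", "https") and p.hostname:
        if p.hostname != own_host and not p.hostname.endswith("." + own_host):
            return p.hostname
    return None

def find_suspicious_rules(htaccess_text, own_host):
    """Return (line_no, reason, line) for directives matching the redirect pattern from the post."""
    findings, pending_conds = [], []  # RewriteCond lines guard the next RewriteRule
    for no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *args = line.lower().split()
        if directive == "rewritecond" and len(args) >= 2:
            pending_conds.append(line)
        elif directive == "rewriterule" and len(args) >= 2:
            conds, pending_conds = " ".join(pending_conds), []
            host = _external_host(args[1], own_host.lower())
            if host is None:
                continue  # stays on our own host, e.g. www/https canonicalisation
            if COND_VAR_RE.search(conds) and SEARCH_RE.search(conds):
                reason = f"crawler or search-engine traffic redirected to {host}"
            else:
                reason = f"redirect to external host {host}"
            findings.append((no, reason, line))
        elif directive == "errordocument" and len(args) >= 2:
            host = _external_host(args[1], own_host.lower())
            if host is not None:
                findings.append((no, f"error page {args[0]} served from {host}", line))
    return findings

# Constructed sample modelled on the pattern described above, not the real injected file
SAMPLE_HTACCESS = r"""
RewriteCond %{HTTP_HOST} ^example\.com$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yahoo|msnbot) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/index.php [R=301,L]
ErrorDocument 404 http://redirect-target.example/index.php
ErrorDocument 403 /errors/403.html
"""
```

Running `find_suspicious_rules(SAMPLE_HTACCESS, "example.com")` reports the crawler-only redirect and the off-site 404 page while leaving the ordinary www canonicalisation and the local 403 page alone.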

If you are not sure, you can scan your site here: http://sitecheck.sucuri.net/ and if you need someone to clean it up for you and secure your sites, sign up here: http://sucuri.net/signup


Nothing new

Note that these .htaccess attacks are nothing new. We have been tracking them for years, and we even wrote an article explaining how they work: Understanding .htaccess attacks.

But it seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites under their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated, it can get hacked as well, even if you don't have the timthumb.php script.
