WordPress sites with .htaccess hacked

The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain.com and superpuperdomain2.com remote JavaScript injection.

However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. Here is what we’re seeing in the compromised .htaccess files:

If you are not sure what it is doing, it is basically redirecting any search-engine crawler (such as Googlebot) and all of your error pages to generation-internet.ru. The Russian domain changes often, and it in turn redirects to places like http://programmpower.ru/force/index.php, powerprogramm.ru, programmengineering.ru, programmpower.ru, software-boss.ru and many others.
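As an added illustration (not code from the Sucuri post, which does not reproduce the injected rules), the following Python script flags the two behaviours described above in any .htaccess file: RewriteRule redirects to an outside host that are guarded by a RewriteCond on the crawler's HTTP_USER_AGENT, and ErrorDocument directives that send error pages to a remote URL. The sample .htaccess at the top is constructed to match the description, not a copy of the attacker's file; generation-internet.ru is the domain the post names, and www.example.com is a placeholder for your own host.

```python
import os
import re
import tempfile

# Constructed sample .htaccess: a normal WordPress block followed by rules that
# reproduce the behaviour the post describes (crawler user-agents and error
# pages sent to an outside domain). NOT the attacker's actual file, which the
# post does not reproduce; the target domain is one the post names.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|slurp) [NC]
RewriteRule ^(.*)$ http://generation-internet.ru/ [R=301,L]
ErrorDocument 404 http://generation-internet.ru/
ErrorDocument 403 http://generation-internet.ru/
"""

# RewriteCond that tests the User-Agent against search-engine crawler names.
BOT_UA = re.compile(
    r"HTTP_USER_AGENT\}.*\b(googlebot|bingbot|slurp|yahoo|msnbot|yandex|crawler|spider)\b",
    re.I,
)
# RewriteRule whose substitution is an absolute URL; group(1) is scheme://host.
RULE_TO_URL = re.compile(r"^RewriteRule\s+\S+\s+(https?://[^/\s]+)", re.I)
# ErrorDocument whose document is an absolute URL (Apache then redirects to it).
ERRORDOC_TO_URL = re.compile(r"^ErrorDocument\s+\d{3}\s+(https?://[^/\s]+)", re.I)


def _host(url_prefix):
    """'http://Host.example' -> 'host.example'."""
    return url_prefix.split("://", 1)[1].lower()


def analyze_htaccess(text, site_hosts=()):
    """Return [(line_number, kind, target_host)] for one .htaccess body.

    kind: crawler-redirect  RewriteRule to an outside host guarded by a bot UA RewriteCond
          external-redirect any other RewriteRule to an outside host
          errordoc-remote   ErrorDocument pointing at a remote URL
    Redirects to hosts listed in site_hosts (your own domains) are not reported.
    """
    site_hosts = {h.lower() for h in site_hosts}
    findings = []
    pending_bot_cond = False  # a bot UA RewriteCond is waiting for its RewriteRule
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("rewritecond"):
            if BOT_UA.search(line):
                pending_bot_cond = True
            continue
        m = RULE_TO_URL.match(line)
        if m:
            host = _host(m.group(1))
            if host not in site_hosts:
                kind = "crawler-redirect" if pending_bot_cond else "external-redirect"
                findings.append((n, kind, host))
            pending_bot_cond = False  # a RewriteRule consumes the conditions before it
            continue
        if line.lower().startswith("rewriterule"):
            pending_bot_cond = False  # local rule; its conditions are spent
        m = ERRORDOC_TO_URL.match(line)
        if m:
            findings.append((n, "errordoc-remote", _host(m.group(1))))
    return findings


def scan_tree(root, site_hosts=()):
    """Walk a document root and analyze every .htaccess found (injected copies
    often sit in subdirectories such as uploads or plugins, not only at the root).
    Returns {path: findings} for files that produced findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = analyze_htaccess(fh.read(), site_hosts)
            if findings:
                results[path] = findings
    return results


def demo():
    """Build a throwaway site tree containing the constructed sample and scan it."""
    root = tempfile.mkdtemp(prefix="htaccess-scan-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_HTACCESS)
    with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("ErrorDocument 404 http://generation-internet.ru/\n")
    return scan_tree(root, site_hosts={"www.example.com"})  # placeholder own host


if __name__ == "__main__":
    for path, findings in demo().items():
        for line_no, kind, host in findings:
            print(f"{path}:{line_no}: {kind} -> {host}")
```

Because the check keys on the structure of the rules (a crawler user-agent condition followed by an off-site redirect, or an off-site ErrorDocument) rather than on a domain name, the frequent domain changes the post mentions do not matter. Pass your own host names in site_hosts so that legitimate www/non-www or HTTPS redirects are not reported, and review each finding by hand before removing it.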

Here is a small list we have collected:

http://software-boss.ru/grammar/index.php

additionalprofit.ru
boss-united.ru
clear-agent.ru
clearagent.ru
face-apple.ru
fightagent.ru
power-update.ru
programmprofit.ru
software-boss.ru
syntaxswitch.ru
window-switch.ru

http://powerprogramm.ru/make/index.php

http://jaobsofterty.ru/in.cgi?2

http://programmengineering.ru/check/index.php

Sometimes outside of .ru domains:

borrowme.bij.pl
buyordie.osa.pl
lavanda.345.pl
ringostart.osa.pl
aswet.osa.pl

What to do?

If you are seeing any of these redirects, we recommend that you check your .htaccess files ASAP and remove the offending code. You probably also have backdoors hidden in various directories, so you have to do a full clean-up of the whole site, update WordPress, change all the passwords, etc.

If you are not sure, you can scan your site for free using Sucuri SiteCheck and if you need someone to clean it up for you and secure your sites, sign up here: http://sucuri.net/signup

Nothing new

Note that these .htaccess attacks are nothing new. We have been tracking them for years and we even did an article explaining how they work: Understanding .htaccess attacks.

It seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites under their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated, it can get hacked even if you don’t have the timthumb.php script.

About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Ed

    I am seeing similar redirects on GoDaddy WP sites now in WordPress 2014. In looking at the Apache logs I see that a WP cron job is running a POST request and then, right after, I get all these redirects to .ru sites. I see other sites also coming up with the same issue by googling the log entry for the .ru sites, but I haven’t found a fix. It is looking like a server-side initiated cron job, but there is now no extra .htaccess file on the site. In fact, I deleted the hosting file so that it was completely empty and deleted, but I still got the .ru redirects. I was only able to stop it by removing my domain name from the hosting account. I think GoDaddy’s servers are compromised. Anyone else seeing anything like this?

    • marina

      I have the same problem. I spent a week trying to resolve the issue. Did you fix yours?