Sucuri Blog

Website Security News


.htaccess Injector on Joomla and WordPress Websites

May 23, 2019 | Eugene Wozniak


While investigating one of our incident response cases, we found an .htaccess code injection. It was spread widely across the website: the code had been injected into all .htaccess files and redirected visitors to the advertisement website http[:]//portal-f[.]pw/XcTyTp.

Taking a Look at the .htaccess Injector Code

Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:

Snippet 1

This code searches for an .htaccess file. If it finds one, it places malicious redirects in the file immediately after “# BEGIN WORDPRESS”.

Reaching the address hXXp://recaptcha-in[.]pw/bash/include/xtaccess (see the snippet above), we identified the next .htaccess injection, along with the accompanying PHP instructions:

Snippet 2

The first part of the code contains a pattern that is intended to be placed in each .htaccess file. Right afterwards, we see:

Snippet 3

This section defines which files and folders will be searched — $wp stands for WordPress file structure and $jm stands for Joomla file structure.

If we continue to check the code at hXXp[:]//recaptcha-in[.]pw/bash/include/xtaccess, we also notice the following:

Snippet 4

Snippet 5

This last part of the code searches for more files and folders, attempting to search folders at a deeper level.

Snippet 6
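
To check a site for the behaviour described above (redirects written into every .htaccess file, placed right after the “# BEGIN WORDPRESS” marker), a defender can scan the webroot for redirect directives that point at external hosts. The following Python scanner is an added example, not code from the original post; the function names, the allowlist parameter and the sample file (with the placeholder host ads.example.invalid) are assumptions made for illustration.

```python
import os
import re
from urllib.parse import urlsplit

# Directives that can send a visitor to another URL.
DIRECTIVE = re.compile(r"^\s*(RewriteRule|Redirect\w*|ErrorDocument)\b", re.I)
ABS_URL = re.compile(r"https?://[^\s\"']+", re.I)
WP_BEGIN = re.compile(r"^\s*#\s*BEGIN\s+WORDPRESS\b", re.I)
WP_END = re.compile(r"^\s*#\s*END\s+WORDPRESS\b", re.I)

# Constructed sample: a stock WordPress block with one injected rule.
# ads.example.invalid is a placeholder, not the domain from the article.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteRule ^(.*)$ http://ads.example.invalid/landing [R=302,L]
RewriteRule ^index\.php$ - [L]
RewriteRule . /index.php [L]
# END WordPress
"""


def scan_htaccess(text, allowed_hosts):
    """Return (line_no, host, in_wp_block, line) per redirect to an unlisted host."""
    findings, in_wp = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if WP_BEGIN.match(line):
            in_wp = True
        elif WP_END.match(line):
            in_wp = False
        if not DIRECTIVE.match(line):
            continue  # comments, RewriteCond, etc. cannot redirect on their own
        for url in ABS_URL.findall(line):
            host = (urlsplit(url).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append((no, host, in_wp, line.strip()))
    return findings


def scan_tree(root, allowed_hosts):
    """Scan every .htaccess under root; returns {path: findings} for hits only."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report
```

A stock WordPress rewrite block contains no absolute URLs, so any finding with `in_wp_block` set to `True` is worth reviewing first.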

Conclusion

While the majority of web applications make use of redirects, bad actors also commonly use these features to generate advertising impressions or to send unsuspecting site visitors to phishing sites or other malicious web pages.

If you’re experiencing malicious redirects or other similar issues on your website and need a hand cleaning it up, let us know — we’d be happy to help.


Categories: Joomla Security, Website Security, WordPress Security

Tags: Hacked Websites

About Eugene Wozniak

Eugene Wozniak is Sucuri’s Security Analyst who joined the company in 2016. His main responsibilities include finding malware, providing efficient cleanup procedures for Sucuri’s customers, and outlining working solutions for website security. Eugene’s professional experience covers more than a decade of web hosting experience, helpdesk support and web hosting security. When Eugene isn’t working on customers’ security, you might find him creating 3-D art for games and various indie projects, or revisiting his world in Stalker Lost Alpha. Connect with him on LinkedIn.
