WordPress sites with .htaccess hacked

The TimThumb.php vulnerability is causing a lot of WordPress sites to get compromised with the superpuperdomain.com and superpuperdomain2.com remote JavaScript injection.

However, that’s not all that it is doing. On many of the sites we are analyzing, the .htaccess file is also getting modified to redirect search engine and organic traffic to some Russian domains. Here is what we’re seeing in the compromised .htaccess files:

If you are not sure what it is doing, it is basically redirecting any crawler (like Googlebot) and all your error pages to generation-internet.ru. The Russian domain is changing often and redirecting to places like http://programmpower.ru/force/index.php, powerprogramm.ru, programmengineering.ru, programmpower.ru, software-boss.ru and many others.

Here is a small list we have collected:


Sometimes outside of .ru domains:


What to do?

If you are seeing any of these redirects, we recommend that you check your .htaccess files ASAP and remove the offending code. You probably also have backdoors hidden in various directories, so you have to do a full cleanup of the whole site, update WordPress, change all the passwords, etc.
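One way to do the .htaccess check described above, as an added example that is not Sucuri's code: it walks a directory tree and flags rewrite conditions keyed on user agent or referrer, plus any redirect or error-document directive that points at a host you do not own. The function names, the sample file and the hostnames `mysite.example` and `redirect-host.example` are assumptions made for the illustration.

```python
import os
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'\]]+", re.I)
# Conditions keyed on the visitor, and directives that can send a request elsewhere.
COND_RE = re.compile(r"RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}", re.I)
REDIRECT_RE = re.compile(r"(RewriteRule|ErrorDocument|Redirect\w*)\b", re.I)

# Constructed sample (placeholder hosts): stock WordPress rules plus injected-style lines.
SAMPLE = """# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*googlebot.* [NC]
RewriteRule ^(.*)$ http://redirect-host.example/index.php [R=301,L]
ErrorDocument 404 http://redirect-host.example/index.php
Redirect 301 /old http://www.mysite.example/new
"""

def is_own(host, own_hosts):
    return any(host == o or host.endswith("." + o) for o in own_hosts)

def audit_htaccess(text, own_hosts):
    """Return (line_no, reason) findings for one .htaccess body."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if COND_RE.match(line):
            findings.append((no, "condition on user agent or referrer"))
        elif REDIRECT_RE.match(line):
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and not is_own(host, own_hosts):
                    findings.append((no, "external target " + host))
    return findings

def scan_tree(root, own_hosts):
    """Audit every .htaccess under root, including ones in subdirectories."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

Point `scan_tree` at the top of the hosting account rather than only the WordPress folder, because Apache also applies an .htaccess found in a parent directory to everything beneath it.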

If you are not sure, you can scan your site for free using Sucuri SiteCheck and if you need someone to clean it up for you and secure your sites, sign up here: http://sucuri.net/signup

Nothing new

Note that these .htaccess attacks are nothing new. We have been tracking them for years and we even did an article explaining how they work: Understanding .htaccess attacks.

It seems they are piggybacking on the latest timthumb.php vulnerabilities to increase the number of sites under their control. They also compromise outdated sites (especially WordPress, Joomla and osCommerce), so if your site is not updated, it can get hacked even if you don’t have the timthumb.php script.

27 comments
  1. currently hacked with 5 sites on Bluehost. Deleted everything in dirs of domain and still redirecting. Their customer service not very helpful..

    1. Wonder if something is going on across Bluehost. I am having the same problem, same redirects. Deleted the .htaccess files, all my themes, plugins, reinstalled WordPress. Checked the code on almost all the probable files…still can’t get rid of it.

      1. Same here, it sucks, can’t afford paying for cleanup. Same again and again, got hacked. 8 sites compromised.

        1. Same thing here. My WP-blog, hosted at Bluehost, was hacked last week. I was able to remove all the added files such as udp.php etc., and fixed the .htaccess file. However, every day after the initial hack the .htaccess file is updated with redirect code. I have changed the passwords, updated WP security keys, changed FTP password, updated timthumb.php, updated WP to 3.2.1, but the .htaccess file keeps getting updated/hacked every afternoon. I have chatted with Bluehost every night, but they are not able to fix this or tell me how to fix it. I presume they have no clue how this happens. This is very frustrating.

          1. Argh! Bluehost is my host as well and they can’t figure stuff out. They know it’s an .htaccess hack but they don’t know how it got in or where to find the stupid script that makes it keep coming back!

          2. Oh no! I’m with Bluehost and have lots of domains hosted there. I submitted a support ticket because I can’t find where the redirect code is. I hope they can find out the source!

          3. Why do we all have Bluehost accounts with this happening? Seems a little fishy that most of us have mult domains and Bluehost and we get hacked?

          4. This is not exclusive to BlueHost.  Dreamhost is being hit pretty hard right now as well.  I have nearly 100 sites that I have to go through and take care of this stuff on.

          5. Has anyone found out how to fix this? We are just doing a restore…. sucks to lose all of that information. Spent days tracking down how it is recreating all of the .htaccess files and we can’t find it out at all.

  2. Bluehost here too. Been hacked 4 times. Just one domain though. My other domains haven’t been hit. But the first day i called Bluehost and the guy said “read this”. That’s it. So unimpressed. 

    Sucks to see all of you are having the same problem. 

  3. You can add this one to your list:

    guide-securesoft.ru

    Currently hacked with all my sites on a Dreamhost server. I delete the .htaccess, but it’s back shortly after.

  4. add also these websites to the list: guide-securesoft.ru, securesoft-connection.ru, softwareid.ru, id-software.ru, softwarepromo.ru

    the hack also tries to add the following files: db_config.php, function_extra.php + some generated files to post emails.

  5. For any of you that have upgraded all your WordPress accounts, any timthumb.php files, clean up htaccess, changed permissions, changed user passwords, etc. and are STILL having problems…

    Look for a “version.php” file

    Inside you’ll see a Web Shell by oRb script

    I had to crawl through my server logs to figure this out and I’m surprised the sucuri didn’t have information on it yet, but I had to also remove these files to stop the htaccess files from getting hacked.

    Hope this helps someone

    1. Also I should mention that this vulnerability didn’t affect the native WordPress file wp-includes/version.php – it added another version.php to the themes folder, and in a couple cases right to the site root.

    2. Hi, I found a version.php in my themes “thesis/lib/functions” directory. But I do not know what a “web shell by oRb script” looks like. Any chance it’s ok that it’s there?

  6. I have some sites hosted on brazilian host Locaweb, and all the websites I have there have been hacked, even the ones that don’t use WordPress.

    I already tried to delete/change preferences of the .htaccess file, but it keeps returning to the redirections.

    Tried to contact the local support of Locaweb, but I’m still waiting for a response, for long hours…

    🙁

  7. I’m with bluehost and all 5 of my sites were hacked with the nasty .htaccess redirect file being regenerated within minutes every time after I restore my entire hosting account. Spent the whole day on with Bluehost support. They kept kicking me to the curb basically saying they can’t help me…but they did refer me to this site. Does anyone else find this suspicious? My sites are currently re-directing to http://ca-no.ru/example/status.php

  8. I also have blue host, but i never contacted support. All of my .htaccess file were changed to go to different site.  there was even one hidden in the directory of public_html.

  9. Bluehost is a dangerous place to trust our files. Bluehost is hacked and they don’t know how to solve this. – I am moving all my sites from them!!!!!!!!!!!!!!

  10. I’m having the same issue as well with Hostmonster , i deleted all the directories under public_html directory and my .htaccess is still being modified by a backdoor script and redirected to .ru malware sites .. i think i have to move to another webhosting 🙁

    1. It is likely in the .htaccess a directory up from your site. This is not uncharacteristic of this type of attack. Your host will be able to take a look at that for you.

  11. I am seeing similar redirects on GoDaddy WP sites now in WordPress 2014. In looking at the Apache logs I see that a wp cron job is running a post request and then right after, I get all these redirects to .ru sites. I see other sites also coming up with same issue by googling the log entry for the .ru sites but I haven’t found a fix. It is looking like a server side initiated cron job, but there is now no extra .htaccess files on the site. In fact, I deleted the hosting file so that I had it was completely empty and deleted but I still got the .ru redirects. I only was able to stop it by removing my domain name from the hosting account. I think GoDaddy’s servers are compromised. Anyone else seeing anything like this?
