• Hi everyone, I have just been hacked. I am a web developer, and have about 20-30 WordPress sites, all of them running 3.3.1. They all seem to have been hacked. Here’s one you can look at, if you search google for harmonyhomes.net and click on the link from Google, you will see that it goes to https://saveprefs.ru/astro/index.php first then to msn.ca. Can anyone please help me find the code? I really don’t want to have to try to restore all my sites from backups.

    Thank you all.

    Jamie

Viewing 15 replies - 46 through 60 (of 98 total)
  • @djab

    Can you tell me how to implement the cron code? Not familiar with that.

    @pkwooster

    Thanks for the plugin. It showed that only the .htaccess is being modified. I’m also starting to think that the problem is related to hosting.

    @impackt I can overwrite the .htaccess on my server. But it really makes no difference at all.

    @pkwooster Wow, these are really helpful plugins, thanks.

    @urbaanalmelo Once you overwrite it, download it immediately and see what its contents are.

    @impackt I did that over and over again. And the contents are exactly as they should be. Until the file gets replaced again an hour later.

    And I’ve changed all my passwords again and again today, so that’s not it.

    @urbaanalmelo Can you post the contents of your .htaccess here?

    Right now my .htaccess looks like this

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    Thread Starter Jamie Edwards

    (@jamieedwards)

    Same thing is happening to me. I delete the .htaccess file, and upload a fully clean one, then set the permissions to 444 and 30 minutes later it is corrupted again.

    I am thinking this is a hosting/ftp hack rather than a WP hack, I know I am repeating myself, but I have 30 or so websites, about half (15) are WP sites, the others are just static sites. Well even the static non WP sites have a .htaccess file uploaded into their root folders. It’s like if the malicious script figures out that it is a root folder by finding an index.php or index.html file, then it places a .htaccess file in the folder. I deleted all the .htaccess files, searched for every kind of odd named file, changed all my passwords, and still 30 minutes later there are new .htaccess files that have been uploaded. It has to be some kind of Apache vulnerability.

    @urbaanalmelo

    It seems as if this attack also affected 404 settings. I’m thinking that maybe my files didn’t stop changing until I added 404 directions to my .htaccess file.

    Upload the code below, check again for PHP scripts, then try your site. Also try visiting non-existent URLs to see if the 404 actually tries to work.

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    ErrorDocument 404 /down.html
    # END WordPress

    @impackt I’m not having issues with 404’s, but I added the piece of code you suggested. I don’t really see how that could be a solution, but it seems to have worked for you, so let’s wait and see.

    Thanks for the help btw.

    Thread Starter Jamie Edwards

    (@jamieedwards)

    Ok, I just got off the phone with the security team at 1and1. Here’s what they said. He did a security scan and found two shell sessions that were running. He said that he found two of my sites that had the timthumb vulnerability open. I had thought I had patched all of them months ago, but apparently there were two of my sites that I missed. He said that with this vulnerability, it allows hackers to execute shell commands with my user privileges at their heart’s content.

    He killed the two shell sessions, and set the permissions on the timthumb files to 200. So I will now go and find the files, delete them, re-upload the latest version from google code, change all my passwords again, and delete all the .htaccess files! Whew, I sure hope that works!

    I will keep everyone posted.

    @jamieedwards Hope it works out for you. “Unfortunately” I don’t have timthumb issues, so no solution in sight for me as yet.

    Thread Starter Jamie Edwards

    (@jamieedwards)

    I am finding the timthumb.php file in the root of the theme file, in this case it was /wp-content/themes/Nova/timthumb.php.

    Here is where I am getting the new timthumb.php file from. https://code.google.com/p/timthumb/

    I hope this works for all of us!

    Thread Starter Jamie Edwards

    (@jamieedwards)

    @urbaanalmelo, can you search your site and make sure you don’t have a timthumb.php file somewhere that you were unaware of? The site that it was on, I didn’t even know I had it in there. I don’t use it, but it was just part of the theme file that I used.

    LOL, maybe my guardian angel fixed mine for me. I find it extremely weird that my solution didn’t work for anyone else.
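
The two checks discussed in this thread (finding every dropped or rewritten .htaccess, and finding forgotten timthumb.php copies inside themes) can be run in one pass over a web root. The script below is an added example, not code posted by anyone in the thread; the matching heuristics, the `thumb.php` file name and the `INJECTED` sample with its placeholder host are assumptions constructed for illustration.

```python
import os
import re

# Heuristics below are assumptions for this example, not signatures from the thread.
REFERER_COND = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}', re.I)
EXTERNAL = re.compile(
    r'^\s*(RewriteRule|ErrorDocument|Redirect\w*)\b.*?(https?://[^\s"\']+)', re.I)
TIMTHUMB_NAMES = {'timthumb.php', 'thumb.php'}  # thumb.php: assumed common rename

# Constructed sample of an injected file; the host is a placeholder.
INJECTED = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/ [R=302,L]
"""

def audit_htaccess(text):
    """Return (line_no, reason) findings for the body of one .htaccess file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith('#'):
            continue  # ignore comments such as "# BEGIN WordPress"
        if REFERER_COND.search(line):
            findings.append((no, 'rule depends on the Referer header'))
        match = EXTERNAL.search(line)
        if match:
            findings.append((no, 'external target ' + match.group(2)))
    return findings

def scan_tree(root):
    """Walk root; collect flagged .htaccess files and every TimThumb copy."""
    report = {'htaccess': {}, 'timthumb': []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == '.htaccess':
                with open(path, errors='replace') as fh:
                    hits = audit_htaccess(fh.read())
                if hits:
                    report['htaccess'][path] = hits
            elif name.lower() in TIMTHUMB_NAMES:
                report['timthumb'].append(path)
    return report

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:   # e.g. python scan.py /path/to/webroot
        print(scan_tree(sys.argv[1]))
    else:
        print(audit_htaccess(INJECTED))
```

Run from cron against the account's web root, the same report shows when a cleaned .htaccess has been replaced again; the stock WordPress block quoted above produces no findings.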

  • The topic ‘3.3.1 Hacked by saveprefs.ru redirect’ is closed to new replies.