security: .htaccess exploit? php script inside? how?

  • I didn’t know where to post this. I’m surprised with what happen at my host server! Yesterday I couldn’t open my wordpress site:

    500 Internal Server Error

    As I was investigating the logs I noticed something very strange at a line saying some type of error at the .htaccess. Then when I go and open the .htaccess file there is a 3000 line php script. These are the top lines:

    <?php
    //FaTaLisTiCz_Fx c99Shell v1 03.2008
    //Re-coded and modified By FaTaLisTiCz_Fx #[email protected]

    $sh_id = “RmFUYUxpc1RpQ3pfRnggYzk5U2hlbGwgdg==”;
    $sh_ver = “1.1 03.2008”;
    $sh_name = base64_decode($sh_id).$sh_ver;
    $html_start = ”.
    ‘<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.0 Transitional//EN”>
    <html>
    <head>
    <meta http-equiv=”Content-Type” content=”text/html; charset=windows-1251″>
    <meta http-equiv=”Content-Language”
    content=”en-us”><title>’.getenv(“HTTP_HOST”).’ – ‘.$sh_name.'</title>

    My security skills are limited, has anyone seen this before? In google I found this guy from romania because at some of the lines there is his/her website which downloads some file to my server. So, should I delete wordpress and re-install it again? I have a backup. thanks

Viewing 4 replies - 1 through 4 (of 4 total)

  • thats a root shell. What are the permissions of your .htaccess? Ill bet they are NOT 644. I’ll bet that you chmod’d your .htaccess to something looser to allow WP to write to it (permalinks) and then you never chmod’d it back.

    To answer some of your questions re: what to do now..

    If I were you, I would be combing over my files and my database with a fine toothed comb, after, and only after, I changed all of my passwords. And I do mean all.

    Thread Starter cocotu

    (@cocotu)

    yes that was my mistake I had .htaccess 777! I’m going to remove everything!

    And do please notify your web host, especially if you are in a shared hosting environment. It may be that they got in through your account, but it could be they got in through someone else’s hosting account. The shared server is only as secure as the most lax person using it unfortunately.

    Look at the date and time stamps on the files and make note of them. Download them to your computer and zip them up and send them to your web host. (I know my web host likes to get the involved files when there’s been a breach.)

    Hope you sort it all out.

    Thread Starter cocotu

    (@cocotu)

    I working on it! thanks

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘security: .htaccess exploit? php script inside? how?’ is closed to new replies.