Categories Photography Résumé About Me


27 Dec 2011


So, somehow someone was able to gain enough access to my hosting system that they were able to change read-only .htaccess files in my account. I'm not sure if that was something caused by elevated permissions on my shared server or if someone was able to exploit my content management system. (WordPress) It seems like it make have been the latter as the "infection" ceased when I upgraded WordPress and deleted the cache. It is possible the infection could have been via an exploit in the caching subsystem. I'll have to look into it further some other time. See update below.

This is what the "infection" looks like. The malicious code prepends and appends some stuff to your .htaccess files in all folders in the user's home dir where an .htaccess already exists. It does not seem to attempt to create new .htaccess files. The code prepended to the files is as follows.

RewriteEngine On

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)

RewriteRule ^(.*)$ [R=301,L]

RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)

RewriteRule ^(.*)$ [R=301,L]

There are a lot of empty lines and white space which have been omitted from this text. The following is appended to existing .htaccess files.

ErrorDocument 400
ErrorDocument 401
ErrorDocument 403
ErrorDocument 404
ErrorDocument 500

The code it adds hijacks any requests that have been referred by a search engine and many common error responses. Although, the method used for replacing error documents is actually ignored by most Apache installations as it is invalid. It is important that you remove the infection immediately once detected. The process I used to remove the infection was to delete the .htaccess file for the time being. Then I upgraded WordPress to the latest version by downloading the latest code. You should update all software on your website if you happen to be hit by this exploit. If you can, remove TinyMCE altogether.


Then I extracted the code files from the archive.

tar -xzf latest.tar.gz

Then copied the files into my WordPress directory.

cp wordpress/. ~/path/to/wordpress/

I then went into the plugins section of the admin panel. I found my caching plugin and cleared the cache. Then I re-created my .htaccess file. (Update: Though as it turns out, this wasn't necessary.)

        RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?/$1 [L]

# compress all text & html
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css

# Disable FileETags
FileETag none

Options -Indexes SymLinksIfOwnerMatch ExecCGI

You're welcome to use my .htaccess file if you wish.

Update @ 5:19pm EST:

I have tracked the issue down to an aged installation of ZenPhoto. There was an unprotected upload script included in one of the default installed plugins. Specifically tiny_mce was included and it had an ajax upload handler script which from the looks of things was able to be used to upload a malicious script file. Suspicious files appeared here: zp-core/plugins/tiny_mce/plugins/ajaxuploader/

Filed under

comments powered by Disqus