tags:

views:

81

answers:

3
Q: 

Security issue with wordpress website - htaccess

Now I didn't do the website design but a couple of months ago I ported an existing website over to wordpress for a client of mine.

I got a call from a client today regarding their website, and some sort of a security problem.

The websites homepage loads up fine, but if you try to navigate to any other page it brings you to - http://secure.wheelerairservice.com/main.php.

The nav appears to still be linking to the appropriate page (when you rollover contact us, the link displays in the status bar as /contact-us) but it redirects to the above url.

Just wondering if anyone knows what the problem is, and who or what might have done this and how.

Any suggestions on how I could fix this?

thanks!

Ok I've looking into the problem some more and found that the .htaccess file had been replaced somehow. I'm just wondering how someone might have done this? via ftp access, wordpess admin account or some hole in wordpress, any thoughts?

A: 

If FTP has been used to access/modify the files in this wordpress site, then it could be more than possible that someone has got the username and password for FTP access and modified your .htaccess file. FTP is not secure at all. I would suggest using SFTP as a minimum.

Wordpress is not perfect (not many things are) but i highly doubt there would be a flaw like this, is possible but i very much doubt it.

I suggest you first, change your FTP username/password, upgrade wordpress to the latest version, change the default admin username to something else and change the password for the administrator user, ensuring that all passwords are at least 8-10 characters in length

Harry  2010-08-04 17:13:19
A: 

Change your passwords. See Hardening WordPress « WordPress Codex and FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation

songdogtech  2010-08-04 17:28:03
my work computer did have a virus about 2 weeks ago and wouldn't even start up... I ended up doing a restore. Do you think its likely the virus got a hold of the password.
Adam  2010-08-04 17:45:08
Could have been a keylogger. That's one vector I've seen and could happen with any type of website, really.
songdogtech  2010-08-04 17:53:42
Thanks for the help.
Adam  2010-08-04 19:08:58
+1  A: 

Typically when it's the .htaccess files that have been infected, it's usually the result of stolen (compromised) FTP credentials.

This usually happens by a virus on a PC that has FTP access to the infected website. The virus works in a variety of ways, but usually one of two.

First, the virus knows where the free FTP programs stores it's saved login credentials. For instance with FileZilla on a Windows XP PC, look in:

C:\Documents and Settings(current user)\Application Data\FileZilla\sitemanager.xml

in there you'll find, in plain text, all the websites, usernames and passwords that user has used FileZilla to access via FTP.

The virus finds these files, reads the information and sends it to a server which then uses them to login to the website(s) with valid credentials, downloads specific files, in this case the .htacces files, infects them and then uploads back to the website. Often times we've see where the server will also copy backdoors (shell scripts) to the website as well. This gives the hacker remote access to the website even after the FTP passwords have been changed.

Second, the virus works by sniffing the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see and steal the login information that way as well.

  1. Change all FTP passwords immediately
  2. Remove the the infection from the .htaccess files
  3. Perform a full virus scan on all PCs used to FTP files to the infected website
  4. If the website has been listed as suspicious by Google, request a review from Google's webmaster tools.

If the hosting provider supports it, switch to SFTP which encrypts the traffic making it more difficult to sniff.

Also, look at all files for anything that doesn't belong there. It's difficult to find backdoors, because there's so many different ones. You can't go by the datetime stamp either because these backdoors modify the datetime stamp of files. We've seen infected files with the exact same datetime as other files in the same folder. Sometimes the hackers will set the datetime stamp to some random earlier date.

You can search files for the following strings:

  • base64_decode
  • exec
  • fopen
  • fsock
  • passthru (for .php files)
  • socket

These are somewhat common strings in backdoors.

WeWatchYourWebsite  2010-08-04 22:19:59

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security