You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.
Malicious redirects
Attackers can setup redirects on the .htaccess files that will redirect visitors based on specific conditions. The final destination can be a website containing other malicious content, spam, phishing campains, or other types of scam.
Those redirects will rely on the function RewriteRule and will sometimes be preceeded by the conditions set by RewriteCond, just as a default .htaccess file would do. This can make spotting those bad codes hard for users that aren’t familiar with the website’s configuration.
Examples of this type of malware are (URLs were invalid):
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^http://[w.]*([^/]+)
RewriteCond %{HTTP_HOST}/%1 !^[w.]*([^/]+)/$ [NC]
RewriteRule ^.*$ hxxp://celeirodoalgarvio[.]com/azzf.html?h=717013 [L,R]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^([A-Za-z0-9-]+).txt$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
RewriteRule ^([A-Za-z0-9-]+).htm$ hxxps://getyourprizenow[.]life/?u=y2ykaew&o=2xup89r&m=1&t=m2rdhta [L]
</IfModule>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} "iPhone|android"[NC]
RewriteRule ^(.*)$ hxxp://176[.]102[.]34[.]137/safezone [L,R=302]
SEO spam
Very similar to the malicious redirects case, this bad code will target search engines instead of the end user, redirecting their crawling attempts to malicious pages written to boost other websites, usually related to scams.
In the condition you’ll find it looking for the search engines on referrers and user-agents, as in the following example:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ default.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [NC,OR]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
RewriteCond %{HTTP_REFERER} (yahoo|bing|google|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
RewriteCond %{HTTP_USER_AGENT} (bing|google|yahoo|msn|aol) [OR,NC]
RewriteCond %{HTTP_REFERER} (bing|google|yahoo|msn|aol)
RewriteRule ^(.*)$ inc.php [L,QSA]
Allowing bad code
Sometimes the attacker wants to make sure to protect the malicious file they uploaded to the site from competitors or other people poking around. Or they want to make sure that their malicious file will be opened by overriding the parent directory configuration.
For those cases a FilesMatch condition will be created and specific files or extensions will be listed, as in the example below:
<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php)$">
Order allow,deny
Allow from all
</FilesMatch>
What to do if my site was infected?
If you find the .htaccess file on your website was compromised the first thing you should do is to restore it to a working version, which will preserve your site’s permalinks and redirects. Please refer again to How to Access and Edit the Default WordPress .htaccess File. And then follow these steps:
- Change all admin user’s passwords and make sure you’re using multi-factor authentication.
- Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
- Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
- Reinstall all your plugins since they may have been compromised.
- Review your theme for added or changed files that weren’t added or changed with your consent.
- Reinstall WordPress core files.
At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.