A common .htaccess hack

We see this problem a fair bit, both on new hack repair clients’ sites and in discussions on places like Facebook. So I figured I’d give a quick tutorial on how to identify and fix the problem.

The Symptom

When you look up your site on a search engine, you find your web address associated with a list of sites which are definitely not yours.

The Exploit

This is often caused by a hacker getting into your site and making changes to a special hidden file in the root level of your site named .htaccess.

The .htaccess file can be used for a lot of things – blocking specific IP addresses or series of IP addresses, preventing directory listings, preventing hotlinking… and of course, redirecting traffic.

The hacker script inserts a few lines which redirect all traffic arriving from the big search engines to other sites.

Immediate Solution

Log in to your web host’s cPanel or similar, and go to File Manager. (These steps can also be done via FTP if you have an account.) Go to the root level of your WordPress installation. You should see your .htaccess file – if not, make sure that you have the ability to see hidden files (you may have to chat with your web host).

Open the .htaccess file and look for three lines similar to these:

RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ antiquate-cashers.php?$1 [L]

The first two lines basically say “If anyone comes to your site from any of these major search engines…” and the third line says “Go to this page”. The file name in that third line is automatically generated by the hack script, and, like the one above, typically has a nonsense name.

When you go look at that page, it’s going to be 100% hacker code.

Delete those three lines from your .htaccess file, or put a # at the beginning of each line, which indicates that it’s a comment, not to be acted upon. Save .htaccess.

Check the creation date on that nonsense-named file. Chances are that there are a bunch of files strewn about your site structure which were created on the same date and contain similar looking hacker code. Delete them all. Consider uploading fresh, clean copies of WordPress, all your plugins, and your themes, as that ensures you didn’t miss any in those parts of your site. That will take care of most of the offending files, but you’ll also have to look around in other parts of your wp-content folder, such as uploads.

If you don’t get them all AND remove the security hole they got through in order to hack you in the first place, then the problem will just come back later.
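The check and cleanup described above can also be scripted so that nothing is missed. The following is an added example, not code from the original post or from ProtectYourWP.com: it scans a .htaccess for RewriteCond/RewriteRule groups that key on search-engine user agents or referers, reports the script they redirect to, comments those lines out, and lists other files in the site tree last modified on the same day as the redirect target. The sample .htaccess is constructed for illustration; the target name antiquate-cashers.php is the one quoted in the post, and the function names are my own.

```python
"""Added example (not from the original post): find and neutralise the
search-engine redirect hack in a WordPress .htaccess, then look for other
files touched on the same day as the redirect target."""
import os
import re
from datetime import date
from pathlib import Path

# Engines the quoted rule matches on; extend if a variant names others.
SEARCH_ENGINES = re.compile(r"(google|yahoo|msn|aol|bing)", re.I)
# The two request headers the injected conditions test.
CLIENT_HEADERS = re.compile(r"%\{HTTP_(USER_AGENT|REFERER)\}")

# Constructed sample: two normal WordPress lines, the injected block, then
# another normal line. Line numbers are 1-based as an editor would show them.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ antiquate-cashers.php?$1 [L]
RewriteRule ^index\\.php$ - [L]
"""


def find_search_engine_redirects(text):
    """Return [(line_no, line)] for every RewriteCond that tests the
    User-Agent or Referer against search-engine names, plus the RewriteRule
    those conditions feed. mod_rewrite applies RewriteCond lines only to
    the RewriteRule that immediately follows, so any other directive
    closes the group."""
    findings, pending = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or already commented out
        if line.startswith("RewriteCond"):
            if CLIENT_HEADERS.search(line) and SEARCH_ENGINES.search(line):
                pending.append((no, line))
        elif line.startswith("RewriteRule"):
            if pending:  # rule is the destination of flagged conditions
                findings.extend(pending)
                findings.append((no, line))
            pending = []
        else:
            pending = []
    return findings


def redirect_targets(findings):
    """Extract the script each flagged RewriteRule sends traffic to (the
    nonsense-named file), with any query string removed."""
    targets = []
    for _, line in findings:
        if line.startswith("RewriteRule"):
            parts = line.split()
            if len(parts) >= 3:
                targets.append(parts[2].split("?")[0])
    return targets


def comment_out(text, findings):
    """Return the .htaccess text with each flagged line prefixed by '# ',
    the 'comment it out' option from the post."""
    flagged = {no for no, _ in findings}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        out.append("# " + raw if no in flagged else raw)
    return "\n".join(out) + "\n"


def files_modified_same_day(root, reference):
    """List files under root whose last-modification day matches that of
    reference. Most Linux hosts expose mtime rather than a true creation
    time, so this is the nearest equivalent of the post's creation-date
    check; every hit still needs a manual look before deletion."""
    root, reference = Path(root), Path(reference)
    day = date.fromtimestamp(reference.stat().st_mtime)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path != reference:
            if date.fromtimestamp(path.stat().st_mtime) == day:
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


if __name__ == "__main__":
    hits = find_search_engine_redirects(SAMPLE_HTACCESS)
    for no, line in hits:
        print(f"line {no}: {line}")
    print("redirect target(s):", redirect_targets(hits))
    print(comment_out(SAMPLE_HTACCESS, hits))
```

Run it from the WordPress root with the real file contents in place of the sample and feed the reported target to files_modified_same_day(".", target) to get the list of same-day files to inspect. Commenting out rather than deleting keeps the evidence of what was injected until the entry point has been found.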

Long term solution

The long term solution of course is to sign up here and we’ll do our best to keep your site from getting hacked in the first place! We’re also available to do hack repairs on your site if you’re in need. Contact us any time.

An old, highly exploitable DoS attack makes a comeback

A six-year-old DoS vulnerability affecting WordPress and Drupal made an appearance on a list of top 10 network attacks by volume in Q2. This vulnerability is particularly severe because it affects every unpatched Drupal and WordPress installation and creates DoS scenarios in which bad actors can cause CPU and memory exhaustion on underlying hardware.

Despite the high volume of these attacks, they were hyper-focused on a few dozen networks primarily in Germany. Since DoS scenarios require sustained traffic to victim networks, this means there’s a strong likelihood that attackers were selecting their targets intentionally.

Source: https://www.helpnetsecurity.com/2020/09/25/malware-detections-q2-2020/

Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin

The Wordfence team found this set of vulnerabilities in mid August and initially reached out to the plugin’s team on August 17, 2020, providing full disclosure details on August 18, 2020. The plugin’s team quickly released an initial patch on August 19, 2020 to resolve the most severe problem, and they released an additional patch on September 8, 2020 to resolve the remaining issues.

This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you haven’t already updated, we highly recommend updating to the fully patched version, 4.2.153, immediately.

No clients of ProtectYourWP.com are affected by this vulnerability.

How to Keep Your Stuff Safe While You’re at College (or anywhere, really)

There’s a well written article by iFixIt.com aimed at college students, but really it’s applicable to everyone who ever does anything in a public space. Granted, that’s not happening as much with COVID-19 precautions, but these suggestions should be part of your regular routine anyway.

Of particular note is the section on USB chargers and thumb drives. Many are not aware of the potential dangers, and some good tips are given on how to protect yourself.

See the article at https://www.ifixit.com/News/43770/how-to-keep-your-stuff-safe-while-youre-at-college

Why do we back up?

A perfect example from my security focused Twitter feed today:

well <expletive> my server colocation facility just burned down

“halon is great for when equipment is on fire, but not as useful when the whole entire west coast is on fire”

This of course is during the raging wildfires on the US west coast.

Frequent offsite backups are also a critical method of fighting ransomware attacks.

FYI, we keep backup copies of all sites in several locations, using several different backup methods.

Google Chrome Bug Could Let Hackers Bypass CSP Protection; Update Web Browsers

If you haven’t recently updated your Chrome, Opera, or Edge web browser to the latest available version, it would be an excellent idea to do so as quickly as possible.

Cybersecurity researchers on Monday disclosed details about a zero-day flaw in Chromium-based web browsers for Windows, Mac and Android that could have allowed attackers to entirely bypass Content Security Policy (CSP) rules since Chrome 73.

Full article: https://thehackernews.com/2020/08/chrome-csp-bypass.html

Microsoft Defender can ironically be used to download malware

A recent update to Windows 10’s Microsoft Defender antivirus solution ironically allows it to download malware and other files to a Windows computer.

In a recent Microsoft Defender update, the command-line MpCmdRun.exe tool has been updated to include the ability to download files from a remote location, which could be abused by attackers.

With this new feature, Microsoft Defender is now part of the long list of Windows programs that can be abused by local attackers.

Full story at https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-ironically-be-used-to-download-malware/

TeamViewer fixes bug that lets attackers access your PC

TeamViewer, the popular remote access and troubleshooting app, has patched a vulnerability that could let attackers quietly establish a connection to your computer and further exploit the system.

When successfully exploited, this bug would let an unauthenticated, remote actor execute code on your Windows PC, or obtain password hashes (e.g., for cracking via brute-force).

Full article: https://www.bleepingcomputer.com/news/security/teamviewer-fixes-bug-that-lets-attackers-access-your-pc/

Work From Home Alert: Critical Bug Found in Old D-Link Router Models

Researchers find six bugs in consumer D-Link DIR-865L Wireless AC 1750 Dual Band Cloud Router.

D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack.

The routers, first introduced in 2013, reached end-of-life support in Feb. 2016. In Aug. 2018, D-Link released a patch (1.20B01 beta) to address multiple security bugs. On Friday, Palo Alto Networks’ Unit 42 researchers publicly disclosed six additional bugs – one rated critical and five rated high severity.

“The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use,” researchers wrote. “The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.”

Full article: https://threatpost.com/work-from-home-alert-critical-d-link-bug/156573/