I’ve been working with a client on a performance tuning project, and it turned out that the slowdown was caused by a hack. This is the first time I have seen this technique, so I thought I would document it for the wider WordPress community.
The hack has two parts: a PHP directive hidden in .htaccess, and a base64 encoded file that holds the payload.
.htaccess
The hacker added hundreds of blank lines and spaces at the bottom of .htaccess and then buried a directive below them, so a casual look at the file won’t show the code. At the very bottom of the file I found:
php_value auto_append_file /var/www/html/{SITEDETALSREMOVED}/wp/Thumbs.db
This directive tells PHP (via mod_php, which reads php_value settings from .htaccess) to include the file Thumbs.db at the end of every PHP script it runs. This means that a little piece of code is added to each web page served up.
Thumbs.db
Thumbs.db is normally a Windows thumbnail cache file that often ends up on servers by accident; I have uploaded one myself a number of times, so it looks like an unneeded but harmless file. In the case of this site, it held a base64 encoded malware payload.
CODE DELETED BECAUSE MY MALWARE SCANNER KEEPS THINKING I HAVE BEEN HACKED 🙂
So this malware was being loaded onto each page as an additional footer.
Check Your Site Now
If you are seeing a performance hit, please check the bottom of your .htaccess for this directive, and remove both the directive and the file it points to.
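A small scanner for the directive described above, added here as an example and not part of the original post. It reads .htaccess text, reports any php_value/php_flag auto_append_file or auto_prepend_file line, and counts the blank lines padding it so a directive buried far below the real configuration stands out; the sample .htaccess and its site path are constructed placeholders.

```python
import re

# mod_php directives that make PHP include an extra file on every request.
# auto_append_file is the one used in the hack above; auto_prepend_file is
# the same trick at the start of the script, so it is checked as well.
DIRECTIVE_RE = re.compile(
    r"^\s*php_(?:value|flag)\s+(auto_(?:append|prepend)_file)\s+(\S+)",
    re.IGNORECASE,
)


def find_hidden_php_directives(htaccess_text):
    """Return one finding per auto_append/auto_prepend directive.

    Each finding records the 1-based line number, the directive name, the
    file it points to, and how many blank (or whitespace-only) lines sit
    directly above it, which is the padding trick the post describes."""
    findings = []
    blank_run = 0
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.strip() == "":
            blank_run += 1
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            findings.append({
                "line": line_no,
                "directive": match.group(1).lower(),
                "target": match.group(2),
                "blank_lines_before": blank_run,
            })
        blank_run = 0
    return findings


# Constructed sample: a normal WordPress block, 300 lines of padding, then the
# directive from the post. EXAMPLE-SITE is a placeholder, not a real path.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteRule . /index.php [L]\n"
    "# END WordPress\n"
    + "\n" * 300
    + "php_value auto_append_file /var/www/html/EXAMPLE-SITE/wp/Thumbs.db\n"
)

if __name__ == "__main__":
    for f in find_hidden_php_directives(SAMPLE_HTACCESS):
        print(f"line {f['line']}: {f['directive']} -> {f['target']} "
              f"({f['blank_lines_before']} blank lines above)")
```

Run it against each .htaccess in the web root (WordPress sites often have more than one); under PHP-FPM the same setting can also live in a .user.ini file, which this scanner does not read.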
3 thoughts on “New Type Of Hack”
Thanks for the tip on this WPDude. I’m using some WP security plug-ins and they suggest certain permissions on .htaccess but I can’t use the more restrictive ones as they cut off the ability for certain other plugins to work with the file. Going to go check now to see if this hack snuck in.
I’ve had this hack issue with my website for 4-5 months now and it’s recurring every couple of weeks. Simply removing the append line from htaccess and thumbs.db temporarily fixes the problem but trying to find the source is very difficult. I’ve been going through the code page by page on my site as time permits and logs/searches for modified files every time it hits but have still to find the source or a permanent solution. Let me know if you have any more luck.
I found this on one of my client’s site. I’ve removed everything manually, but if Chris is right… Then this will be a big pain. Has anyone found a solution?