
I am facing an issue with my WordPress websites.
The .htaccess file is frequently being updated with the following deny code:

<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.php|jsdindex.php|wp-login.php|load.php|template-load.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

But the default .htaccess code is:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

Even if I change it back to the default code, after some time it is updated again with the deny code. And this .htaccess file is getting updated in all the folders.

This is happening with all websites which are hosted on the same multi-domain hosting plan.
This deny code is resulting in a broken dashboard, and other issues, such as modifications being prevented, are arising.

3 Answers


  1. That is PHP Execution Security Policy. Check the settings in your security plugin.

  2. That appears to be malware adding the .htaccess entry with the following code under the root and wp-admin folders. Further, it’s also updating the index.php file. So, I checked the processes using htop. You will find a process that keeps running, pointing php at a file in your website directory; in my case, it was pointing to the lock666.php file in root. It turned out the file was missing. But somehow the code was in server memory and being executed every time I updated the .htaccess file above.

    Hope, this helps.

  3. I think you have a cron job that has been downloading the webshells; I have observed this behaviour since the beginning of August.

    Are you using cPanel to host your website? If so, go check your cron jobs for a task that has a wget request to the domain hello.turnedpro.xyz. There is a bash script that is downloaded and executed to download the webshell from the domain, and that’s why it keeps coming back after you delete it.

    Let me know how it goes.

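A read-only triage sketch for the three symptoms reported in this thread: the injected allowlist block in .htaccess, the cron-based re-download from answer 3, and the PHP process whose script is gone from disk from answer 2. It is an added example, not code from any poster; the function names are hypothetical and the input formats are assumptions stated in the comments.

```shell
#!/bin/sh
# Added triage sketch for the symptoms in this thread; not from the original posts.
# Function names are illustrative. Nothing here modifies or deletes files.

# 1) Print .htaccess files under $1 that contain a <FilesMatch> block which
#    allowlists named .php files ("Allow from all"), the shape of the
#    injected block shown in the question.
find_injected_htaccess() {
    find "$1" -type f -name .htaccess -exec awk '
        /<FilesMatch/ && /[.]php[|]/ { inblk = 1 }
        inblk && /Allow from all/    { print FILENAME; exit }
        /<\/FilesMatch>/             { inblk = 0 }
    ' {} \;
}

# 2) Print non-comment crontab lines (read from stdin) that invoke wget or
#    curl, the re-infection path answer 3 describes.
#    Typical input: the output of `crontab -l` for each hosting user.
flag_cron_downloads() {
    grep -vE '^[[:space:]]*#' |
        grep -E '(^|[^[:alnum:]_])(wget|curl)([^[:alnum:]_]|$)' || true
}

# 3) Print "PID path" for PHP processes whose script no longer exists on
#    disk, the situation answer 2 saw in htop.
#    Assumed input on stdin: `ps -eo pid=,args=` output where the script is
#    the first argument, e.g. "1234 php /home/user/public_html/x.php".
flag_orphan_php() {
    while read -r pid cmd script rest; do
        case "$cmd" in *php*) ;; *) continue ;; esac
        case "$script" in /*.php) ;; *) continue ;; esac
        [ -e "$script" ] || printf '%s %s\n' "$pid" "$script"
    done
}
```

Run the three checks before cleaning up: restoring .htaccess while the cron entry or the running process is still present only reproduces the behaviour described in the question.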