I am Hack Sparrow
Captain of the Internets.

WordPress hacked – getting forwarded to distributioncorporate.ru – Solution

Your WordPress website is getting redirected to distributioncorporate.ru

So you just noticed, or got told, that your website is redirecting its users to distributioncorporate.ru. You are not alone; it is a new hack that has been hitting lots of WordPress users lately. The vulnerability lies in outdated versions of the popular TimThumb library. If you got hacked, you have a plugin or theme which ships an outdated TimThumb lib.

Instructions to fix the Hack

Disclaimer: follow these instructions at your own risk. Back up your files before replacing / editing them.

  1. Change the file permission (chmod) of .htaccess to 644. Create a new .htaccess and overwrite the one on your server with it.
  2. Get the latest version of TimThumb and replace every existing copy with it, whether it lives in a plugin, a theme, or anywhere else. Log in to your shell account and do this:

    $ find /home/accountname/website/ -name "thumb.php"
    $ find /home/accountname/website/ -name "timthumb.php"

    If you find any, replace them with the latest version. A file named thumb.php could be something else entirely, so confirm it really is TimThumb before replacing it.

  3. Delete these files:
    /wp-content/uploads/_wp_cache.php
    /wp-content/uploads/sm3.php

Analysis of the Hack

The cause of the hack seems to be an outdated TimThumb version on your server. It can be found in a theme or plugin as either timthumb.php or thumb.php. In the case I analyzed, TimThumb was found in The Morning After theme, WordPress Popular Posts, and WP Mobile Detector. The Morning After theme was the active theme, so I just got the latest version of TimThumb and replaced it with that. Replaced timthumb.php for WordPress Popular Posts too. WP Mobile Detector was an inactive plugin, so I just deleted it.

The hack edits the WordPress .htaccess and adds rules that redirect all traffic arriving from a long list of referring websites to http://distributioncorporate.ru/kloac/index.php. It uses a 301 redirect (permanent redirection), which can leave a seriously negative impression on visitors and hurt your SEO. It also reconfigures your website to forward to http://distributioncorporate.ru/kloac/index.php for all kinds of errors and statuses (404, 500 etc.) on your website.

If you open .htaccess and take a look at it, you will most likely see nothing odd in there. But look at its file size: it is now more than 5 KB, when it should have been only about 500 bytes. Look at the file again, see that scrollbar? Scroll down to find the additional code added by the hack.

If you just edit the .htaccess file and try uploading it, the upload will fail. That's because the hack has chmodded .htaccess to 444, which means you can only open it now, not edit or delete it. Fortunately fixing that is pretty straightforward: just chmod it back to 644. If you are using an FTP client you will find the option under "File permissions" or something named like that.
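The three .htaccess checks described above (the 444 mode, the inflated size, and the injected redirect and ErrorDocument rules) plus the repair from step 1, as an added example script that is not the post's own. It constructs a stand-in tampered .htaccess in a temp directory so it runs offline: the stock WordPress block is the default one the author quotes in the comments, the redirect target and the 404/500 ErrorDocument lines follow the description above, and the referrer host names are placeholders I made up, not the real list.

```shell
#!/bin/sh
# Added example, not part of the original post: inspect a WordPress .htaccess
# for the tampering described above, then repair it the way step 1 says.

# The default .htaccess WordPress writes (the block quoted in the comments).
WP_DEFAULT='# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress'

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Non-blank lines outside the "# BEGIN WordPress" ... "# END WordPress" block.
# A stock WordPress .htaccess prints nothing; the hack's tail shows up here.
htaccess_extra() {
    awk '/^# BEGIN WordPress/ {inblock=1}
         inblock == 0 && NF > 0 {print}
         /^# END WordPress/ {inblock=0}' "$1"
}

# Number of lines matching the indicators the post describes: the known
# redirect target, a permanent (301) rewrite, ErrorDocument pointing at a
# URL, or a referrer-based RewriteCond. The last one is also used by
# legitimate hotlink protection, so treat hits as lines to review.
htaccess_indicators() {
    grep -c -E 'distributioncorporate\.ru|R=301|^ErrorDocument +[0-9]+ +https?://|^RewriteCond +%\{HTTP_REFERER\}' "$1" || true
}

# Repair as step 1 instructs: chmod back to 644, then overwrite with the stock block.
restore_htaccess() {
    chmod 644 "$1" && printf '%s\n' "$WP_DEFAULT" > "$1"
}

# One-screen summary of a single .htaccess.
htaccess_report() {
    printf 'file: %s\n' "$1"
    printf '  mode: %s (should be 644; the hack sets 444)\n' "$(file_mode "$1")"
    printf '  size: %s bytes (stock block is a few hundred, hacked file was over 5 KB)\n' "$(wc -c < "$1" | tr -d ' ')"
    printf '  indicator lines: %s\n' "$(htaccess_indicators "$1")"
    printf '  lines outside the WordPress block:\n'
    htaccess_extra "$1" | sed 's/^/    /'
}

# --- constructed fixture: a clean file and a tampered one ---
FIXTURE=$(mktemp -d)
trap 'rm -rf "$FIXTURE"' EXIT
printf '%s\n' "$WP_DEFAULT" > "$FIXTURE/clean.htaccess"
{
    printf '%s\n' "$WP_DEFAULT"
    # Stand-in for the injected tail; the referrer names are placeholders.
    cat <<'EOF'
RewriteCond %{HTTP_REFERER} ^.*(placeholder-search-a|placeholder-search-b)\.example.*$ [NC]
RewriteRule ^.*$ http://distributioncorporate.ru/kloac/index.php [R=301,L]
ErrorDocument 404 http://distributioncorporate.ru/kloac/index.php
ErrorDocument 500 http://distributioncorporate.ru/kloac/index.php
EOF
} > "$FIXTURE/hacked.htaccess"
chmod 444 "$FIXTURE/hacked.htaccess"

htaccess_report "$FIXTURE/clean.htaccess"
htaccess_report "$FIXTURE/hacked.htaccess"

# Repair a copy of the tampered file and show it is back to the stock block.
cp "$FIXTURE/hacked.htaccess" "$FIXTURE/repaired.htaccess"
chmod 444 "$FIXTURE/repaired.htaccess"
restore_htaccess "$FIXTURE/repaired.htaccess"
htaccess_report "$FIXTURE/repaired.htaccess"
```

Against a real install, run `htaccess_report /path/to/site/.htaccess` first and read the "lines outside the WordPress block" section before calling `restore_htaccess`, since a site with its own legitimate rules (caching plugins, hotlink protection) will also show lines there that you want to keep.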

It also drops two files in the /wp-content/uploads directory: _wp_cache.php and sm3.php. There are also reports of finding wp.php and sm3.php in the current theme directory. I really didn't care to study them in detail, most probably they were backdoors or resurrectors. Just delete them!

If you have followed the instructions above, you should be safe - for now.

9 Responses to “WordPress hacked – getting forwarded to distributioncorporate.ru – Solution”

  1. Terry of Astoria on August 28th, 2011 at 10:58 pm

    Thanks for posting the suggestions.
    I followed your directions pretty much to the letter.
    Luckily, I had an example .htaccess file to copy from another domain we host next door to this one. Thing is, I think it was pretty much an empty file.
    li (laughing inside)
    Thanks so much. My partner’s hard drive had failed losing our only (duh!) backup so if I couldn’t have repaired it, then I would have had to rebuild it! AAURGH!
    So far it seems to be fixed!
    –I’ll be watching your blog for any further developments.


  2. Hey Terry, glad you found the post useful. The .htaccess file should not be empty, if you are talking about a WordPress site. You should see something like this:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    That’s the default.


  3. Thanks sooooo much for this information. I thought I was going to have to start from scratch, especially since I didn't get help from my hosting service. Everything you said to do worked .. Thank Youuuu!!!!!!!!


  4. I am happy for you, sail on!


  5. Thanks so much! Should we leave the .htaccess file chmodded to 644, or change it back to 444?


  6. @Will, 644 looks good.


  7. Thank you thank you thank you.. Just started seeing this, except it is now redirecting to: http://placecollocation.ru/ . This also affects Drupal installs with outdated TimThumb.


  8. @Ryan, thanks for the update. Everyone should update TimThumb everywhere.


  9. Hi All,

    After 3 days, I found the way to clear the malware and the continuous .htaccess hacks.

    This .htaccess is really dangerous malware. I can consult for any website which got malware or an .htaccess redirection.

    I can assure you, I can clear this .htaccess redirection in 48 hours.

    You can contact me at mail id
    ramanathancse2007@gmail.com. Remember there will be small charges for clearing malwares or redirection scripts.
