Your WordPress website is getting redirected to distributioncorporate.ru
So you just noticed or got told that your website is redirecting its users to distributioncorporate.ru. You are not alone, it is a new hack affecting lots of WordPress users lately. The vulnerability lies in outdated versions of the popular TimThumb library. If you got hacked, you have a plugin or theme which has an outdated TimThumb lib.
Instructions to fix the Hack
Disclaimer: follow these instructions at your own risk. Back up your files before replacing / editing them.
- Change the file permission of (chmod) .htaccess to 644. Create a new .htaccess and overwrite the one on your server with the new one.
- Get the latest version of TimThumband replace the existing ones with it - be it in plugins or themes or anywhere else. Log in to your shell account and do this:
$ find /home/accountname/website/ -name "thumb.php"
$ find /home/accountname/website/ -name "timthumb.php"
If you find any, replace them with the latest version.
thumb.phpcould be some other file too, make sure to confirm its is TimThumb before replacing it.
- Delete these files:
Analysis of the Hack
The cause of the hack seems to be an outdated TimThumb version on your server. It can be found in a theme or plugin as either timthumb.php or thumb.php. In the case I analyzed TimThumb was found in The Morning After theme, WordPress Popular Posts, and WP Mobile Detector. The Morning After theme was the active theme, so I just got the latest version of TimThumb and replaced with it. Replaced timthumb.php for WordPress Popular Posts too. WP Mobile Detector was an inactive plugin, so I just deleted it.
The hack edits the WordPress .htaccess and adds redirection instructions to all traffic coming from a long list of websites to be redirected to http://distributioncorporate.ru/kloac/index.php. And it does a 301 redirect (permanent redirection), which can have seriously negative impression and SEO outcomes. Also it re-configures your website to be forwarded to http://distributioncorporate.ru/kloac/index.php for all kind of errors and statuses (404, 500 etc) on your website.
If you open .htaccess and take a look at it, you are most likely to see nothing odd in there. But look at its filesize , now it's is more than 5 KB! It should have been about 500 Bytes only. Look at the file again, see that scrollbar? Scroll down to find the additional code added by the hack.
If you just edit and try uploading the .htaccess file, it will fail. That's because the hack has chmodded .htaccess to 444, which means you can only open it now, not edit or delete it. Fortunately fixing that is pretty straight forward, just chmod it back to 644. If you are using an FTP client you will get the option under File permission or something named like that.
It also drops two files in the
sm3.php. There are also reports of finding
sm3.php in the current theme directory. I really didn't care to study them in detail, most probably they were backdoors or resurrectors. Just delete them!
If you have followed the instructions above, you should be safe - for now.