I’ve been working with a client on a performance tuning project, and it turns out that a hack was in fact what was slowing down the site. This is the first time I have seen this technique, so I thought I would document it for the wider WordPress community.
The hack is in two parts: the first is a PHP directive in .htaccess, the second is a base64-encoded file which holds the payload.
.htaccess
The hacker had added hundreds of lines of whitespace at the bottom of the .htaccess and then buried a directive below them, so a casual look at .htaccess won’t show the code. Right at the bottom of the file I found:
php_value auto_append_file /var/www/html/{SITEDETALSREMOVED}/wp/Thumbs.db
This is an Apache directive that sets PHP’s auto_append_file option for every PHP script served from that directory and below (it only takes effect when PHP runs as an Apache module, mod_php, and the host allows php_value in .htaccess). PHP then executes Thumbs.db after each script finishes, so a little piece of the attacker’s code is added to every page served up.
Thumbs.db
Thumbs.db is normally a thumbnail cache file that Windows creates in folders on Windows machines; I have uploaded it by accident a number of times, so it looks like an unneeded but harmless file. In the case of this site, it contained a base64-encoded malware payload.
CODE DELETED BECAUSE MY MALWARE SCANNER KEEPS THINKING I HAVE BEEN HACKED 🙂
So this malware was being appended to each page as an additional footer.
Check Your Site Now
If you are seeing a performance hit, check your .htaccess for this hack. Scroll right to the end of the file, past any trailing blank lines, and look for auto_append_file (and its sibling auto_prepend_file, which works the same way but runs before the script rather than after it). Any Thumbs.db on the server that contains <?php is not a Windows thumbnail file and should be treated as malware.
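As an added example (not code from the original post), here is a POSIX shell script that checks a document root for both halves of this hack: it greps every .htaccess for auto_append_file or auto_prepend_file directives and reports the line number, counts the blank-line padding used to hide them, and flags any Thumbs.db that actually contains PHP. The demo site it builds in a temporary directory, the harmless stand-in payload, and the "hundreds of blank lines" heuristic are all constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: scan a WordPress document
# root for both halves of the hack described above. The sample site is
# constructed by make_demo_site; the padding heuristic is an assumption.

# 1. Any .htaccess containing a PHP auto_append_file or auto_prepend_file
#    directive. grep -n reports the line number, so a hit on line 306 of a
#    file that looks five lines long is the whitespace trick in action.
scan_htaccess() {
  find "$1" -name .htaccess -type f \
    -exec grep -Hn -i -E 'php_value[[:space:]]+auto_(append|prepend)_file' {} + 2>/dev/null || true
}

# 2. Count blank lines in one .htaccess. A normal WordPress .htaccess has a
#    handful; hundreds means something is probably buried below them.
padding_lines() {
  grep -c '^[[:space:]]*$' "$1" || true
}

# 3. Thumbs.db files that are really PHP. A genuine Windows thumbnail cache is
#    an OLE compound file (starts with bytes D0 CF 11 E0) and never holds "<?php".
scan_thumbs() {
  find "$1" -iname Thumbs.db -type f \
    -exec grep -l -a -E '<\?php|base64_decode|eval[[:space:]]*\(' {} + 2>/dev/null || true
}

# Build a constructed demo site that mimics the compromised layout and print its path.
make_demo_site() {
  root="$(mktemp -d)"
  mkdir -p "$root/wp" "$root/wp-content/uploads"
  {
    printf '# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\n</IfModule>\n# END WordPress\n'
    n=0
    while [ "$n" -lt 300 ]; do printf '\n'; n=$((n + 1)); done   # the padding
    printf 'php_value auto_append_file %s/wp/Thumbs.db\n' "$root"
  } > "$root/.htaccess"
  # Constructed, harmless stand-in for the payload: same shape, no malware.
  printf '<?php echo base64_decode("aGVsbG8=");\n' > "$root/wp/Thumbs.db"
  # Constructed look-alike of a genuine thumbnail cache (OLE magic bytes),
  # so the scan shows it leaves innocent copies alone.
  printf '\320\317\021\340\241\261\032\341 not php' > "$root/wp-content/uploads/Thumbs.db"
  printf '%s\n' "$root"
}

# Stand-alone run: build the demo site, scan it, clean up.
site="$(make_demo_site)"
echo "== auto_append/prepend_file directives =="
scan_htaccess "$site"
echo "== blank lines in $site/.htaccess: $(padding_lines "$site/.htaccess")"
echo "== Thumbs.db files that contain PHP =="
scan_thumbs "$site"
rm -rf "$site"
```

To check a live site, call scan_htaccess and scan_thumbs with your real document root instead of the demo directory. Bear in mind that php_value in .htaccess only takes effect under mod_php; if your host runs PHP-FPM or CGI, the same auto_append_file setting would have to live in a .user.ini or php.ini, so look there as well.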