New Type Of Hack

I’ve been working with a client on a performance tuning project, and it looks like it was in fact a hack that was slowing down the site. This is the first time I have seen this hack technique, so I thought I would document it for the wider WordPress community.

The hack is in two parts: the first is a PHP directive in .htaccess, and the second is a base64-encoded file which holds the payload.

.htaccess

The hacker has added hundreds of whitespace characters at the bottom of the .htaccess file and then buried a directive in there, so a casual look at .htaccess won’t reveal the code. At the bottom of the file I found:

php_value auto_append_file /var/www/html/{SITEDETALSREMOVED}/wp/Thumbs.db

This directive tells the webserver to append the file Thumbs.db to every PHP page it loads. PHP runs the appended file after each script, so a little piece of code is added to each web page served.

Thumbs.db

Thumbs.db is normally a thumbnail file often included on Windows servers. I have uploaded this by accident a number of times, so it looks like an unneeded but safe file. In the case of this site, it has a base64-encoded payload of malware.

CODE DELETED BECAUSE MY MALWARE SCANNER KEEPS THINKING I HAVE BEEN HACKED 🙂

So this malware was being loaded onto each page as an additional footer.

Check Your Site Now

If you are seeing a performance hit, please check your .htaccess for this hack.
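One way to automate that check, as an added example that is not code from the compromised site or from this post: the Python function below reports every auto_append_file or auto_prepend_file directive in a .htaccess file and flags those pushed out of view by padding or pointing at a file that is not named like PHP. The function name, the padding threshold of 20 and the sample .htaccess text (with "example" standing in for the removed site path) are assumptions made for the illustration.

```python
import re

# php_value / php_admin_value lines that make PHP include an extra file on every request
DIRECTIVE = re.compile(
    r"^(?P<indent>[ \t]*)php_(?:admin_)?value[ \t]+"
    r"(?P<name>auto_(?:append|prepend)_file)[ \t]+(?P<target>\S+)",
    re.IGNORECASE,
)
PAD_LIMIT = 20  # assumed threshold: more blank lines or leading spaces than this is padding


def scan_htaccess(text):
    """Return one finding per auto_append_file/auto_prepend_file directive."""
    findings, blank_run = [], 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            blank_run += 1
            continue
        m = DIRECTIVE.match(line)
        if m and m.group("target").lower() != "none":  # "none" switches the setting off
            target = m.group("target").strip("\"'")
            findings.append({
                "line": lineno,
                "directive": m.group("name").lower(),
                "target": target,
                # pushed out of view by blank lines above or by spaces/tabs on the same line
                "padded": blank_run > PAD_LIMIT or len(m.group("indent")) > PAD_LIMIT,
                # PHP is told to execute a file that is not named like a PHP file
                "odd_extension": not target.lower().endswith((".php", ".inc")),
            })
        blank_run = 0
    return findings


# Constructed sample: a normal WordPress block, 300 blank lines, then the buried directive.
SAMPLE = (
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "RewriteRule . /index.php [L]\n"
    "# END WordPress\n"
    + "\n" * 300
    + " " * 200 + "php_value auto_append_file /var/www/html/example/wp/Thumbs.db\n"
)

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE):
        print(finding)
```

Any finding deserves a look, since some security plugins set auto_prepend_file legitimately; a finding with both "padded" and "odd_extension" set matches the pattern described in this post.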


				
