One of our WordPress websites running on the Apache server was recently hacked via PHP injection.
Hackers have set up hundreds of URLs redirected to an external e-commerce site that sold watches; the URLs are of the form http://www.example.com/eta.php?some_file.html, e.g. http://www.example.com/eta.php?Jewellery-Watches-Others-c138-4.html.
We think that we have removed all the infected PHP code. However, the hacked URLs, instead of returning 404, now 301-redirect to http://www.example.com/?some_file.html (that is, the same URL without the eta.php part) and finally show the website's homepage, returning the code 200. Please note that my .htaccess file seems completely clean.
Where is this phantom redirect located?
I would be very grateful to everyone who could help me understand what is happening. My concern is that we have not completely destroyed the hack.
Thanks for your attention!
ADDITIONAL DETAILS
The file eta.php is not found anywhere on the server. Replacing eta.php with a random file (e.g. ate.php) in the hacked URLs gives the 404 code as expected.
In the end, I managed to get the hacked URLs to return 404 using the following .htaccess rule:
RewriteCond %{THE_REQUEST} /eta\.php
RewriteRule ^(.*)$ - [R=404,L,NC]
Interestingly, this other rule did not work, as if the hack had somehow messed with %{REQUEST_URI}:
RewriteCond %{REQUEST_URI} ^/eta\.php [NC]
RewriteRule (.*) - [R=404,L]
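One way to check the concern in the post from the server's own access log, as an added example that is not part of the original post: it counts requests to the eta.php URLs by status code and flags homepage hits that still carry the leftover "some_file.html" query string. The log lines are constructed samples in Apache combined format, and the names classify and summarize are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request line and status code of an Apache common/combined log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /eta.php?Jewellery-Watches-Others-c138-4.html HTTP/1.1" 301 0 "-" "bot"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?Jewellery-Watches-Others-c138-4.html HTTP/1.1" 200 5120 "-" "bot"
198.51.100.7 - - [02/Jan/2024:09:00:00 +0000] "GET /ETA.php?some_file.html HTTP/1.1" 404 196 "-" "bot"
198.51.100.7 - - [02/Jan/2024:09:00:05 +0000] "GET /%65ta.php?some_file.html HTTP/1.1" 301 0 "-" "bot"
198.51.100.9 - - [02/Jan/2024:09:10:00 +0000] "GET /ate.php?some_file.html HTTP/1.1" 404 196 "-" "bot"
198.51.100.9 - - [02/Jan/2024:09:11:00 +0000] "GET /?s=watches HTTP/1.1" 200 4800 "-" "browser"
"""

def classify(line):
    """Return (kind, status) for a log line, or None if it is unrelated."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    path = unquote(path).lower()  # count case and percent-encoded variants too
    status = int(m["status"])
    if path == "/eta.php":
        return ("blocked" if status == 404 else "still-answering", status)
    # Target of the leftover 301: homepage with a bare "name.html" query string.
    if path == "/" and query.lower().endswith(".html") and "=" not in query:
        return ("homepage-with-spam-query", status)
    return None

def summarize(log_text):
    """Count classified requests per (kind, status)."""
    hits = filter(None, map(classify, log_text.splitlines()))
    return Counter(hits)

if __name__ == "__main__":
    for (kind, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:26} {status} x{n}")
```

Any "still-answering" or "homepage-with-spam-query" count that keeps growing after the cleanup means the old URLs are not yet consistently returning 404.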