Today, I got another wordpress that stop working and start giving 404 error. Previously client got it fixed by removing .htaccess from his installation and get it working. I thought he might mess his wordpress himself. But when we got similar error today I search and little and find that in .htaccess there is a php injected to wordpress which reside at “/tmp/25454b22bf39c75795851f39d5e347c4”, after opening the file it looks like professional white script. But knowing computer programmer, only a hacker or idiot can place an important file in /tmp folder. Anyways, I don’t know the cause of hack yet, but I saw following pattern:
1. Hack is known for wordpress and OsCommerce as of now. [I personnely see only wordpress below 3.0.5 been hacked, rather more specific to 3.0.4 version]
2. Hack need .htaccess file and /tmp folder, so only Linux [can they use windows temp? not know] and surely for Apache user it is an issue.
I cannot say wordpress or oscommerce is broken, but definately there is a control upload script that copy file to /tmp folder which is usually public readable. and then getting .htaccess is problem.
So if you are on Linux/apache and your software does the .htaccess read/write then you need to be beware.
1. Make your .htaccess read only by user and group at most not for public
2. Create a empty non writable file /tmp/25454b22bf39c75795851f39d5e347c4 so in case someone try to copy it fails as file already exists.
3. Change your Passwords
4. Upgrade your software to latest version
5. Do not upload any theme or plugin which is not from known or tested source.
6. Look for vendor recommendation before installing any plugin.
Phew, so far my wordpress is safe, been on windows hosting I am sure the hack will be different if any, lets wait and see.
EDIT: After few days of writing this article I found few instance where I can safely says that it is not a wordpress or OsCommerce hack, but rather a hack related to either Linux Operating System, or Apache Web server or Plesk Control panel. For sites I see this hack only those three are in common. All those site I saw get hacked in above way are not written by one developer, not belong to one server [except they all use plesk and apache], not using only Mysql [do you really thing mysql query can create ,htaccess?] So, I give Clean chit to any Open source software as of now from this hack. This is indeed a server hack, Still no reason known to me.
Good luck guys !!!