Recent reports of yet another type of malicious hacker attacks have come to light. If you’re self-hosting WordPress or any other type of website, you need to check your websites now for a hidden directory. A directory named “.files” has been found on numerous sites that contain spam links.
David Dede, of Sucuri.net, discovered this issue and reported it to WPSecurityLock. His company initially thought it was an isolated incident, but soon realized it was wide spread.
They put their Web Integrity Monitoring service to work and found over a thousand websites infected with spam links. The list of infected websites seems to be growing. They’ve found the spam links on sites hosted at many hosting companies and on all types of web applications (not just WordPress). The bad hackers do not seem to be prejudice of where they do their damage.
How to see if your website is infected with these spam links…
You can easily check your website by logging in via FTP and look for a directory (folder) called .files. You will find this directory inside your website’s root directory towards the top (if listed by alphabetical order).
If you find this directory, you’ve been infected with this new string of attack. You can click to open this directory and you might see hundreds of .html files that all contain spammy links.
They may look something like this…
Also, check your directories for any unknown names or files inside them. Although this directory has been found, we are unsure at this time if there are other names we should be looking for.
Another solution: Have your site checked an automatically monitored by signing up for Sucuri’s Web Monitoring Service. They’ve given us a special discount code of only $7.99 a month. Use our affiliate link: http://www.wpsecuritylock.com/sucuri
How to fix your hacked WordPress site…
- If you’ve found the folder called .files, delete it and it’s contents immediately.
- Look through your other directories for hidden/unknown directories that contain spammy .html files.
- Look through your directories for any “trigger” .php files. (The bad guys seems to be injecting goofy named .php files, such as kip.php, fwwkd.php, etc). These files trigger this injection of new files). If you find any unwanted .php files, delete them now!
- Also search through your .php files for any code that starts with base64_decode and remove it.
According to David Dede, the intent of this malicious attack is to gain search engine page rank by using an SEO Spam tatic.
He also stated that this string of attack seems to be in conjunction with this code: MW:Spam:S2. According to his research, it reads the content of the file only if it’s being requested by a search engine.
We’d like to thank David Dede of informing us of this latest attack to share with our community.
If you’ve seen any other unusual files on your website, please share them with us. Just leave your comment below.