I have a web site built with codeigniter, and I installed last year wordpress to have a blog. But since 3 weeks ago the problem began when I tried to access my admin site and appear the codeigniter 404 error. So I realized that the problem was the .htaccess an somehow was written by something. And I think is wordpress, I remove the code that was added and everything was fine, but again the htaccess was written, so I deleted my blog folder that contains all wordpress file and the problem was there again, then I delete the wp_ tables from my Database, but the problem was still there.
The code that has been written is:
# BEGIN SYSTEM API
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^al/(.*)$ myfolder/wp-inf.php?$1 [L]
# END SYSTEM API
I searched for the wp-inf.php file and I found something like this:
<? eval(base64_decode("ICAgIGVycm9yX3JlcG9ydGluZygwKTsgICRscnUgPSAiZ2c.....")); ?>
I don’t know what to do or where to find the file that has been writing my htaccess. I have been cleaning and deleting some files, but nothing.
Hope you can help me with this.
Thank you
Edited:******
If I decode what is inside base64_decode appear this:
error_reporting(0); $lru = "gg/4623696-260514551155404-520n89823525745/765s127r625o9
(edited)
}echo $result; exit; }
Well creating a new server and transfering the data wont help because its the files that are writing your htaccess and not an access issue. What you have to do is search all your files for ‘base64_decode’ and ‘eval’, and see if these files are default from wordpress or are created and named to confuse for example there is no file called wp-inf.php by default in wordpress. These 2 functions are 90% of the times used for malicious intentions.
You can use this decoder to decode the actual code and see what the intention was.
https://www.base64decode.org/
Another way would be to compare your folder structure with the orignal wordpress structure.
To avoid this in future, try never to use any nulled theme or plugins.